2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
16 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
19 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
24 Usage: ${0##*/} [EXTRA_SETTINGS_FILE] DOMAIN
25 Note: this is less tested and mature than the apache site script.
27 Setup nginx config with https using
28 ssl config provided by let's encrypt and my standard
29 location for storing certs.
31 EXTRA_SETTINGS_FILE can be - for stdin
32 -c CERT_DIR In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
33 $HOME/webservercerts, if the other options aren't set.
34 -p PORT Port to listen on, default 443
35 -f PORT Enable proxy to PORT on localhost
37 -h|--help Print help and exit
39 TODO: add https redir site.
41 Note: Uses GNU getopt options parsing style
46 ##### begin command line parsing ########
48 cert_dir
="$ACME_TINY_WRAPPER_CERT_DIR"
49 if [[ ! $cert_dir ]]; then
50 cert_dir
=$HOME/webservercerts
55 temp
=$
(getopt
-l help: c
:f
:p
:r
:h
"$@") || usage
1
59 -c) cert_dir
="$2"; shift 2 ;;
60 -p) port
="$2"; shift 2 ;;
61 -f) proxy_port
="$2"; shift 2 ;;
62 -r) root
="$2"; shift 2 ;;
65 *) echo "$0: Internal error!" ; exit 1 ;;
69 if (( ${#@} == 2 )); then
70 read -r extra_settings h
<<<"${@}"
76 echo "$0: error: expected domain arg"
80 if [[ ! $root ]]; then
85 ##### end command line parsing ########
87 sudo
rm -f /etc
/nginx
/sites-enabled
/default
89 if nginx
-V |
& grep -- '--with-http_v2_module\b' &>/dev
/null
; then
93 sudo
dd of
=/etc
/nginx
/sites-enabled
/$h.conf
<<EOF
94 # ssecurty settings taken from
95 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
96 # using modern config. last checked 2017/2/20
98 server_name $h www.$h;
100 listen $port ssl $http2_arg;
101 listen [::]:$port ssl $http2_arg;
103 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
104 ssl_certificate $cert_dir/$h-chained.pem;
105 ssl_certificate_key $cert_dir/$h-domain.key;
106 ssl_session_timeout 1d;
107 ssl_session_cache shared:SSL:50m;
108 ssl_session_tickets off;
110 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
111 ssl_dhparam $cert_dir/dh2048.pem;
113 # modern configuration. tweak to your needs.
114 ssl_protocols TLSv1.2;
115 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
116 ssl_prefer_server_ciphers on;
118 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
119 add_header Strict-Transport-Security max-age=15768000;
122 # fetch OCSP records from URL in ssl_certificate and cache them
124 ssl_stapling_verify on;
126 # ian: todo: something is missing here, stapling is not enabled
127 # per ssllabs.com test. need to put root cert in chain?.
128 # ssl labs still says we are A+.
129 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
130 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
131 ssl_trusted_certificate $cert_dir/$h-chained.pem;
133 # ian: left commented out, our local dns is expected to work fine.
134 #resolver <IP DNS resolver>;
136 if [[ $extra_settings ]]; then
137 cat $extra_settings | sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
140 if [[ $proxy_port ]]; then
141 sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
<<EOF
143 proxy_set_header Host \$host;
144 proxy_set_header X-Real-IP \$remote_addr;
145 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
146 proxy_set_header X-Forwarded-Ssl on;
147 proxy_set_header X-Forwarded-Port $port;
148 proxy_pass http://127.0.0.1:$proxy_port;
154 sudo
tee -a /etc
/nginx
/sites-enabled
/$h.conf
<<EOF
157 sudo mkdir
-p /var
/www
/$h/html
158 sudo chown
-R ian
:ian
/var
/www
/$h
159 sudo service nginx restart