[basic-https-conf] / web-conf

#!/bin/bash
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

shopt -s nullglob # used in apache config file expansion

usage() {
    cat <<EOF
Usage: ${0##*/} [OPTIONS] [EXTRA_SETTINGS_FILE] apache2|nginx DOMAIN
apache/nginx config & let's encrypt

If using tls then it expects certbot to be installed and in PATH.


EXTRA_SETTINGS_FILE can be - for stdin
-e EMAIL          Contact address for let's encrypt. Default is
                  root@\$(hostname -A|awk '{print $1}')
                  which is root@$(hostname -A|awk '{print $1}') on this host.
-f [ADDR:]PORT    Enable proxy to [ADDR:]PORT. ADDR default is 127.0.0.1
-i                Insecure, no ssl.
-p PORT           Main port to listen on, default 443. 80 implies -i.
-r DIR            DocumentRoot
-h|--help         Print help and exit

Note: Uses GNU getopt options parsing style
EOF
    exit $1
}

##### begin command line parsing ########

ssl=true
extra_settings=
port=443
temp=$(getopt -l help e:i:f:p:r:h "$@") || usage 1
eval set -- "$temp"
while true; do
    case $1 in
        -e) email="$2"; shift 2 ;;
        -f) proxy="$2"; shift 2 ;;
        -i) ssl=false; shift ;;
        -p) port="$2"; shift 2 ;;
        -r) root="$2"; shift 2 ;;
        --) shift; break ;;
        -h|--help) usage ;;
        *) echo "$0: Internal error!" ; exit 1 ;;
    esac
done

if (( ${#@} == 3 )); then
    read -r extra_settings t h <<<"${@}"
else
    read -r t h <<<"${@}"
fi

case $t in
    apache2|nginx) : ;;
    *) echo "$0: error: expected apache2 or nginx arg"; usage 1 ;;
esac

if [[ ! $h ]]; then
    echo "$0: error: expected domain and type arg"
    usage 1
fi

if [[ ! $root ]]; then
    root=/var/www/$h/html
fi

if [[ $proxy ]]; then
    [[ $proxy == *:* ]] || proxy=127.0.0.1:$proxy
fi

if [[ ! $email ]]; then
    email=root@$(hostname -A|awk '{print $1}')
fi


##### end command line parsing ########

se=/etc/$t/sites-enabled
cert_dir=/etc/letsencrypt/live/$h

mkdir -p $root
vhost_file=$se/$h.conf
redir_file=$se/$h-redir.conf

if [[ $port == 80 ]]; then
    ssl=false
    # remove any thats hanging around
    rm -f $redir_file
fi


if $ssl; then
    f=$cert_dir/fullchain.pem
    if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
        $0 -p 80 $t $h
        # when generating an example config, add all relevant security options:
        # --hsts --staple-ocsp --uir
        certbot certonly -n --must-staple --email $email --no-self-upgrade \
                --agree-tos --$t -d $h
        rm $vhost_file
    fi
fi


if [[ $t == apache2 ]]; then
    rm -f $se/000-default.conf
    # note, we exepct ServerRoot of /etc/apache2
    # apache requires exactly 1 listen directive per port (when no ip is also given),
    # so we have to parse the config to do it programatically.
    listen_80=false
    listen_port=false
    cd /etc/apache2
    conf_files=(apache2.conf)


    for (( i=0; i < ${#conf_files[@]}; i++ )); do
        f="${conf_files[i]}"
        # note: globs are expanded here.
        conf_files+=( $(sed -rn "s,^\s*Include(Optional)?\s+(\S+).*,\2,p" "$f") )
        case $(readlink -f "$f") in
            $vhost_file|$redir_file) continue ;;
        esac
        echo "$f"
        for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do
            case $p in
                80) listen_80=true ;;&
                $port) listen_port=true ;;
            esac
        done
    done


    cat >$vhost_file <<EOF
<VirtualHost *:$port>
        ServerName $h
        ServerAlias www.$h
        DocumentRoot $root
EOF

    if [[ $extra_settings ]]; then
        cat -- $extra_settings >>$vhost_file
    fi

    # go faster!
    if [[ -e /etc/apache2/mods-available/http2.load ]]; then
        # https://httpd.apache.org/docs/2.4/mod/mod_http2.html
        a2enmod http2
        cat >>$vhost_file <<EOF
        Protocols h2 http/1.1
EOF
    fi

    if [[ $proxy ]]; then
        a2enmod proxy proxy_http
        # fyi: trailing slash is important
        # reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
        cat >>$vhost_file <<EOF
        ProxyPass "/"  "http://$proxy/"
        ProxyPassReverse "/"  "http://$proxy/"
EOF
    fi



    if $ssl; then
        https_arg=" https"
        common_ssl_conf=/etc/apache2/common-ssl.conf
        cat >>$vhost_file <<EOF
        SSLCertificateFile $cert_dir/fullchain.pem
        SSLCertificateKeyFile $cert_dir/privkey.pem
        Include $common_ssl_conf
        # From cerbot generated config example, taken 4/2017,
        # should be rechecked once a year or so.
        Header always set Strict-Transport-Security "max-age=31536000"
        SSLUseStapling on
        Header always set Content-Security-Policy upgrade-insecure-requests
EOF

        cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
# vhost_combined with %D (request time in microseconds)
# this file is just a convenient place to drop it.
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
EOF

        echo "$0: creating $redir_file"
        cat >$redir_file <<EOF
<VirtualHost *:80>
        ServerName $h
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog \${APACHE_LOG_DIR}/error.log
        CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =$h
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
        if ! $listen_80; then
            cat >>$redir_file <<'EOF'
Listen 80
EOF
        fi

        # this is a copy of a file certbot, see below.
        echo "$0: creating $common_ssl_conf"
        cat >$common_ssl_conf <<'EOF'
# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
EOF

        upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
        if ! diff -c <(wget -q -O - $upstream) $common_ssl_conf; then
            cat <<EOF
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
upstream ssl settings differ from the snapshot we have taken!!!
We diffed with this command:
diff -c <(wget -q -O - $upstream) $common_ssl_conf
Update this script to take care this warning!!!!!
EOF
            sleep 1
        fi
    fi # end if $ssl

    cat >>$vhost_file <<'EOF'
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
</VirtualHost>
EOF

    if ! $listen_port; then
        # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
        cat >>$vhost_file <<EOF
listen ${port}${https_arg}
EOF
    fi


    a2enmod ssl rewrite # rewrite needed for httpredir
    service apache2 restart

    # I rarely look at how much traffic I get, so let's keep that info
    # around for longer than the default of 2 weeks.
    sed -ri --follow-symlinks 's/^(\s*rotate\s).*/\1 365/' /etc/logrotate.d/apache2
fi  ###### end if apache

if [[ $t == nginx ]]; then
    common_ssl_conf=/etc/nginx/common-ssl.conf

    rm -f $se/default
    cd /etc/nginx
    [[ -e dh2048.pem ]] || openssl dhparam -out dh2048.pem 2048

    if $ssl; then
        ssl_arg=ssl
        if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then
            # fun fact: nginx can be configured to do http2 without ssl.
            ssl_arg+=" http2"
        fi
    fi

    cat >$common_ssl_conf <<'EOF'
# let's encrypt gives us a bad nginx config, so use this:
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# using modern config. last checked 2017/4/22
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dh2048.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
# ian: commented out, unnecessary for le certs or my nginx ver.
#ssl_trusted_certificate $cert_dir/fullchain.pem;;

# ian: commented out, our local dns is expected to work fine.
#resolver <IP DNS resolver>;
EOF
    cat >$vhost_file <<EOF
server {
    server_name $h www.$h;
    root $root;
    listen $port $ssl_arg;
    listen [::]:$port $ssl_arg;

EOF
    if $ssl; then
        cat >>$vhost_file <<EOF
    ssl_certificate $cert_dir/fullchain.pem;
    ssl_certificate_key $cert_dir/privkey.pem;
    include $common_ssl_conf;
EOF

        cat >$redir_file <<EOF
server {
    server_name $h www.$h;
    listen 80 $http2_arg;
    listen [::]:80 $http2_arg;
    return 301 https://$server_name$request_uri;
}
EOF
    fi # end if $ssl

    if [[ $extra_settings ]]; then
        cat $extra_settings >>$vhost_file
    fi

    if [[ $proxy ]]; then
        cat >>$vhost_file <<EOF
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Port $port;
        proxy_pass http://$proxy;
    }
EOF
    fi

    cat >>$vhost_file <<EOF
}
EOF


    service nginx restart

fi ####### end if nginx