license gpl, per gnu license recommendations of >300 lines of code

[basic-https-conf] / web-conf

#!/bin/bash
# This file is part of web-conf which configures web servers
# Copyright (C) 2024  Ian Kelling

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# SPDX-License-Identifier: GPL-3.0-or-later

[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"
readonly this_dir="${this_file%/*}"

shopt -s nullglob # used in apache config file expansion

usage() {
  cat <<EOF
Usage: ${0##*/} [OPTIONS] [EXTRA_SETTINGS_FILE] apache2|nginx DOMAIN
apache/nginx config & let's encrypt

If using tls then it expects certbot to be installed and in PATH.  Also,
certbot cronjob should be taken care of outside this script. In the
debian package, it installs a systemd timer. If a script exists (I
expect it only on my , Ian Kelling's sytem) we install a systemd timer
to on failure. You can see the relevant script in my git repo
distro-setup, and log-quiet.


/a/bin/distro-setup/certbot-renew-hook



EXTRA_SETTINGS_FILE can be - for stdin
-a IPv4_ADDR      IP address to listen on. Default all addresses.
                  ipv6 address support could be added to this script.
-c CERT_FOLDER    No letsencrypt. use fullchain.pem and privkey.pem in this folder.
-e EMAIL          Contact address for let's encrypt. Default is
                  root@\$(hostname --fqdn')
                  which is root@$(hostname --fqdn) on this host.
-f [ADDR:]PORT    Enable proxy to [ADDR:]PORT. ADDR default is 127.0.0.1
-i                Insecure, no ssl.
-p PORT           Main port to listen on, default 443. 80 implies -i.
-r DIR            DocumentRoot
-s                Allow symlinks from the doucment root
-t                No settings on documentroot.
-h|--help         Print help and exit

Note: Uses GNU getopt options parsing style
EOF
  exit $1
}

##### begin command line parsing ########

symlinkarg=-
ssl=true
extra_settings=
port=443
do_root_settings=true
temp=$(getopt -l help a:c:e:if:p:r:sth "$@") || usage 1
vhostip='*'
eval set -- "$temp"
while true; do
  case $1 in
    -a)
      listenip="$2:"
      vhostip="$2"
      shift 2 ;;
    -c) oob_cert_dir="$2"; shift 2 ;;
    -e) email="$2"; shift 2 ;;
    -f) proxy="$2"; shift 2 ;;
    -i) ssl=false; shift ;;
    -p) port="$2"; shift 2 ;;
    -r) root="$2"; shift 2 ;;
    -t) do_root_settings=false; shift ;;
    -s) symlinkarg=+; shift ;;
    --) shift; break ;;
    -h|--help) usage ;;
    *) echo "$0: Internal error!" ; exit 1 ;;
  esac
done

# t = type, h = host
if (( ${#@} == 3 )); then
  read -r extra_settings t h <<<"${@}"
else
  read -r t h <<<"${@}"
fi

case $t in
  apache2|nginx) : ;;
  *) echo "$0: error: expected apache2 or nginx arg"; usage 1 ;;
esac

if [[ ! $h ]]; then
  echo "$0: error: expected domain and type arg"
  usage 1
fi

if [[ ! $root ]]; then
  root=/var/www/$h/html
fi

if [[ $proxy ]]; then
  [[ $proxy == *:* ]] || proxy=127.0.0.1:$proxy
fi

if [[ ! $email ]]; then
  email=root@$(hostname --fqdn)
fi


##### end command line parsing ########

se=/etc/$t/sites-enabled
if [[ $oob_cert_dir ]]; then
  cert_dir="$oob_cert_dir"
else
  cert_dir=/etc/letsencrypt/live/$h
fi

mkdir -p $root
case $port in
  80|443)
    vhost_file=$se/$h.conf
    ;;
  *)
    vhost_file=$se/$h-$port.conf
    ;;
esac
redir_file=$se/$h-redir.conf

if [[ $port == 80 ]]; then
  ssl=false
  # remove any thats hanging around
  rm -f $redir_file
fi


if [[ ! $oob_cert_dir ]] && $ssl; then

  $this_dir/certbot-setup $t

  f=$cert_dir/fullchain.pem
  threedays=259200 # in seconds
  if [[ ! -e $f ]] || ! openssl x509 -checkend $threedays -noout -in $f >/dev/null; then
    # cerbot needs an existing virtualhost.
    $0 -p 80 $t $h
    # when generating an example config, add all relevant security options:
    # --hsts --staple-ocsp --uir --must-staple
    certbot certonly -n --email $email --no-self-upgrade \
            --agree-tos --${t%2} -d $h
    # cleanup the call to ourselves a short bit ago
    rm $se/$h.conf
  fi
  # these scripts only run on renew, that is kinda dumb.
  export RENEWED_LINEAGE=/etc/letsencrypt/live/$h
  for script in /etc/letsencrypt/renewal-hooks/deploy/*; do
    if [[ -x $script ]]; then
      "$script"
    fi
  done
fi


if [[ $t == apache2 ]]; then
  rm -f $se/000-default.conf
  # note, we exepct ServerRoot of /etc/apache2
  # apache requires exactly 1 listen directive per port (when no ip is also given),
  # so we have to parse the config to do it programatically.
  listen_80=false
  listen_port=false
  cd /etc/apache2
  conf_files=(apache2.conf)


  for (( i=0; i < ${#conf_files[@]}; i++ )); do
    f="${conf_files[i]}"
    # note: globs are expanded here.
    conf_files+=( $(sed -rn "s,^\s*Include(Optional)?\s+(\S+).*,\2,p" "$f") )
    case $(readlink -f "$f") in
      $vhost_file|$redir_file) continue ;;
    esac
    for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do
      case $p in
        80) listen_80=true ;;&
        $port) listen_port=true ;;
      esac
    done
  done

  echo "$0: creating $vhost_file"
  cat >$vhost_file <<EOF
<VirtualHost $vhostip:$port>
ServerName $h
ServerAlias www.$h
DocumentRoot $root
EOF
  if $do_root_settings; then
    cat >>$vhost_file <<EOF
<Directory $root>
  Options -Indexes ${symlinkarg}FollowSymlinks
</Directory>
EOF
  fi

  if [[ $extra_settings ]]; then
    cat -- $extra_settings >>$vhost_file
  fi

  # go faster!
  if [[ -e /etc/apache2/mods-available/http2.load ]]; then
    # https://httpd.apache.org/docs/2.4/mod/mod_http2.html
    a2enmod -q http2
    cat >>$vhost_file <<EOF
Protocols h2 http/1.1
EOF
  fi

  if [[ $proxy ]]; then
    a2enmod -q proxy proxy_http
    # fyi: trailing slash is important
    # reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
    # retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
    cat >>$vhost_file <<EOF
ProxyPass "/"  "http://$proxy/" retry=0
ProxyPassReverse "/"  "http://$proxy/"
EOF
  fi


  if $ssl; then
    a2enmod -q headers
    https_arg=" https"
    common_ssl_conf=/etc/apache2/common-ssl.conf
    cat >>$vhost_file <<EOF
SSLCertificateFile $cert_dir/fullchain.pem
SSLCertificateKeyFile $cert_dir/privkey.pem
Include $common_ssl_conf
# From cerbot generated config example, taken 4/2017,
# should be rechecked once a year or so.
Header always set Strict-Transport-Security "max-age=31536000"
SSLUseStapling on
Header always set Content-Security-Policy upgrade-insecure-requests
EOF

    if (( port == 443 )); then
      echo "$0: creating $redir_file"

      # note, alternatively:
      cat >/dev/null <<'EOF'
#https://webmasters.stackexchange.com/questions/124635/apache-redirect-http-to-https-without-preventing-http
<If "%{req:Upgrade-Insecure-Requests} == '1'">
Redirect permanent "/" "https://mydomain.ltd/"
</If>
# or, with generic rewrite, we use this on gnu.org
RewriteEngine on
RewriteCond %{HTTP:Upgrade-Insecure-Requests} "^1$"
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=307]
EOF

      cat >$redir_file <<EOF
<VirtualHost *:80>
ServerName $h
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

ErrorLog \${APACHE_LOG_DIR}/error.log
CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =$h
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
      if ! $listen_80; then
        cat >>$redir_file <<'EOF'
Listen 80
EOF
      fi
    fi

    # this is a copy of a file certbot, see below.
    echo "$0: creating $common_ssl_conf"
    cat >$common_ssl_conf <<'EOF'
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
EOF

    upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
    if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then
      cat <<EOF
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
WARNING!!!!!!!!!
upstream ssl settings differ from the snapshot we have taken!!!
We diffed with this command:
diff -c <(wget -q -O - $upstream) $common_ssl_conf
Update this script to take care this warning!!!!!
EOF
      sleep 1
    fi
  fi # end if $ssl

  cat >>$vhost_file <<'EOF'
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
</VirtualHost>
EOF

  if ! $listen_port; then
    # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
    cat >>$vhost_file <<EOF
listen ${listenip}${port}${https_arg}
EOF
  fi


  a2enmod -q ssl rewrite # rewrite needed for httpredir
  service apache2 restart

  # I rarely look at how much traffic I get, so let's keep that info
  # around for longer than the default of 2 weeks.
  sed -ri --follow-symlinks 's/^(\s*rotate\s).*/\1 365/' /etc/logrotate.d/apache2
fi  ###### end if apache

if [[ $t == nginx ]]; then
  common_ssl_conf=/etc/nginx/common-ssl.conf

  rm -f $se/default
  cd /etc/nginx
  [[ -e dh2048.pem ]] || openssl dhparam -out dh2048.pem 2048

  if $ssl; then
    ssl_arg=ssl
    if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then
      # fun fact: nginx can be configured to do http2 without ssl.
      ssl_arg+=" http2"
    fi
  fi

  cat >$common_ssl_conf <<'EOF'
# let's encrypt gives us a bad nginx config, so use this:
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# using modern config. last checked 2017/4/22
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dh2048.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
# ian: commented out, unnecessary for le certs or my nginx ver.
#ssl_trusted_certificate $cert_dir/fullchain.pem;;

# ian: commented out, our local dns is expected to work fine.
#resolver <IP DNS resolver>;
EOF
  cat >$vhost_file <<EOF
server {
  server_name $h www.$h;
  root $root;
  listen $listenip$port $ssl_arg;
EOF
  if [[ ! $listenip ]]; then
    cat >>$vhost_file <<EOF
  listen [::]:$port $ssl_arg;
EOF
  fi
  if $do_root_settings; then
    cat >>$vhost_file <<EOF
  location $root {
    autoindex off;
  }
EOF
  fi
  if $ssl; then
    cat >>$vhost_file <<EOF
  ssl_certificate $cert_dir/fullchain.pem;
  ssl_certificate_key $cert_dir/privkey.pem;
  include $common_ssl_conf;
EOF

    if (( port == 443 )); then
      cat >$redir_file <<EOF
server {
  server_name $h www.$h;
  listen 80 $http2_arg;
  listen [::]:80 $http2_arg;
  return 301 https://\$server_name\$request_uri;
}
EOF
    fi
  fi # end if $ssl

  if [[ $extra_settings ]]; then
    cat $extra_settings >>$vhost_file
  fi

  if [[ $proxy ]]; then
    cat >>$vhost_file <<EOF
  location / {
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-Port $port;
    proxy_pass http://$proxy;
  }
EOF
  fi

  cat >>$vhost_file <<EOF
}
EOF


  service nginx restart

fi ####### end if nginx

cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
# vhost_combined with %D (request time in microseconds)
# this file is just a convenient place to drop it.
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
EOF