#!/bin/bash # Copyright (C) 2016 Ian Kelling # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # http://www.apache.org/licenses/LICENSE-2.0 # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR shopt -s nullglob # used in apache config file expansion usage() { cat <$vhost_file < ServerName $h ServerAlias www.$h DocumentRoot $root EOF if [[ $extra_settings ]]; then cat -- $extra_settings >>$vhost_file fi # go faster! if [[ -e /etc/apache2/mods-available/http2.load ]]; then # https://httpd.apache.org/docs/2.4/mod/mod_http2.html a2enmod http2 cat >>$vhost_file <>$vhost_file <>$vhost_file </etc/apache2/conf-enabled/local-custom.conf <<'EOF' # vhost_combined with %D (request time in microseconds) # this file is just a convenient place to drop it. LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000) EOF echo "$0: creating $redir_file" cat >$redir_file < ServerName $h ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog \${APACHE_LOG_DIR}/error.log CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined RewriteEngine on RewriteCond %{SERVER_NAME} =$h RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent] EOF if ! $listen_80; then cat >>$redir_file <<'EOF' Listen 80 EOF fi # this is a copy of a file certbot, see below. echo "$0: creating $common_ssl_conf" cat >$common_ssl_conf <<'EOF' # Baseline setting to Include for SSL sites SSLEngine on # Intermediate configuration, tweak to your needs SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on SSLCompression off SSLOptions +StrictRequire # Add vhost name to log entries: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common #CustomLog /var/log/apache2/access.log vhost_combined #LogLevel warn #ErrorLog /var/log/apache2/error.log # Always ensure Cookies have "Secure" set (JAH 2012/1) #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" EOF upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf if ! diff -c <(wget -q -O - $upstream) $common_ssl_conf; then cat <>$vhost_file <<'EOF' ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined EOF if ! $listen_port; then # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen cat >>$vhost_file </dev/null; then http2_arg=http2 fi cat >$common_ssl_conf <<'EOF' # let's encrypt gives us a bad nginx config, so use this: # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # using modern config. last checked 2017/4/22 ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/nginx/dh2048.pem; # modern configuration. tweak to your needs. ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs # ian: commented out, unnecessary for le certs or my nginx ver. #ssl_trusted_certificate $cert_dir/fullchain.pem;; # ian: commented out, our local dns is expected to work fine. #resolver ; EOF cat >$vhost_file <>$vhost_file fi if [[ $proxy ]]; then cat >>$vhost_file <>$vhost_file <$redir_file <