Usage: ${0##*/} [OPTIONS] [EXTRA_SETTINGS_FILE] apache2|nginx DOMAIN
apache/nginx config & let's encrypt
-If using tls then it expects certbot to be installed and in PATH.
+If using tls then it expects certbot to be installed and in PATH. Also,
+certbot cronjob should be taken care of outside this script. In the
+debian package, it installs a systemd timer, which I (Ian Kelling) use
+and modify to email me on failure. You can see how I do this in my git
+repo distro-setup, and log-quiet.
EXTRA_SETTINGS_FILE can be - for stdin
ssl=true
extra_settings=
port=443
-temp=$(getopt -l help e:i:f:p:r:h "$@") || usage 1
+temp=$(getopt -l help e:if:p:r:h "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
esac
done
+# t = type, h = host
if (( ${#@} == 3 )); then
read -r extra_settings t h <<<"${@}"
else
if $ssl; then
f=$cert_dir/fullchain.pem
if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
+ # cerbot needs an existing virtualhost.
$0 -p 80 $t $h
# when generating an example config, add all relevant security options:
# --hsts --staple-ocsp --uir
certbot certonly -n --must-staple --email $email --no-self-upgrade \
- --agree-tos --$t -d $h
+ --agree-tos --${t%2} -d $h
rm $vhost_file
fi
fi
a2enmod proxy proxy_http
# fyi: trailing slash is important
# reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
+ # retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
cat >>$vhost_file <<EOF
- ProxyPass "/" "http://$proxy/"
+ ProxyPass "/" "http://$proxy/" retry=0
ProxyPassReverse "/" "http://$proxy/"
EOF
fi
-
if $ssl; then
+ a2enmod headers
https_arg=" https"
common_ssl_conf=/etc/apache2/common-ssl.conf
cat >>$vhost_file <<EOF
Header always set Content-Security-Policy upgrade-insecure-requests
EOF
- cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
-# vhost_combined with %D (request time in microseconds)
-# this file is just a convenient place to drop it.
-LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
-SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
-EOF
-
echo "$0: creating $redir_file"
cat >$redir_file <<EOF
<VirtualHost *:80>
service nginx restart
fi ####### end if nginx
+
+cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
+# vhost_combined with %D (request time in microseconds)
+# this file is just a convenient place to drop it.
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
+SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+EOF