iankelling.org
/
git
/
basic-https-conf
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
misc small updates
[basic-https-conf]
/
web-conf
diff --git
a/web-conf
b/web-conf
index 074fddd45c6279b62a9919a1544441caaf38ac60..fddb5375b45a53fe0301444234bf79ba764cd772 100755
(executable)
--- a/
web-conf
+++ b/
web-conf
@@
-40,6
+40,7
@@
EXTRA_SETTINGS_FILE can be - for stdin
-i Insecure, no ssl.
-p PORT Main port to listen on, default 443. 80 implies -i.
-r DIR DocumentRoot
-i Insecure, no ssl.
-p PORT Main port to listen on, default 443. 80 implies -i.
-r DIR DocumentRoot
+-s Allow symlinks from the doucmentroot
-h|--help Print help and exit
Note: Uses GNU getopt options parsing style
-h|--help Print help and exit
Note: Uses GNU getopt options parsing style
@@
-49,10
+50,11
@@
EOF
##### begin command line parsing ########
##### begin command line parsing ########
+symlinkarg=-
ssl=true
extra_settings=
port=443
ssl=true
extra_settings=
port=443
-temp=$(getopt -l help e:if:p:r:h "$@") || usage 1
+temp=$(getopt -l help e:if:p:r:
s
h "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
eval set -- "$temp"
while true; do
case $1 in
@@
-61,6
+63,7
@@
while true; do
-i) ssl=false; shift ;;
-p) port="$2"; shift 2 ;;
-r) root="$2"; shift 2 ;;
-i) ssl=false; shift ;;
-p) port="$2"; shift 2 ;;
-r) root="$2"; shift 2 ;;
+ -s) symlinkarg=+; shift ;;
--) shift; break ;;
-h|--help) usage ;;
*) echo "$0: Internal error!" ; exit 1 ;;
--) shift; break ;;
-h|--help) usage ;;
*) echo "$0: Internal error!" ; exit 1 ;;
@@
-116,7
+119,7
@@
fi
if $ssl; then
f=$cert_dir/fullchain.pem
threedays=259200 # in seconds
if $ssl; then
f=$cert_dir/fullchain.pem
threedays=259200 # in seconds
- if [[ ! -e $f ]] ||
openssl x509 -checkend $threedays -noout -in $f
; then
+ if [[ ! -e $f ]] ||
! openssl x509 -checkend $threedays -noout -in $f >/dev/null
; then
# cerbot needs an existing virtualhost.
$0 -p 80 $t $h
# when generating an example config, add all relevant security options:
# cerbot needs an existing virtualhost.
$0 -p 80 $t $h
# when generating an example config, add all relevant security options:
@@
-146,7
+149,6
@@
if [[ $t == apache2 ]]; then
case $(readlink -f "$f") in
$vhost_file|$redir_file) continue ;;
esac
case $(readlink -f "$f") in
$vhost_file|$redir_file) continue ;;
esac
- echo "$f"
for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do
case $p in
80) listen_80=true ;;&
for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do
case $p in
80) listen_80=true ;;&
@@
-162,7
+164,7
@@
ServerName $h
ServerAlias www.$h
DocumentRoot $root
<Directory $root>
ServerAlias www.$h
DocumentRoot $root
<Directory $root>
- Options -Indexes
-
FollowSymlinks
+ Options -Indexes
${symlinkarg}
FollowSymlinks
</Directory>
EOF
</Directory>
EOF
@@
-173,14
+175,14
@@
EOF
# go faster!
if [[ -e /etc/apache2/mods-available/http2.load ]]; then
# https://httpd.apache.org/docs/2.4/mod/mod_http2.html
# go faster!
if [[ -e /etc/apache2/mods-available/http2.load ]]; then
# https://httpd.apache.org/docs/2.4/mod/mod_http2.html
- a2enmod http2
+ a2enmod
-q
http2
cat >>$vhost_file <<EOF
Protocols h2 http/1.1
EOF
fi
if [[ $proxy ]]; then
cat >>$vhost_file <<EOF
Protocols h2 http/1.1
EOF
fi
if [[ $proxy ]]; then
- a2enmod proxy proxy_http
+ a2enmod
-q
proxy proxy_http
# fyi: trailing slash is important
# reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
# retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
# fyi: trailing slash is important
# reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
# retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
@@
-192,7
+194,7
@@
EOF
if $ssl; then
if $ssl; then
- a2enmod headers
+ a2enmod
-q
headers
https_arg=" https"
common_ssl_conf=/etc/apache2/common-ssl.conf
cat >>$vhost_file <<EOF
https_arg=" https"
common_ssl_conf=/etc/apache2/common-ssl.conf
cat >>$vhost_file <<EOF
@@
-243,13
+245,19
@@
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
-SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+#CustomLog /var/log/apache2/access.log vhost_combined
+#LogLevel warn
+#ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
EOF
upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
EOF
upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
@@
-283,7
+291,7
@@
EOF
fi
fi
- a2enmod ssl rewrite # rewrite needed for httpredir
+ a2enmod
-q
ssl rewrite # rewrite needed for httpredir
service apache2 restart
# I rarely look at how much traffic I get, so let's keep that info
service apache2 restart
# I rarely look at how much traffic I get, so let's keep that info