-i Insecure, no ssl.
-p PORT Main port to listen on, default 443. 80 implies -i.
-r DIR DocumentRoot
+-s Allow symlinks from the doucmentroot
-h|--help Print help and exit
Note: Uses GNU getopt options parsing style
##### begin command line parsing ########
+symlinkarg=-
ssl=true
extra_settings=
port=443
-temp=$(getopt -l help e:i:f:p:r:h "$@") || usage 1
+temp=$(getopt -l help e:if:p:r:sh "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-i) ssl=false; shift ;;
-p) port="$2"; shift 2 ;;
-r) root="$2"; shift 2 ;;
+ -s) symlinkarg=+; shift ;;
--) shift; break ;;
-h|--help) usage ;;
*) echo "$0: Internal error!" ; exit 1 ;;
esac
done
+# t = type, h = host
if (( ${#@} == 3 )); then
read -r extra_settings t h <<<"${@}"
else
if $ssl; then
f=$cert_dir/fullchain.pem
- if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
+ threedays=259200 # in seconds
+ if [[ ! -e $f ]] || ! openssl x509 -checkend $threedays -noout -in $f >/dev/null; then
+ # cerbot needs an existing virtualhost.
$0 -p 80 $t $h
# when generating an example config, add all relevant security options:
- # --hsts --staple-ocsp --uir
- certbot certonly -n --must-staple --email $email --no-self-upgrade \
+ # --hsts --staple-ocsp --uir --must-staple
+ certbot certonly -n --email $email --no-self-upgrade \
--agree-tos --${t%2} -d $h
rm $vhost_file
fi
case $(readlink -f "$f") in
$vhost_file|$redir_file) continue ;;
esac
- echo "$f"
for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do
case $p in
80) listen_80=true ;;&
cat >$vhost_file <<EOF
<VirtualHost *:$port>
- ServerName $h
- ServerAlias www.$h
- DocumentRoot $root
+ServerName $h
+ServerAlias www.$h
+DocumentRoot $root
+<Directory $root>
+ Options -Indexes ${symlinkarg}FollowSymlinks
+</Directory>
EOF
if [[ $extra_settings ]]; then
# go faster!
if [[ -e /etc/apache2/mods-available/http2.load ]]; then
# https://httpd.apache.org/docs/2.4/mod/mod_http2.html
- a2enmod http2
+ a2enmod -q http2
cat >>$vhost_file <<EOF
- Protocols h2 http/1.1
+Protocols h2 http/1.1
EOF
fi
if [[ $proxy ]]; then
- a2enmod proxy proxy_http
+ a2enmod -q proxy proxy_http
# fyi: trailing slash is important
# reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
+ # retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
cat >>$vhost_file <<EOF
- ProxyPass "/" "http://$proxy/"
- ProxyPassReverse "/" "http://$proxy/"
+ProxyPass "/" "http://$proxy/" retry=0
+ProxyPassReverse "/" "http://$proxy/"
EOF
fi
-
if $ssl; then
+ a2enmod -q headers
https_arg=" https"
common_ssl_conf=/etc/apache2/common-ssl.conf
cat >>$vhost_file <<EOF
- SSLCertificateFile $cert_dir/fullchain.pem
- SSLCertificateKeyFile $cert_dir/privkey.pem
- Include $common_ssl_conf
- # From cerbot generated config example, taken 4/2017,
- # should be rechecked once a year or so.
- Header always set Strict-Transport-Security "max-age=31536000"
- SSLUseStapling on
- Header always set Content-Security-Policy upgrade-insecure-requests
-EOF
-
- cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
-# vhost_combined with %D (request time in microseconds)
-# this file is just a convenient place to drop it.
-LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
-SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+SSLCertificateFile $cert_dir/fullchain.pem
+SSLCertificateKeyFile $cert_dir/privkey.pem
+Include $common_ssl_conf
+# From cerbot generated config example, taken 4/2017,
+# should be rechecked once a year or so.
+Header always set Strict-Transport-Security "max-age=31536000"
+SSLUseStapling on
+Header always set Content-Security-Policy upgrade-insecure-requests
EOF
echo "$0: creating $redir_file"
cat >$redir_file <<EOF
<VirtualHost *:80>
- ServerName $h
- ServerAdmin webmaster@localhost
- DocumentRoot /var/www/html
+ServerName $h
+ServerAdmin webmaster@localhost
+DocumentRoot /var/www/html
- ErrorLog \${APACHE_LOG_DIR}/error.log
- CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined
+ErrorLog \${APACHE_LOG_DIR}/error.log
+CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined
- RewriteEngine on
- RewriteCond %{SERVER_NAME} =$h
- RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+RewriteEngine on
+RewriteCond %{SERVER_NAME} =$h
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
if ! $listen_80; then
# this is a copy of a file certbot, see below.
echo "$0: creating $common_ssl_conf"
cat >$common_ssl_conf <<'EOF'
-# Baseline setting to Include for SSL sites
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
EOF
- upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
- if ! diff -c <(wget -q -O - $upstream) $common_ssl_conf; then
+ upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+ if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then
cat <<EOF
WARNING!!!!!!!!!
WARNING!!!!!!!!!
fi # end if $ssl
cat >>$vhost_file <<'EOF'
- ErrorLog ${APACHE_LOG_DIR}/error.log
- CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
</VirtualHost>
EOF
fi
- a2enmod ssl rewrite # rewrite needed for httpredir
+ a2enmod -q ssl rewrite # rewrite needed for httpredir
service apache2 restart
# I rarely look at how much traffic I get, so let's keep that info
EOF
cat >$vhost_file <<EOF
server {
- server_name $h www.$h;
- root $root;
- listen $port $ssl_arg;
- listen [::]:$port $ssl_arg;
-
+ server_name $h www.$h;
+ root $root;
+ listen $port $ssl_arg;
+ listen [::]:$port $ssl_arg;
+ location $root {
+ autoindex off;
+ }
EOF
if $ssl; then
cat >>$vhost_file <<EOF
- ssl_certificate $cert_dir/fullchain.pem;
- ssl_certificate_key $cert_dir/privkey.pem;
- include $common_ssl_conf;
+ ssl_certificate $cert_dir/fullchain.pem;
+ ssl_certificate_key $cert_dir/privkey.pem;
+ include $common_ssl_conf;
EOF
cat >$redir_file <<EOF
server {
- server_name $h www.$h;
- listen 80 $http2_arg;
- listen [::]:80 $http2_arg;
- return 301 https://$server_name$request_uri;
+ server_name $h www.$h;
+ listen 80 $http2_arg;
+ listen [::]:80 $http2_arg;
+ return 301 https://$server_name$request_uri;
}
EOF
fi # end if $ssl
if [[ $proxy ]]; then
cat >>$vhost_file <<EOF
- location / {
- proxy_set_header Host \$host;
- proxy_set_header X-Real-IP \$remote_addr;
- proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Ssl on;
- proxy_set_header X-Forwarded-Port $port;
- proxy_pass http://$proxy;
- }
+ location / {
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-Port $port;
+ proxy_pass http://$proxy;
+ }
EOF
fi
service nginx restart
fi ####### end if nginx
+
+cat >/etc/apache2/conf-enabled/local-custom.conf <<'EOF'
+# vhost_combined with %D (request time in microseconds)
+# this file is just a convenient place to drop it.
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" vhost_time_combined
+SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+EOF
iankelling.org / git / basic-https-conf / blobdiff