X-Git-Url: https://iankelling.org/git/?p=basic-https-conf;a=blobdiff_plain;f=apache-site;h=a4f295ac68f0bd9de1e0981085e6e667c890eaff;hp=d99bf9698c48169bd8ccefb58df238a7104719db;hb=75fa1938d9e9bd00dfab294deac75b3a749e4929;hpb=bcdbffa4898135bc42772e1b9b706dc2acadfbdd diff --git a/apache-site b/apache-site index d99bf96..a4f295a 100755 --- a/apache-site +++ b/apache-site @@ -13,6 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" + set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR @@ -25,41 +27,44 @@ location for storing certs. EXTRA_SETTINGS_FILE can be - for stdin -p PORT --i Insecure, no ssl --c CERT_DIR Default is /p/c/machine_specific/\$HOSTNAME/webservercerts --h|--help Print help and exit --r DocumentRoot --- Subsequent arguments are never treated as options +-i Insecure, no ssl +-c CERT_DIR In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR, + $HOME/webservercerts, if the other options aren't set. +-r DocumentRoot +-h|--help Print help and exit -Note: options and non-options can be in any order. +Note: Uses GNU getopt options parsing style EOF exit $1 } ##### begin command line parsing ######## -cert_dir=/p/c/machine_specific/$HOSTNAME/webservercerts +cert_dir="$ACME_TINY_WRAPPER_CERT_DIR" +if [[ ! $cert_dir ]]; then + cert_dir=$HOME/webservercerts +fi ssl=true extra_settings= -args=() port="*:443" -while [[ $1 ]]; do +temp=$(getopt -l help ic:p:r:h "$@") || usage 1 +eval set -- "$temp" +while true; do case $1 in - -i) ssl=false; shift ;; # i for insecure + -i) ssl=false; shift ;; -c) cert_dir="$2"; shift 2 ;; -p) port="$2"; shift 2 ;; -r) root="$2"; shift 2 ;; --) shift; break ;; - -?*|-h|--help) usage ;; - *) args+=("$1"); shift ;; + -h|--help) usage ;; + *) echo "$0: Internal error!" ; exit 1 ;; esac done -args+=("$@") -if (( ${#args[@]} == 2 )); then - read extra_settings h <<<"${args[@]}" +if (( ${#@} == 2 )); then + read extra_settings h <<<"${@}" else - read h <<<"${args[@]}" + read h <<<"${@}" fi if [[ ! $h ]]; then @@ -86,10 +91,10 @@ fi # https://mozilla.github.io/server-side-tls/ssl-config-generator/ -sudo rm -f /etc/apache2/sites-enabled/000-default.conf +rm -f /etc/apache2/sites-enabled/000-default.conf -sudo mkdir -p $root -sudo dd of=/etc/apache2/sites-enabled/$h.conf < ServerName $h ServerAlias www.$h @@ -97,24 +102,32 @@ sudo dd of=/etc/apache2/sites-enabled/$h.conf < ServerAdmin webmaster@localhost DocumentRoot /var/www/html - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined + CustomLog ${APACHE_LOG_DIR}/httpsredir-access.log combined RewriteEngine on # ian: removed so it's for all sites @@ -123,8 +136,11 @@ RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent] EOF - sudo mkdir -p /etc/letsencrypt - sudo dd of=/etc/letsencrypt/options-ssl-apache.conf <<'EOF' + mkdir -p /etc/letsencrypt + + base_file=/etc/letsencrypt/options-ssl-apache.conf + # this is from cerbot, see below. + dd of=$base_file <<'EOF' # Baseline setting to Include for SSL sites SSLEngine on @@ -149,14 +165,33 @@ LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" EOF + upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf + if ! diff -c <(wget -q -O - $upstream) $base_file; then + cat < # vim: syntax=apache ts=4 sw=4 sts=4 sr noet EOF -sudo a2enmod ssl rewrite # rewrite needed for httpredir -sudo service apache2 restart +a2enmod ssl rewrite # rewrite needed for httpredir +service apache2 restart + +# I rarely look at how much traffic I get, so let's keep that info +# around for longer than the default of 2 weeks. +sed -ri --follow-symlinks 's/^(\s*rotate\s).*/\1 365/' /etc/logrotate.d/apache2