X-Git-Url: https://iankelling.org/git/?p=basic-https-conf;a=blobdiff_plain;f=web-conf;h=274f1eb91191274651dd6acacaec6a43a53ef74f;hp=b27ec1a5bbd139d3f64024b88661bc104a1968a4;hb=HEAD;hpb=bfb81969e91a5c33f68aa085e7525d8681fdbc32
diff --git a/web-conf b/web-conf
index b27ec1a..eb87f17 100755
--- a/web-conf
+++ b/web-conf
@@ -1,17 +1,21 @@
#!/bin/bash
-# Copyright (C) 2016 Ian Kelling
+# This file is part of web-conf which configures web servers
+# Copyright (C) 2024 Ian Kelling
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
-# http://www.apache.org/licenses/LICENSE-2.0
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# SPDX-License-Identifier: GPL-3.0-or-later
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
@@ -41,14 +45,21 @@ distro-setup, and log-quiet.
EXTRA_SETTINGS_FILE can be - for stdin
+-a IPv4_ADDR IP address to listen on. Default all addresses.
+ ipv6 address support could be added to this script.
+-c CERT_FOLDER No letsencrypt. use fullchain.pem and privkey.pem in this folder.
-e EMAIL Contact address for let's encrypt. Default is
root@\$(hostname --fqdn')
which is root@$(hostname --fqdn) on this host.
-f [ADDR:]PORT Enable proxy to [ADDR:]PORT. ADDR default is 127.0.0.1
-i Insecure, no ssl.
+-l Allow failure of restarting apache/nginx. Useful for scripts where
+ we want to do the configuration, but don't mind if the web
+ server has some preexisting problem or other problem to fix later.
-p PORT Main port to listen on, default 443. 80 implies -i.
-r DIR DocumentRoot
--s Allow symlinks from the doucmentroot
+-s Allow symlinks from the doucment root
+-t No settings on documentroot.
-h|--help Print help and exit
Note: Uses GNU getopt options parsing style
@@ -62,15 +73,25 @@ symlinkarg=-
ssl=true
extra_settings=
port=443
-temp=$(getopt -l help e:if:p:r:sh "$@") || usage 1
+do_root_settings=true
+temp=$(getopt -l help a:c:e:if:lp:r:sth "$@") || usage 1
+vhostip='*'
+allow_server_fail=false
eval set -- "$temp"
while true; do
case $1 in
+ -a)
+ listenip="$2:"
+ vhostip="$2"
+ shift 2 ;;
+ -c) oob_cert_dir="$2"; shift 2 ;;
-e) email="$2"; shift 2 ;;
-f) proxy="$2"; shift 2 ;;
-i) ssl=false; shift ;;
+ -l) allow_server_fail=true; shift ;;
-p) port="$2"; shift 2 ;;
-r) root="$2"; shift 2 ;;
+ -t) do_root_settings=false; shift ;;
-s) symlinkarg=+; shift ;;
--) shift; break ;;
-h|--help) usage ;;
@@ -111,10 +132,21 @@ fi
##### end command line parsing ########
se=/etc/$t/sites-enabled
-cert_dir=/etc/letsencrypt/live/$h
+if [[ $oob_cert_dir ]]; then
+ cert_dir="$oob_cert_dir"
+else
+ cert_dir=/etc/letsencrypt/live/$h
+fi
mkdir -p $root
-vhost_file=$se/$h.conf
+case $port in
+ 80|443)
+ vhost_file=$se/$h.conf
+ ;;
+ *)
+ vhost_file=$se/$h-$port.conf
+ ;;
+esac
redir_file=$se/$h-redir.conf
if [[ $port == 80 ]]; then
@@ -124,7 +156,7 @@ if [[ $port == 80 ]]; then
fi
-if $ssl; then
+if [[ ! $oob_cert_dir ]] && $ssl; then
$this_dir/certbot-setup $t
@@ -137,10 +169,16 @@ if $ssl; then
# --hsts --staple-ocsp --uir --must-staple
certbot certonly -n --email $email --no-self-upgrade \
--agree-tos --${t%2} -d $h
- rm $vhost_file
+ # cleanup the call to ourselves a short bit ago
+ rm $se/$h.conf
fi
-
-
+ # these scripts only run on renew, that is kinda dumb.
+ export RENEWED_LINEAGE=/etc/letsencrypt/live/$h
+ for script in /etc/letsencrypt/renewal-hooks/deploy/*; do
+ if [[ -x $script ]]; then
+ "$script"
+ fi
+ done
fi
@@ -170,16 +208,20 @@ if [[ $t == apache2 ]]; then
done
done
-
+ echo "$0: creating $vhost_file"
cat >$vhost_file <
+
ServerName $h
ServerAlias www.$h
DocumentRoot $root
+EOF
+ if $do_root_settings; then
+ cat >>$vhost_file <
Options -Indexes ${symlinkarg}FollowSymlinks
EOF
+ fi
if [[ $extra_settings ]]; then
cat -- $extra_settings >>$vhost_file
@@ -221,8 +263,22 @@ SSLUseStapling on
Header always set Content-Security-Policy upgrade-insecure-requests
EOF
- echo "$0: creating $redir_file"
- cat >$redir_file </dev/null <<'EOF'
+#https://webmasters.stackexchange.com/questions/124635/apache-redirect-http-to-https-without-preventing-http
+
+Redirect permanent "/" "https://mydomain.ltd/"
+
+# or, with generic rewrite, we use this on gnu.org
+RewriteEngine on
+RewriteCond %{HTTP:Upgrade-Insecure-Requests} "^1$"
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=307]
+EOF
+
+ cat >$redir_file <
ServerName $h
ServerAdmin webmaster@localhost
@@ -236,10 +292,11 @@ RewriteCond %{SERVER_NAME} =$h
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
EOF
- if ! $listen_80; then
- cat >>$redir_file <<'EOF'
+ if ! $listen_80; then
+ cat >>$redir_file <<'EOF'
Listen 80
EOF
+ fi
fi
# this is a copy of a file certbot, see below.
@@ -249,7 +306,7 @@ EOF
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
SSLEngine on
@@ -292,13 +349,20 @@ EOF
if ! $listen_port; then
# reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
cat >>$vhost_file <&2
+ fi
+ else
+ service apache2 restart
+ fi
# I rarely look at how much traffic I get, so let's keep that info
# around for longer than the default of 2 weeks.
@@ -355,12 +419,20 @@ EOF
server {
server_name $h www.$h;
root $root;
- listen $port $ssl_arg;
+ listen $listenip$port $ssl_arg;
+EOF
+ if [[ ! $listenip ]]; then
+ cat >>$vhost_file <>$vhost_file <>$vhost_file <$redir_file <$redir_file <&2
+ fi
+ else
+ service nginx restart
+ fi
fi ####### end if nginx