make nginx script have roughly parity
author
Ian Kelling
<ian@iankelling.org>
Thu, 30 Mar 2017 23:51:01 +0000
(16:51 -0700)
committer
Ian Kelling
<ian@iankelling.org>
Thu, 30 Mar 2017 23:51:01 +0000
(16:51 -0700)
apache-site
nginx-site
diff --git
a/apache-site
b/apache-site
index f537369ea2b1c9355d3c95cced18e582c54036fc..9a22d2aad73a308d4bffc0b4fd6c6e2a85e2dcf7 100755
(executable)
--- a/
apache-site
+++ b/
apache-site
@@
-26,10
+26,10
@@
ssl config provided by let's encrypt and my standard
location for storing certs.
EXTRA_SETTINGS_FILE can be - for stdin
location for storing certs.
EXTRA_SETTINGS_FILE can be - for stdin
--p PORT
--i Insecure, no ssl
-c CERT_DIR In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
$HOME/webservercerts, if the other options aren't set.
-c CERT_DIR In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
$HOME/webservercerts, if the other options aren't set.
+-i Insecure, no ssl
+-p PORT Main port to listen on, default 443
-r DocumentRoot
-h|--help Print help and exit
-r DocumentRoot
-h|--help Print help and exit
@@
-62,9
+62,9
@@
while true; do
done
if (( ${#@} == 2 )); then
done
if (( ${#@} == 2 )); then
- read extra_settings h <<<"${@}"
+ read
-r
extra_settings h <<<"${@}"
else
else
- read h <<<"${@}"
+ read
-r
h <<<"${@}"
fi
if [[ ! $h ]]; then
fi
if [[ ! $h ]]; then
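Review bot: The new `read -r extra_settings h <<<"${@}"` and the `read -r h <<<"${@}"` in the else branch rely on bash joining the positional parameters with a single space when `"$@"` is used inside a here-string; that reads like a quoting mistake and ShellCheck typically flags it, so `read -r extra_settings h <<<"$*"` and `read -r h <<<"$*"` state the intent directly. The same form is introduced in the nginx-site section's command-line parsing hunk and should be changed there too. This `if`/`else` is top-level script code and the parsing it belongs to continues outside the hunk.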
diff --git
a/nginx-site
b/nginx-site
index e2c046fcb6e233d0285c0c2b67788ba1b6c3f9ea..5e555c74f90a4ef121cb84e26823260e66e31837 100755
(executable)
--- a/
nginx-site
+++ b/
nginx-site
@@
-1,4
+1,4
@@
-#!/bin/bash
-l
+#!/bin/bash
# Copyright (C) 2016 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# Copyright (C) 2016 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
@@
-13,6
+13,8
@@
# See the License for the specific language governing permissions and
# limitations under the License.
# See the License for the specific language governing permissions and
# limitations under the License.
+[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
@@
-27,33
+29,47
@@
ssl config provided by let's encrypt and my standard
location for storing certs.
EXTRA_SETTINGS_FILE can be - for stdin
location for storing certs.
EXTRA_SETTINGS_FILE can be - for stdin
--p PORT Proxy to PORT
--h|--help Print help and exit
+-c CERT_DIR In priority: this arg, $ACME_TINY_WRAPPER_CERT_DIR,
+ $HOME/webservercerts, if the other options aren't set.
+-p PORT Port to listen on, default 443
+-f PORT Enable proxy to PORT on localhost
+-r DocumentRoot
+-h|--help Print help and exit
TODO: add https redir site.
TODO: add https redir site.
+
+Note: Uses GNU getopt options parsing style
EOF
exit $1
}
##### begin command line parsing ########
EOF
exit $1
}
##### begin command line parsing ########
+cert_dir="$ACME_TINY_WRAPPER_CERT_DIR"
+if [[ ! $cert_dir ]]; then
+ cert_dir=$HOME/webservercerts
+fi
+port=443
proxy_port=
extra_settings=
proxy_port=
extra_settings=
-args=()
-while [[ $1 ]]; do
+temp=$(getopt -l help: c:f:p:r:h "$@") || usage 1
+eval set -- "$temp"
+while true; do
case $1 in
case $1 in
- -p) proxy_port="$2"; shift 2 ;;
+ -c) cert_dir="$2"; shift 2 ;;
+ -p) port="$2"; shift 2 ;;
+ -f) proxy_port="$2"; shift 2 ;;
+ -r) root="$2"; shift 2 ;;
--) shift; break ;;
--) shift; break ;;
- -
?*|-
h|--help) usage ;;
- *)
args+=("$1"); shift
;;
+ -h|--help) usage ;;
+ *)
echo "$0: Internal error!" ; exit 1
;;
esac
done
esac
done
-args+=("$@")
-if (( ${#
args[@]
} == 2 )); then
- read
extra_settings h <<<"${args[@]
}"
+if (( ${#
@
} == 2 )); then
+ read
-r extra_settings h <<<"${@
}"
else
else
- read
h <<<"${args[@]
}"
+ read
-r h <<<"${@
}"
fi
if [[ ! $h ]]; then
fi
if [[ ! $h ]]; then
@@
-61,29
+77,38
@@
if [[ ! $h ]]; then
usage 1
fi
usage 1
fi
+if [[ ! $root ]]; then
+ root=/var/www/$h/html
+fi
+
##### end command line parsing ########
sudo rm -f /etc/nginx/sites-enabled/default
##### end command line parsing ########
sudo rm -f /etc/nginx/sites-enabled/default
-cdir=/p/c/machine_specific/$HOSTNAME/webservercerts
+if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then
+ http2_arg=http2
+fi
+
sudo dd of=/etc/nginx/sites-enabled/$h.conf <<EOF
sudo dd of=/etc/nginx/sites-enabled/$h.conf <<EOF
+# ssecurty settings taken from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# using modern config. last checked 2017/2/20
server {
server_name $h www.$h;
server {
server_name $h www.$h;
- root
/var/www/$h/html
;
- listen
443 ssl
;
- listen [::]:
443 ssl
;
+ root
$root
;
+ listen
$port ssl $http2_arg
;
+ listen [::]:
$port ssl $http2_arg
;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
- ssl_certificate $cdir/$h-chained.pem;
- ssl_certificate_key $cdir/$h-domain.key;
+ ssl_certificate $c
ert_
dir/$h-chained.pem;
+ ssl_certificate_key $c
ert_
dir/$h-domain.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
- ssl_dhparam $cdir/dh2048.pem;
+ ssl_dhparam $c
ert_
dir/dh2048.pem;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
@@
-98,10
+123,14
@@
server {
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling on;
ssl_stapling_verify on;
+ # ian: todo: something is missing here, stapling is not enabled
+ # per ssllabs.com test. need to put root cert in chain?.
+ # ssl labs still says we are A+.
+ # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
## verify chain of trust of OCSP response using Root CA and Intermediate certs
## verify chain of trust of OCSP response using Root CA and Intermediate certs
-
#ssl_trusted_certificate $cdir/$h-fullchain
.pem;
+
ssl_trusted_certificate $cert_dir/$h-chained
.pem;
- # ian:
also not needed, our local resolver works
fine.
+ # ian:
left commented out, our local dns is expected to work
fine.
#resolver <IP DNS resolver>;
EOF
if [[ $extra_settings ]]; then
#resolver <IP DNS resolver>;
EOF
if [[ $extra_settings ]]; then
@@
-115,10
+144,11
@@
if [[ $proxy_port ]]; then
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
- proxy_set_header X-Forwarded-Port
443
;
+ proxy_set_header X-Forwarded-Port
$port
;
proxy_pass http://127.0.0.1:$proxy_port;
}
EOF
proxy_pass http://127.0.0.1:$proxy_port;
}
EOF
+fi
sudo tee -a /etc/nginx/sites-enabled/$h.conf <<EOF
sudo tee -a /etc/nginx/sites-enabled/$h.conf <<EOF