fix nginx, add non ssl
author
Ian Kelling
<ian@iankelling.org>
Wed, 26 Apr 2017 15:52:57 +0000
(08:52 -0700)
committer
Ian Kelling
<ian@iankelling.org>
Wed, 26 Apr 2017 15:52:57 +0000
(08:52 -0700)
web-conf
diff --git
a/web-conf
b/web-conf
index b953668ee5a6ad797ea92e8407e25356fb0c9c38..08d1c047f2bd649da80745acc075af18359a10a2 100755
(executable)
--- a/
web-conf
+++ b/
web-conf
@@
-33,7
+33,7
@@
EXTRA_SETTINGS_FILE can be - for stdin
root@\$(hostname -A|awk '{print $1}')
which is root@$(hostname -A|awk '{print $1}') on this host.
-f [ADDR:]PORT Enable proxy to [ADDR:]PORT. ADDR default is 127.0.0.1
root@\$(hostname -A|awk '{print $1}')
which is root@$(hostname -A|awk '{print $1}') on this host.
-f [ADDR:]PORT Enable proxy to [ADDR:]PORT. ADDR default is 127.0.0.1
--i Insecure, no ssl.
Not implemented for nginx.
+-i Insecure, no ssl.
-p PORT Main port to listen on, default 443. 80 implies -i.
-r DIR DocumentRoot
-h|--help Print help and exit
-p PORT Main port to listen on, default 443. 80 implies -i.
-r DIR DocumentRoot
-h|--help Print help and exit
@@
-112,8
+112,10
@@
if $ssl; then
f=$cert_dir/fullchain.pem
if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
$0 -p 80 $t $h
f=$cert_dir/fullchain.pem
if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
$0 -p 80 $t $h
- # adds every security option
- certbot certonly -n --hsts --staple-ocsp --uir --must-staple --email $email --staple-ocsp --no-self-upgrade --agree-tos --apache -d $h
+ # when generating an example config, add all relevant security options:
+ # --hsts --staple-ocsp --uir
+ certbot certonly -n --must-staple --email $email --no-self-upgrade \
+ --agree-tos --$t -d $h
rm $vhost_file
fi
fi
rm $vhost_file
fi
fi
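Review bot: `--must-staple` is kept on the new certbot invocation while `--staple-ocsp` is dropped, so the issued certificate will carry the TLS-feature extension but nothing in this hunk turns on OCSP stapling at the server; unless $common_ssl_conf or the apache config (both outside the hunk) enables stapling (`ssl_stapling on; ssl_stapling_verify on;` for nginx, `SSLUseStapling on` for apache), clients that enforce must-staple will refuse the handshake. Either record that dependency next to the flag, e.g. `# --must-staple: the server config MUST enable OCSP stapling or must-staple clients fail`, or drop the flag until stapling is confirmed. Separately, the unchanged guard at the top of the hunk, `openssl x509 -checkend 86400 -noout -in $f`, exits 0 when the certificate will still be valid a day from now, so the `||` branch re-runs certbot while the cert is healthy and skips it when it is about to expire; it should presumably be negated, `[[ ! -e $f ]] || ! openssl x509 -checkend 86400 -noout -in $f`. The enclosing `if $ssl` block starts before the hunk.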
@@
-294,8
+296,12
@@
if [[ $t == nginx ]]; then
cd /etc/nginx
[[ -e dh2048.pem ]] || openssl dhparam -out dh2048.pem 2048
cd /etc/nginx
[[ -e dh2048.pem ]] || openssl dhparam -out dh2048.pem 2048
- if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then
- http2_arg=http2
+ if $ssl; then
+ ssl_arg=ssl
+ if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then
+ # fun fact: nginx can be configured to do http2 without ssl.
+ ssl_arg+=" http2"
+ fi
fi
cat >$common_ssl_conf <<'EOF'
fi
cat >$common_ssl_conf <<'EOF'
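Review bot: `ssl_arg` is only assigned inside the new `if $ssl` block and is never initialised, so the non-SSL path relies on the variable being unset and expanding to nothing in the later `listen $port $ssl_arg;`; add `ssl_arg=` before the `if` so the empty value is explicit and the script survives `set -u` should it ever be enabled. The old `http2_arg` assignment is removed here, but the redirect server block written later in this commit still interpolates `$http2_arg`, so that reference should be updated in the same change. The dhparam generation and the `$common_ssl_conf` write that follow still run when `-i` is given; if they are only meaningful for SSL they could move under `if $ssl` as well. The heredoc started on the last line continues outside the hunk.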
@@
-333,14
+339,27
@@
EOF
server {
server_name $h www.$h;
root $root;
server {
server_name $h www.$h;
root $root;
- listen $port
ssl $http2
_arg;
- listen [::]:$port
ssl $http2
_arg;
+ listen $port
$ssl
_arg;
+ listen [::]:$port
$ssl
_arg;
- # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+EOF
+ if $ssl; then
+ cat >>$vhost_file <<EOF
ssl_certificate $cert_dir/fullchain.pem;
ssl_certificate_key $cert_dir/privkey.pem;
include $common_ssl_conf;
EOF
ssl_certificate $cert_dir/fullchain.pem;
ssl_certificate_key $cert_dir/privkey.pem;
include $common_ssl_conf;
EOF
+
+ cat >$redir_file <<EOF
+server {
+ server_name $h www.$h;
+ listen 80 $http2_arg;
+ listen [::]:80 $http2_arg;
+ return 301 https://$server_name$request_uri;
+}
+EOF
+ fi # end if $ssl
+
if [[ $extra_settings ]]; then
cat $extra_settings >>$vhost_file
fi
if [[ $extra_settings ]]; then
cat $extra_settings >>$vhost_file
fi
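Review bot: The redirect block written to `$redir_file` uses an unquoted heredoc delimiter (`<<EOF`), so `$server_name$request_uri` on the `return 301` line is expanded by the shell rather than by nginx; unless the script sets shell variables of those names (nothing visible here does), the generated line is `return 301 https://;`, which sends every HTTP request to a bare `https://`. Escape the nginx variables: `return 301 https://\$server_name\$request_uri;`. The same block still expands `$http2_arg`, which this commit stops assigning in the nginx branch above, so `listen 80 $http2_arg;` and `listen [::]:80 $http2_arg;` should become `listen 80;` and `listen [::]:80;` (or reuse the http2 detection if HTTP/2 on the plain-text listener is wanted). In `-i` mode the redirect file is no longer written but also not removed, so a `$redir_file` left over from an earlier SSL run would keep a second `listen 80` for the same server_name next to the new plain vhost; an `rm -f $redir_file` on the non-SSL path would avoid that. The heredoc containing the `server {` block and the enclosing `if [[ $t == nginx ]]` both begin before the hunk.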
@@
-362,14
+381,6
@@
EOF
}
EOF
}
EOF
- cat >$redir_file <<EOF
-server {
- server_name $h www.$h;
- listen 80 $http2_arg;
- listen [::]:80 $http2_arg;
- return 301 https://$server_name$request_uri;
-}
-EOF
service nginx restart
service nginx restart