From 25c6d2d6bcf37d708fec0e529a88f035588c8b7d Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Fri, 25 Mar 2022 02:22:26 -0400
Subject: [PATCH] fixes and new options

---
 web-conf | 51 +++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 37 insertions(+), 14 deletions(-)

diff --git a/web-conf b/web-conf
index b27ec1a..6b18b2e 100755
--- a/web-conf
+++ b/web-conf
@@ -41,6 +41,8 @@ distro-setup, and log-quiet.
 
 
 EXTRA_SETTINGS_FILE can be - for stdin
+-a IPv4_ADDR      IP address to listen on. Default all addresses.
+                  ipv6 address support could be added to this script.
 -e EMAIL          Contact address for let's encrypt. Default is
                   root@\$(hostname --fqdn')
                   which is root@$(hostname --fqdn) on this host.
@@ -62,10 +64,15 @@ symlinkarg=-
 ssl=true
 extra_settings=
 port=443
-temp=$(getopt -l help e:if:p:r:sh "$@") || usage 1
+temp=$(getopt -l help a:e:if:p:r:sh "$@") || usage 1
+vhostip='*'
 eval set -- "$temp"
 while true; do
   case $1 in
+    -a)
+      listenip="$2:"
+      vhostip="$2"
+      shift 2 ;;
     -e) email="$2"; shift 2 ;;
     -f) proxy="$2"; shift 2 ;;
     -i) ssl=false; shift ;;
@@ -114,7 +121,14 @@ se=/etc/$t/sites-enabled
 cert_dir=/etc/letsencrypt/live/$h
 
 mkdir -p $root
-vhost_file=$se/$h.conf
+case $port in
+  80|443)
+    vhost_file=$se/$h.conf
+    ;;
+  *)
+    vhost_file=$se/$h-$port.conf
+    ;;
+esac
 redir_file=$se/$h-redir.conf
 
 if [[ $port == 80 ]]; then
@@ -137,10 +151,9 @@ if $ssl; then
     # --hsts --staple-ocsp --uir --must-staple
     certbot certonly -n --email $email --no-self-upgrade \
             --agree-tos --${t%2} -d $h
-    rm $vhost_file
+    # cleanup the call to ourselves a short bit ago
+    rm $se/$h.conf
   fi
-
-
 fi
 
 
@@ -170,9 +183,9 @@ if [[ $t == apache2 ]]; then
     done
   done
 
-
+  echo "$0: creating $vhost_file"
   cat >$vhost_file <<EOF
-<VirtualHost *:$port>
+<VirtualHost $vhostip:$port>
 ServerName $h
 ServerAlias www.$h
 DocumentRoot $root
@@ -221,8 +234,9 @@ SSLUseStapling on
 Header always set Content-Security-Policy upgrade-insecure-requests
 EOF
 
-    echo "$0: creating $redir_file"
-    cat >$redir_file <<EOF
+    if (( port == 443 )); then
+      echo "$0: creating $redir_file"
+      cat >$redir_file <<EOF
 <VirtualHost *:80>
 ServerName $h
 ServerAdmin webmaster@localhost
@@ -236,10 +250,11 @@ RewriteCond %{SERVER_NAME} =$h
 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
 </VirtualHost>
 EOF
-    if ! $listen_80; then
-      cat >>$redir_file <<'EOF'
+      if ! $listen_80; then
+        cat >>$redir_file <<'EOF'
 Listen 80
 EOF
+      fi
     fi
 
     # this is a copy of a file certbot, see below.
@@ -292,7 +307,7 @@ EOF
   if ! $listen_port; then
     # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
     cat >>$vhost_file <<EOF
-listen ${port}${https_arg}
+listen ${listenip}${port}${https_arg}
 EOF
   fi
 
@@ -355,8 +370,14 @@ EOF
 server {
   server_name $h www.$h;
   root $root;
-  listen $port $ssl_arg;
+  listen $listenip$port $ssl_arg;
+EOF
+  if [[ ! $listenip ]]; then
+    cat >>$vhost_file <<EOF
   listen [::]:$port $ssl_arg;
+EOF
+  fi
+  cat >>$vhost_file <<EOF
   location $root {
     autoindex off;
   }
@@ -368,7 +389,8 @@ EOF
   include $common_ssl_conf;
 EOF
 
-    cat >$redir_file <<EOF
+    if (( port == 443 )); then
+      cat >$redir_file <<EOF
 server {
   server_name $h www.$h;
   listen 80 $http2_arg;
@@ -376,6 +398,7 @@ server {
   return 301 https://$server_name$request_uri;
 }
 EOF
+    fi
   fi # end if $ssl
 
   if [[ $extra_settings ]]; then
-- 
2.30.2