lhp
/
scripts
1
0
Fork 0
Code Issues 3 Pull Requests Packages Projects Releases Wiki Activity

Resolve "update_firewall.sh can intermitten failures if it's unable to resolve fwgw.lhprojects.net"

This commit is contained in:
Lutchy Horace 2023-06-06 22:56:44 +00:00
parent 421b9a57cc
commit d98e74b036
2 changed files with 88 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
createVhosts.sh
View File

@ -23,6 +23,12 @@ function usage
echo " Do not redirect HTTP to HTTPS"
echo " --servicename"
echo " The Nginx server service name to use to reload"
echo " --standalone"
echo " Instead of webroot, use acme.sh builtin server"
echo " --bindaddress"
echo " Listening address for acme.sh builtin server. Default is 0.0.0.0"
echo " --bindport"
echo " Listening port for acme.sh builtin server. Default is 8999"
echo " -d | --debug"
echo " Enable debug logging"
echo " -h | --help"
@ -38,7 +44,14 @@ function get_cert
if [ "$DEBUG" = "1" ]; then
_debug_arg="--debug"
fi
/root/.acme.sh/acme.sh --issue --domain "$_domain" --webroot /srv/http-content-combined/ --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
# set args for what mode acme.sh is going to run in
if [ "$_standalone" = true ]; then
_mode="--standalone --local-address $_bindaddress --httpport $_bindport"
else
_mode="--webroot $web_root"
fi
/root/.acme.sh/acme.sh --issue --domain "$_domain" $_mode --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
return $?
}
@ -69,7 +82,7 @@ function clean_up
function verify_vhost
{
local target=127.0.0.1
local verify_path=/srv/http-content-combined/.well-known/
local verify_path=$web_root/.well-known/
local verify_file_name=verify.$_domain.html
local verify_full_path=$verify_path$verify_file_name
local http_code
@ -90,10 +103,12 @@ function verify_vhost
fi
}
## define varables
_cwd="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
_bootstrap=${_cwd}/bootstrap.sh
_bb_myname=$(basename "$0")
_bb_mypath=$(realpath $BASH_SOURCE)
web_root=/srv/www/webroot
# Init script
if test -f "$_bootstrap"; then
@ -111,7 +126,7 @@ fi
# gain priviledges
become "$@"
OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,debug -n 'createVhosts' -- "$@")
OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,standalone,bindaddress:,bindport:,debug -n 'createVhosts' -- "$@")
if [ "$?" -gt '0' ]; then
echo 'Failed to set command line arguments'
exit 1;
@ -127,6 +142,9 @@ _listenip=""
_debug=false
_servicename=nginx
_confpath=/etc/nginx
_standalone=false
_bindaddress=0.0.0.0
_bindport=8999
while true; do
case "$1" in
--domain )
@ -153,6 +171,15 @@ while true; do
--confpath )
_confpath=$2
shift ;;
--standalone )
_standalone=true
shift ;;
--bindaddress )
_bindaddress=$2
shift ;;
--bindport )
_bindport=$2
shift ;;
-d | --debug )
_debug=true
shift ;;
@ -260,10 +287,10 @@ fi
## Begin issuing certificate
###########################################
echo -n "Checking if /srv/www/http-content-combined/ exists? "
if ! test -d /srv/www/http-content-combined; then
echo -n "Checking if $web_root exists? "
if ! test -d $web_root; then
echo "Creating..."
mkdir -p /srv/www/http-content-combined/
mkdir -p $web_root
else
echo "Yes!"
fi
@ -292,7 +319,7 @@ server {
access_log /var/log/nginx/${_domain}.access.log main;
location /.well-known {
root /srv/www/http-content-combined/;
root $web_root;
autoindex on;
}

75
update_firewall.sh
View File

@ -6,12 +6,47 @@
#
#
# Updates FirewallD on s3va.bugzbunny.net when my home IP address changes.
# Updates FirewallD when my home IP address changes.
#
# Define variables
CACHE_IP_FILE=/tmp/update_firewall.cache
HOME_IP=$(host fwgw.lhprojects.net | cut -d ' ' -f 4)
CACHE_IP_FILE=/var/cache/update_firewall.cache
get_home_ip () {
tmpfile=$(mktemp)
for i in {1..5};
do
host fwgw.lhprojects.net 1.1.1.1 > $tmpfile && s=0 && break || s=1 && sleep 3;
done
if [ $s -eq 0 ]; then
HOME_IP=$(cat $tmpfile | cut -d ' ' -f 4 | xargs)
else
echo "Error: Can't resolve fwgw.lhprojects.net"
rm $tmpfile
exit 1
fi
rm $tmpfile
}
remove_ip () {
# remove old entry
firewall-cmd --permanent --ipset=node_ips --remove-entry=$1 &> /dev/null
# reload firewall
firewall-cmd --reload &> /dev/null
}
add_ip () {
# add new entry
firewall-cmd --permanent --ipset=node_ips --add-entry=$1 &> /dev/null
# reload firewall
firewall-cmd --reload &> /dev/null
}
write_ip_cache () {
echo "$1" > $CACHE_IP_FILE
}
update_firewall () {
# check if cache IP is in the ipset entries
@ -19,36 +54,34 @@ update_firewall () {
found=false
for ip in $ipset_entries; do
if [ "$ip" = "$CACHE_IP" ]; then
# remove old entry
firewall-cmd --permanent --ipset=node_ips --remove-entry=$ip &> /dev/null
# add new entry
firewall-cmd --permanent --ipset=node_ips --add-entry=$HOME_IP &> /dev/null
# reload firewall
firewall-cmd --reload &> /dev/null
if [ "$ip" = "$1" ]; then
found=true
fi
done
if [ "$found" = false ]; then
echo "Error: Unable to remove old cache IP: '$CACHE_IP'; Not Found."
firewall-cmd --info-ipset=node_ips
exit 1
else
echo "$HOME_IP" > $CACHE_IP_FILE
echo "Error: IP '$1' not found in firewall entries."
echo "Info: Updating IP in firewall."
add_ip $HOME_IP
fi
}
# Get home ip
get_home_ip
# Check if we have cache IP
if test -f $CACHE_IP_FILE; then
CACHE_IP=$(cat $CACHE_IP_FILE)
if [ "$HOME_IP" != "$CACHE_IP" ]; then
update_firewall
if [ -z "$CACHE_IP" ]; then
update_firewall $HOME_IP
write_ip_cache $HOME_IP
elif [ "$HOME_IP" != "$CACHE_IP" ]; then
remove_ip $CACHE_IP
update_firewall $HOME_IP
write_ip_cache $HOME_IP
fi
else
echo "$HOME_IP" > $CACHE_IP_FILE
CACHE_IP=$HOME_IP
update_firewall
update_firewall $HOME_IP
write_ip_cache $HOME_IP
fi
exit 0