diff --git a/createVhosts.sh b/createVhosts.sh
index e608538..7f54588 100755
--- a/createVhosts.sh
+++ b/createVhosts.sh
@@ -23,12 +23,6 @@ function usage
 echo " Do not redirect HTTP to HTTPS"
 echo " --servicename"
 echo " The Nginx server service name to use to reload"
- echo " --standalone"
- echo " Instead of webroot, use acme.sh builtin server"
- echo " --bindaddress"
- echo " Listening address for acme.sh builtin server. Default is 0.0.0.0"
- echo " --bindport"
- echo " Listening port for acme.sh builtin server. Default is 8999"
 echo " -d | --debug"
 echo " Enable debug logging"
 echo " -h | --help"
@@ -44,14 +38,7 @@ function get_cert
 if [ "$DEBUG" = "1" ]; then
 _debug_arg="--debug"
 fi
- # set args for what mode acme.sh is going to run in
- if [ "$_standalone" = true ]; then
- _mode="--standalone --local-address $_bindaddress --httpport $_bindport"
- else
- _mode="--webroot $web_root"
- fi
-
- /root/.acme.sh/acme.sh --issue --domain "$_domain" $_mode --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt --server letsencrypt $_debug_arg
+ /root/.acme.sh/acme.sh --issue --domain "$_domain" --webroot /srv/http-content-combined/ --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
 return $?
 }
@@ -82,7 +69,7 @@ function clean_up
 function verify_vhost {
 local target=127.0.0.1
- local verify_path=$web_root/.well-known/
+ local verify_path=/srv/http-content-combined/.well-known/
 local verify_file_name=verify.$_domain.html
 local verify_full_path=$verify_path$verify_file_name
 local http_code
@@ -103,12 +90,10 @@ function verify_vhost
 fi
 }
-## define varables
 _cwd="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 _bootstrap=${_cwd}/bootstrap.sh
 _bb_myname=$(basename "$0")
 _bb_mypath=$(realpath $BASH_SOURCE)
-web_root=/srv/www/webroot
 # Init script
 if test -f "$_bootstrap"; then
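Review bot: The new acme.sh line in get_cert drops `--server letsencrypt` together with the mode selection, so the issuing CA is now whatever the installed acme.sh defaults to (acme.sh 3.0 and later default to ZeroSSL, which also expects a registered account e-mail) instead of an explicit choice; if Let's Encrypt is still intended, keep `--server letsencrypt` on the `--issue` line. The webroot `/srv/http-content-combined/` is also spelled out by hand here, in verify_vhost (hunk @@ -82), in the mkdir check (hunk @@ -287) and in the nginx `location /.well-known` block (hunk @@ -319), so a later move of the webroot has to touch four places; a single `readonly web_root=/srv/http-content-combined` next to the `_cwd`/`_bootstrap` definitions (hunk @@ -103) would keep them in step. `$_debug_arg` stays unquoted, which is only safe while it can be nothing but empty or `--debug`.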
@@ -126,7 +111,7 @@ fi
 # gain priviledges
 become "$@"
-OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,standalone,bindaddress:,bindport:,debug -n 'createVhosts' -- "$@")
+OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,debug -n 'createVhosts' -- "$@")
 if [ "$?" -gt '0' ]; then
 echo 'Failed to set command line arguments'
 exit 1;
@@ -141,10 +126,6 @@ _backend=""
 _listenip=""
 _debug=false
 _servicename=nginx
-_confpath=/etc/nginx
-_standalone=false
-_bindaddress=0.0.0.0
-_bindport=8999
 while true; do
 case "$1" in
 --domain )
@@ -171,15 +152,6 @@ while true; do
 --confpath )
 _confpath=$2
 shift ;;
- --standalone )
- _standalone=true
- shift ;;
- --bindaddress )
- _bindaddress=$2
- shift ;;
- --bindport )
- _bindport=$2
- shift ;;
 -d | --debug )
 _debug=true
 shift ;;
@@ -203,30 +175,28 @@ if [[ $_domain = false ]]; then
 fi
 if test -n "$_root"; then
- echo -n "Checking if $_root exists? "
+ echo -n "Checking if $_root exists?"
 if ! test -d "$_root"; then
- echo "Creating..."
+ echo " Creating..."
 mkdir -p "$_root"
 else
- echo "Yes!"
+ echo " Yes!"
 fi
 _rootpath="root $_root;"
 fi
-_check_host=failed
+_check_host=success
 _locationblock_http=""
 _locationblock_https=""
 if test -n "$_backend"; then
 echo "Verifying backend(s)..."
- if validate_host "$_backend"; then
- _check_host=success
+ if ! validate_host "$_backend"; then
+ _check_host=failed
 fi
- if [ "$_check_host" = "success" ]; then
- # Include backend for HTTP traffic if donotredirect is enabled
- #
- if [ "$_donotredirect" = "true" ]; then
-
+ # Include backend for HTTP traffic if donotredirect is enabled
+ #
+ if [ "$_donotredirect" = "true" ]; then
 ##Begin HEREDOC
 _locationblock_http=$(cat <<- EOF
 proxy_pass $_backend;
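Review bot: Removing `_confpath=/etc/nginx` in hunk @@ -141 leaves `$_confpath` without a default, yet `--confpath` is still parsed (hunk @@ -171) and the value is still used further down for `test -d "$_confpath"` and `_vhost_conf_file=$_confpath/conf.d/${_domain}.conf`; unless bootstrap.sh or the environment sets it, a run without `--confpath` now fails the conf-path check with an empty path. If the default was meant to survive the standalone-mode removal, restore `_confpath=/etc/nginx` next to `_servicename=nginx`. The other dropped defaults (`_standalone`, `_bindaddress`, `_bindport`) are consistent with the options being removed.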
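Review bot: In hunk @@ -203 the `if [ "$_donotredirect" = "true" ]` block that builds `_locationblock_http` from `$_backend` now runs before the `_check_host` test, so the proxy block is assembled from a backend that has not yet been validated, and hunk @@ -234 then adds an identical heredoc inside `if [ "$_check_host" = "success" ]`, so on the success path the same assignment runs twice. Keep only the copy inside the success branch so the nginx snippet is built solely from a host validate_host accepted; whether the first copy is ever used for an invalid host depends on err exiting, which is outside this diff. Initialising `_check_host=success` instead of `failed` is equivalent for the backend branch, but it also leaves `_check_host=success` for runs without `--backend`, which matters if the variable is read later in the script.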
@@ -234,7 +204,19 @@ _locationblock_http=$(cat <<- EOF
 EOF
 )
 ##End HEREDOC
+ fi
+ if [ "$_check_host" = "success" ]; then
+ # Include backend for HTTP traffic if donotredirect is enabled
+ #
+ if [ "$_donotredirect" = "true" ]; then
+##Begin HEREDOC
+_locationblock_http=$(cat <<- EOF
+ proxy_pass $_backend;
+ include proxy_params;
+EOF
+)
+##End HEREDOC
 fi
 ##Begin HEREDOC
@@ -243,8 +225,7 @@ _locationblock_https=$(cat <<- EOF
 include proxy_params;
 EOF
 )
-##End HEREDOC
-
+##End HEREDOC
 else
 err "Invalid hostname: $_backend. Not resolvable!"
 fi
@@ -263,12 +244,12 @@ if test -z "$_root" -a -z "$_backend"; then
 err "You must specify either --root or --backend!"
 fi
-echo -n "Checking if we should redirect? "
+echo -n "Checking if we should redirect?"
 if [ "$_donotredirect" = "false" ]; then
- echo "Yes, enabling redirect!"
+ echo " Yes, enabling redirect!"
 _locationblock_http=" return 302 https://${_domain}\$request_uri;"
 else
- echo "No!"
+ echo " No!"
 fi
 echo -n "Checking if conf path '$_confpath' exists? "
@@ -276,7 +257,7 @@ if test -d "$_confpath"; then
 echo "Yes!"
 else
 echo "No!"
- clean_up "Conf path doesn't exists!"
+ clean_up
 fi
 ##
@@ -287,12 +268,12 @@ fi
 ## Begin issuing certificate
 ###########################################
-echo -n "Checking if $web_root exists? "
-if ! test -d $web_root; then
- echo "Creating..."
- mkdir -p $web_root
+echo -n "Checking if /srv/http-content-combined/ exists?"
+if ! test -d /srv/http-content-combined; then
+ echo " Creating..."
+ mkdir -p /srv/http-content-combined/
 else
- echo "Yes!"
+ echo " Yes!"
 fi
 _vhost_conf_file=$_confpath/conf.d/${_domain}.conf
@@ -319,7 +300,7 @@ server {
 access_log /var/log/nginx/${_domain}.access.log main;
 location /.well-known {
- root $web_root;
+ root /srv/http-content-combined/;
 autoindex on;
 }
diff --git a/update_firewall.sh b/update_firewall.sh
deleted file mode 100755
index 390dc4b..0000000
--- a/update_firewall.sh
+++ /dev/null
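Review bot: In hunk @@ -276 `clean_up` is now called without the `"Conf path doesn't exists!"` argument, so whatever message clean_up derived from `$1` (its body is outside this diff) is gone and the only remaining hint to the operator is the preceding `echo "No!"`, which does not say what failed. Since the conf-path check is also the one that trips when `_confpath` is left empty, the reason is worth keeping: `clean_up "Conf path '$_confpath' does not exist!"` names both the failure and the path that was tested.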
@@ -1,87 +0,0 @@
-#!/usr/bin/env bash
-
- # Copyright (C) 2021 by LHProjects
- #
- # Permission is granted to use, copy, modify, and/or distribute this work for any purpose with or without fee. This work is offered as-is, with absolutely no warranty whatsoever. The author is not responsible for any damages that result from using this work.
- #
- #
-
- # Updates FirewallD when my home IP address changes.
- #
-
- # Define variables
- CACHE_IP_FILE=/var/cache/update_firewall.cache
-
- get_home_ip () {
- tmpfile=$(mktemp)
-
- for i in {1..5};
- do
- host fwgw.lhprojects.net 1.1.1.1 > $tmpfile && s=0 && break || s=1 && sleep 3;
- done
-
- if [ $s -eq 0 ]; then
- HOME_IP=$(cat $tmpfile | cut -d ' ' -f 4 | xargs)
- else
- echo "Error: Can't resolve fwgw.lhprojects.net"
- rm $tmpfile
- exit 1
- fi
- rm $tmpfile
-}
-
-remove_ip () {
- # remove old entry
- firewall-cmd --permanent --ipset=node_ips --remove-entry=$1 &> /dev/null
- # reload firewall
- firewall-cmd --reload &> /dev/null
-}
-
-add_ip () {
- # add new entry
- firewall-cmd --permanent --ipset=node_ips --add-entry=$1 &> /dev/null
- # reload firewall
- firewall-cmd --reload &> /dev/null
-}
-
-write_ip_cache () {
- echo "$1" > $CACHE_IP_FILE
-}
-
-update_firewall () {
- # check if cache IP is in the ipset entries
- ipset_entries=$(firewall-cmd --ipset=node_ips --get-entries 2> /dev/null)
-
- found=false
- for ip in $ipset_entries; do
- if [ "$ip" = "$1" ]; then
- found=true
- fi
- done
-
- if [ "$found" = false ]; then
- echo "Error: IP '$1' not found in firewall entries."
- echo "Info: Updating IP in firewall."
- add_ip $HOME_IP
- fi
-}
-
-# Get home ip
-get_home_ip
-
-# Check if we have cache IP
-if test -f $CACHE_IP_FILE; then
- CACHE_IP=$(cat $CACHE_IP_FILE)
- if [ -z "$CACHE_IP" ]; then
- update_firewall $HOME_IP
- write_ip_cache $HOME_IP
- elif [ "$HOME_IP" != "$CACHE_IP" ]; then
- remove_ip $CACHE_IP
- update_firewall $HOME_IP
- write_ip_cache $HOME_IP
- fi
-else
- update_firewall $HOME_IP
- write_ip_cache $HOME_IP
-fi
-exit 0
\ No newline at end of file