From 6f757f2ab793d1cea8c4e0278d94cd0d6eda05c8 Mon Sep 17 00:00:00 2001
From: Lutchy Horace
Date: Thu, 11 Nov 2021 17:13:39 -0500
Subject: [PATCH 1/7] Let's keep spaces consistent

---
 createVhosts.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/createVhosts.sh b/createVhosts.sh
index 7f54588..74735cc 100755
--- a/createVhosts.sh
+++ b/createVhosts.sh
@@ -175,12 +175,12 @@ if [[ $_domain = false ]]; then
 fi
 if test -n "$_root"; then
- echo -n "Checking if $_root exists?"
+ echo -n "Checking if $_root exists? "
 if ! test -d "$_root"; then
- echo " Creating..."
+ echo "Creating..."
 mkdir -p "$_root"
 else
- echo " Yes!"
+ echo "Yes!"
 fi
 _rootpath="root $_root;"
 fi
@@ -244,12 +244,12 @@ if test -z "$_root" -a -z "$_backend"; then
 err "You must specify either --root or --backend!"
 fi
-echo -n "Checking if we should redirect?"
+echo -n "Checking if we should redirect? "
 if [ "$_donotredirect" = "false" ]; then
- echo " Yes, enabling redirect!"
+ echo "Yes, enabling redirect!"
 _locationblock_http=" return 302 https://${_domain}\$request_uri;"
 else
- echo " No!"
+ echo "No!"
 fi
 echo -n "Checking if conf path '$_confpath' exists? "
@@ -268,12 +268,12 @@ fi
 ## Begin issuing certificate
 ###########################################
-echo -n "Checking if /srv/http-content-combined/ exists?"
+echo -n "Checking if /srv/http-content-combined/ exists? "
 if ! test -d /srv/http-content-combined; then
- echo " Creating..."
+ echo "Creating..."
 mkdir -p /srv/http-content-combined/
 else
- echo " Yes!"
+ echo "Yes!"
 fi
 _vhost_conf_file=$_confpath/conf.d/${_domain}.conf

From 63c1ca72e3369d5af12b3797bd9796dd111d2799 Mon Sep 17 00:00:00 2001
From: Lutchy Horace
Date: Wed, 11 May 2022 12:43:18 -0400
Subject: [PATCH 2/7] Initial draft

---
 update_firewall.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 update_firewall.sh
diff --git a/update_firewall.sh b/update_firewall.sh
new file mode 100644
index 0000000..6d277ac
--- /dev/null
+++ b/update_firewall.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2021 by LHProjects
+#
+# Permission is granted to use, copy, modify, and/or distribute this work for any purpose with or without fee. This work is offered as-is, with absolutely no warranty whatsoever. The author is not responsible for any damages that result from using this work.
+#
+#
+
+# Updates FirewallD on s3va.bugzbunny.net when my home IP address changes.
+#
+
+# Define variables
+CACHE_IP_FILE=/tmp/update_firewall.cache
+HOME_IP=$(host fwgw.lhprojects.net | cut -d ' ' -f 4)
+
+update_firewall () {
+ # check if cache IP is in the ipset entries
+ ipset_entries=$(firewall-cmd --ipset=node_ips --get-entries 2> /dev/null)
+
+ found=false
+ for ip in $ipset_entries; do
+ if [ "$ip" = "$CACHE_IP" ]; then
+ # remove old entry
+ firewall-cmd --permanent --ipset=node_ips --remove-entry=$ip &> /dev/null
+ # add new entry
+ firewall-cmd --permanent --ipset=node_ips --add-entry=$HOME_IP &> /dev/null
+ # reload firewall
+ firewall-cmd --reload &> /dev/null
+ found=true
+ fi
+ done
+
+ if [ "$found" = false ]; then
+ echo "Error: Unable to remove old cache IP: '$CACHE_IP'; Not Found."
+ firewall-cmd --info-ipset=node_ips
+ exit 1
+ else
+ echo "$HOME_IP" > $CACHE_IP_FILE
+ fi
+}
+
+# Check if we have cache IP
+if test -f $CACHE_IP_FILE; then
+ CACHE_IP=$(cat $CACHE_IP_FILE)
+ if [ "$HOME_IP" != "$CACHE_IP" ]; then
+ update_firewall
+ fi
+
+else
+ echo "$HOME_IP" > $CACHE_IP_FILE
+ CACHE_IP=$HOME_IP
+ update_firewall
+fi
+exit 0
\ No newline at end of file

From 178fa8e5dd428836efa604f394e91d4c9aff2080 Mon Sep 17 00:00:00 2001
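Review bot: `HOME_IP=$(host fwgw.lhprojects.net | cut -d ' ' -f 4)` is never validated before it becomes a firewall allow-list entry via `--add-entry=$HOME_IP`; a failed lookup leaves a word of the error message in it, a name with several records yields a multi-word value, and it is expanded unquoted into firewall-cmd either way. Gate the script on the value being a single IPv4 literal, e.g. `[[ "$HOME_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "Error: could not resolve a usable IPv4 address" >&2; exit 1; }`, and quote every `$HOME_IP` and `$CACHE_IP` expansion. The cache at `/tmp/update_firewall.cache` is a fixed path in a world-writable directory that a root-run script both reads with `cat` and overwrites with `>`; a root-owned location such as /var/cache avoids another local user pre-creating that name. Inside `update_firewall` the remove/add/reload statuses are all hidden by `&> /dev/null`, so a failed `--remove-entry` still ends with the cache rewritten and the stale address left in `node_ips`.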
From: Lutchy Horace
Date: Wed, 11 May 2022 18:47:39 -0400
Subject: [PATCH 3/7] Refactor createVhosts.sh script

* Fixed line breaks
* Remove duplicate block
* Added error message to the cleanup process, conf dir is missing.
---
 createVhosts.sh | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/createVhosts.sh b/createVhosts.sh
index 74735cc..cedadbe 100755
--- a/createVhosts.sh
+++ b/createVhosts.sh
@@ -126,6 +126,7 @@ _backend=""
 _listenip=""
 _debug=false
 _servicename=nginx
+_confpath=/etc/nginx
 while true; do
 case "$1" in
 --domain )
@@ -185,31 +186,20 @@ if test -n "$_root"; then
 _rootpath="root $_root;"
 fi
-_check_host=success
+_check_host=failed
 _locationblock_http=""
 _locationblock_https=""
 if test -n "$_backend"; then
 echo "Verifying backend(s)..."
- if ! validate_host "$_backend"; then
- _check_host=failed
- fi
-
- # Include backend for HTTP traffic if donotredirect is enabled
- #
- if [ "$_donotredirect" = "true" ]; then
-##Begin HEREDOC
-_locationblock_http=$(cat <<- EOF
- proxy_pass $_backend;
- include proxy_params;
-EOF
-)
-##End HEREDOC
+ if validate_host "$_backend"; then
+ _check_host=success
 fi
 if [ "$_check_host" = "success" ]; then
 # Include backend for HTTP traffic if donotredirect is enabled
 #
 if [ "$_donotredirect" = "true" ]; then
+
 ##Begin HEREDOC
 _locationblock_http=$(cat <<- EOF
 proxy_pass $_backend;
@@ -217,6 +207,7 @@ _locationblock_http=$(cat <<- EOF
 EOF
 )
 ##End HEREDOC
+
 fi
 
 ##Begin HEREDOC
@@ -225,7 +216,8 @@ _locationblock_https=$(cat <<- EOF
 include proxy_params;
 EOF
 )
-##End HEREDOC
+##End HEREDOC
+
 else
 err "Invalid hostname: $_backend. Not resolvable!"
 fi
@@ -257,7 +249,7 @@ if test -d "$_confpath"; then
 echo "Yes!"
 else
 echo "No!"
- clean_up
+ clean_up "Conf path doesn't exists!"
 fi
 
 ##

From c1499d5e74f99b0545ed794bec15f8f3c6283600 Mon Sep 17 00:00:00 2001
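Review bot: `$_backend`, a command-line value, is interpolated verbatim into the nginx config heredoc as `proxy_pass $_backend;` right after the refactored check, so unless `validate_host` rejects anything that is not a plain hostname (its body is outside this hunk) a value containing `;` or a newline turns into extra nginx directives; a comment on `validate_host`, or a `[[ "$_backend" =~ ^[A-Za-z0-9.:-]+$ ]]` guard before the heredoc, would make that contract explicit. Separately, `_check_host` now starts at `failed`, is set to `success` by `if validate_host "$_backend"; then`, and is consumed one statement later by `if [ "$_check_host" = "success" ]; then`; the sentinel carries nothing the exit status did not, so `if validate_host "$_backend"; then` with the `else err "Invalid hostname: ..."` branch attached reads more directly. The enclosing `if test -n "$_backend"` block closes outside this hunk.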
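Review bot: The new message in `clean_up "Conf path doesn't exists!"` has a grammar slip and does not say which path was missing, although `$_confpath` is right there in the `if test -d "$_confpath"` test the hunk header shows; `clean_up "Conf path '$_confpath' does not exist!"` tells the operator what to create. The surrounding if/else block begins outside this hunk.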
From: Lutchy Horace
Date: Wed, 11 May 2022 18:48:08 -0400
Subject: [PATCH 4/7] Set +x to update_firewall.sh

---
 update_firewall.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 update_firewall.sh

diff --git a/update_firewall.sh b/update_firewall.sh
old mode 100644
new mode 100755

From 421b9a57cc31cb0b82ee70e0711294853a26f0b7 Mon Sep 17 00:00:00 2001
From: Lutchy Horace
Date: Wed, 11 May 2022 18:55:27 -0400
Subject: [PATCH 5/7] Moved /srv/http-combined-content to /srv/www/http-combined-content

---
 createVhosts.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/createVhosts.sh b/createVhosts.sh
index cedadbe..465985b 100755
--- a/createVhosts.sh
+++ b/createVhosts.sh
@@ -260,10 +260,10 @@ fi
 ## Begin issuing certificate
 ###########################################
-echo -n "Checking if /srv/http-content-combined/ exists? "
-if ! test -d /srv/http-content-combined; then
+echo -n "Checking if /srv/www/http-content-combined/ exists? "
+if ! test -d /srv/www/http-content-combined; then
 echo "Creating..."
- mkdir -p /srv/http-content-combined/
+ mkdir -p /srv/www/http-content-combined/
 else
 echo "Yes!"
 fi
@@ -292,7 +292,7 @@ server {
 access_log /var/log/nginx/${_domain}.access.log main;
 location /.well-known {
- root /srv/http-content-combined/;
+ root /srv/www/http-content-combined/;
 autoindex on;
 }

From d98e74b0367fcc9daea95655db4dbeae89ab8391 Mon Sep 17 00:00:00 2001
From: Lutchy Horace
Date: Tue, 6 Jun 2023 22:56:44 +0000
Subject: [PATCH 6/7] Resolve "update_firewall.sh can intermitten failures if it's unable to resolve fwgw.lhprojects.net"

---
 createVhosts.sh | 41 ++++++++++++++++++++-----
 update_firewall.sh | 75 +++++++++++++++++++++++++++++++++-------------
 2 files changed, 88 insertions(+), 28 deletions(-)

diff --git a/createVhosts.sh b/createVhosts.sh
index 465985b..63937e7 100755
--- a/createVhosts.sh
+++ b/createVhosts.sh
@@ -23,6 +23,12 @@ function usage
 echo " Do not redirect HTTP to HTTPS"
 echo " --servicename"
 echo " The Nginx server service name to use to reload"
+ echo " --standalone"
+ echo " Instead of webroot, use acme.sh builtin server"
+ echo " --bindaddress"
+ echo " Listening address for acme.sh builtin server. Default is 0.0.0.0"
+ echo " --bindport"
+ echo " Listening port for acme.sh builtin server. Default is 8999"
 echo " -d | --debug"
 echo " Enable debug logging"
 echo " -h | --help"
@@ -38,7 +44,14 @@ function get_cert
 if [ "$DEBUG" = "1" ]; then
 _debug_arg="--debug"
 fi
- /root/.acme.sh/acme.sh --issue --domain "$_domain" --webroot /srv/http-content-combined/ --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
+ # set args for what mode acme.sh is going to run in
+ if [ "$_standalone" = true ]; then
+ _mode="--standalone --local-address $_bindaddress --httpport $_bindport"
+ else
+ _mode="--webroot $web_root"
+ fi
+
+ /root/.acme.sh/acme.sh --issue --domain "$_domain" $_mode --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
 return $?
 }
@@ -69,7 +82,7 @@ function clean_up
 function verify_vhost
 {
 local target=127.0.0.1
- local verify_path=/srv/http-content-combined/.well-known/
+ local verify_path=$web_root/.well-known/
 local verify_file_name=verify.$_domain.html
 local verify_full_path=$verify_path$verify_file_name
 local http_code
@@ -90,10 +103,12 @@ function verify_vhost
 fi
 }
 
+## define varables
 _cwd="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 _bootstrap=${_cwd}/bootstrap.sh
 _bb_myname=$(basename "$0")
 _bb_mypath=$(realpath $BASH_SOURCE)
+web_root=/srv/www/webroot
 
 # Init script
 if test -f "$_bootstrap"; then
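Review bot: `_mode="--standalone --local-address $_bindaddress --httpport $_bindport"` in the `function get_cert` hunk builds an argument list as one string and relies on the unquoted `$_mode` at the acme.sh call to split it again, so a `--bindaddress` or `--bindport` value containing whitespace or glob characters is split or expanded before acme.sh sees it. A bash array keeps each argument intact: `_mode=(--standalone --local-address "$_bindaddress" --httpport "$_bindport")`, `_mode=(--webroot "$web_root")`, and `"${_mode[@]}"` in the command line (the file already uses `[[` and `${BASH_SOURCE[0]}`, so arrays are in scope). The same acme.sh line is rewritten again in the PATCH 7/7 hunk and would take the same change. The default bind address of 0.0.0.0 in the new usage text also exposes the temporary validation listener on every interface; the usage line could say that a specific address is preferable where one is known. The rest of `get_cert` lies outside the hunk.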
@@ -111,7 +126,7 @@ fi
 # gain priviledges
 become "$@"
 
-OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,debug -n 'createVhosts' -- "$@")
+OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,standalone,bindaddress:,bindport:,debug -n 'createVhosts' -- "$@")
 if [ "$?" -gt '0' ]; then
 echo 'Failed to set command line arguments'
 exit 1;
@@ -127,6 +142,9 @@ _listenip=""
 _debug=false
 _servicename=nginx
 _confpath=/etc/nginx
+_standalone=false
+_bindaddress=0.0.0.0
+_bindport=8999
 while true; do
 case "$1" in
 --domain )
@@ -153,6 +171,15 @@ while true; do
 --confpath )
 _confpath=$2
 shift ;;
+ --standalone )
+ _standalone=true
+ shift ;;
+ --bindaddress )
+ _bindaddress=$2
+ shift ;;
+ --bindport )
+ _bindport=$2
+ shift ;;
 -d | --debug )
 _debug=true
 shift ;;
@@ -260,10 +287,10 @@ fi
 ## Begin issuing certificate
 ###########################################
-echo -n "Checking if /srv/www/http-content-combined/ exists? "
-if ! test -d /srv/www/http-content-combined; then
+echo -n "Checking if $web_root exists? "
+if ! test -d $web_root; then
 echo "Creating..."
- mkdir -p /srv/www/http-content-combined/
+ mkdir -p $web_root
 else
 echo "Yes!"
 fi
@@ -292,7 +319,7 @@ server {
 access_log /var/log/nginx/${_domain}.access.log main;
 location /.well-known {
- root /srv/www/http-content-combined/;
+ root $web_root;
 autoindex on;
 }
diff --git a/update_firewall.sh b/update_firewall.sh
index 6d277ac..390dc4b 100755
--- a/update_firewall.sh
+++ b/update_firewall.sh
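Review bot: The new `--bindaddress` and `--bindport` arms in the `while true; do` hunk store `$2` without any check, and those values later become `--local-address`/`--httpport` arguments to acme.sh in the `function get_cert` hunk of the same commit. A port that is not numeric, or an address that is not an IP literal, is cheaper to reject here than to diagnose from acme.sh output: `--bindport ) [[ "$2" =~ ^[0-9]+$ ]] || err "Invalid --bindport: $2"` before `_bindport=$2`, with a similar IPv4-literal test for `--bindaddress` (`err` is already used in this file for the missing --root/--backend case; whether it exits is not visible here). The option loop starts and ends outside this hunk.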
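Review bot: `if ! test -d $web_root; then` and `mkdir -p $web_root` in the `## Begin issuing certificate` hunk expand the new variable unquoted; with the fixed `/srv/www/webroot` value this is harmless today, but every other use of the variable (`--webroot $web_root`, `root $web_root;`) copies the pattern and will misbehave the moment the path gains a space. Quoting costs nothing: `if ! test -d "$web_root"; then` and `mkdir -p "$web_root"`.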
@@ -6,12 +6,47 @@
 #
 #
-# Updates FirewallD on s3va.bugzbunny.net when my home IP address changes.
+# Updates FirewallD when my home IP address changes.
 #
 
 # Define variables
-CACHE_IP_FILE=/tmp/update_firewall.cache
-HOME_IP=$(host fwgw.lhprojects.net | cut -d ' ' -f 4)
+CACHE_IP_FILE=/var/cache/update_firewall.cache
+
+get_home_ip () {
+ tmpfile=$(mktemp)
+
+ for i in {1..5};
+ do
+ host fwgw.lhprojects.net 1.1.1.1 > $tmpfile && s=0 && break || s=1 && sleep 3;
+ done
+
+ if [ $s -eq 0 ]; then
+ HOME_IP=$(cat $tmpfile | cut -d ' ' -f 4 | xargs)
+ else
+ echo "Error: Can't resolve fwgw.lhprojects.net"
+ rm $tmpfile
+ exit 1
+ fi
+ rm $tmpfile
+}
+
+remove_ip () {
+ # remove old entry
+ firewall-cmd --permanent --ipset=node_ips --remove-entry=$1 &> /dev/null
+ # reload firewall
+ firewall-cmd --reload &> /dev/null
+}
+
+add_ip () {
+ # add new entry
+ firewall-cmd --permanent --ipset=node_ips --add-entry=$1 &> /dev/null
+ # reload firewall
+ firewall-cmd --reload &> /dev/null
+}
+
+write_ip_cache () {
+ echo "$1" > $CACHE_IP_FILE
+}
 
 update_firewall () {
 # check if cache IP is in the ipset entries
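Review bot: `HOME_IP=$(cat $tmpfile | cut -d ' ' -f 4 | xargs)` in `get_home_ip` only trims the resolver output; it never checks that the result is one IPv4 address, and `xargs` will join a CNAME or AAAA line into the same value, which then reaches `--add-entry=$1` unquoted in `add_ip`. Because this DNS answer drives a firewall allow-list, this is exactly where a stale, mis-parsed or spoofed answer lands, so the function should take only the A-record field and refuse anything that is not a single dotted-quad before returning; format checking does not authenticate the answer, but it keeps garbage and multi-word values out of `node_ips`. The rewrite below keeps the retry loop and replaces the extraction plus adds the check; `tmpfile` and `s` could also be `local`, and `rm $tmpfile` should be `rm -- "$tmpfile"`. The `&> /dev/null` on every firewall-cmd call in `remove_ip`/`add_ip` separately hides their exit status from callers.
```shell
get_home_ip () {
  # … unchanged: mktemp and the five-attempt resolver loop …
  if [ "$s" -eq 0 ]; then
    # keep only the A record; a CNAME or AAAA line would otherwise be joined in by xargs
    HOME_IP=$(awk '/has address/ { print $4; exit }' "$tmpfile")
  else
    # … unchanged: error message, rm, exit 1 …
  fi
  rm -- "$tmpfile"
  # accept nothing but a single IPv4 literal before it reaches firewall-cmd
  if [[ ! "$HOME_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    echo "Error: no usable IPv4 address in resolver output for fwgw.lhprojects.net" >&2
    exit 1
  fi
}
```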
@@ -19,36 +54,34 @@ update_firewall () {
 found=false
 for ip in $ipset_entries; do
- if [ "$ip" = "$CACHE_IP" ]; then
- # remove old entry
- firewall-cmd --permanent --ipset=node_ips --remove-entry=$ip &> /dev/null
- # add new entry
- firewall-cmd --permanent --ipset=node_ips --add-entry=$HOME_IP &> /dev/null
- # reload firewall
- firewall-cmd --reload &> /dev/null
+ if [ "$ip" = "$1" ]; then
 found=true
 fi
 done
 
 if [ "$found" = false ]; then
- echo "Error: Unable to remove old cache IP: '$CACHE_IP'; Not Found."
- firewall-cmd --info-ipset=node_ips
- exit 1
- else
- echo "$HOME_IP" > $CACHE_IP_FILE
+ echo "Error: IP '$1' not found in firewall entries."
+ echo "Info: Updating IP in firewall."
+ add_ip $HOME_IP
 fi
 }
 
+# Get home ip
+get_home_ip
+
 # Check if we have cache IP
 if test -f $CACHE_IP_FILE; then
 CACHE_IP=$(cat $CACHE_IP_FILE)
- if [ "$HOME_IP" != "$CACHE_IP" ]; then
- update_firewall
+ if [ -z "$CACHE_IP" ]; then
+ update_firewall $HOME_IP
+ write_ip_cache $HOME_IP
+ elif [ "$HOME_IP" != "$CACHE_IP" ]; then
+ remove_ip $CACHE_IP
+ update_firewall $HOME_IP
+ write_ip_cache $HOME_IP
 fi
-
 else
- echo "$HOME_IP" > $CACHE_IP_FILE
- CACHE_IP=$HOME_IP
- update_firewall
+ update_firewall $HOME_IP
+ write_ip_cache $HOME_IP
 fi
 exit 0
\ No newline at end of file

From 94835e5a3c45f9dafa32de31f72eedafe5ea2d76 Mon Sep 17 00:00:00 2001
From: Lutchy Horace
Date: Wed, 7 Jun 2023 07:29:13 -0400
Subject: [PATCH 7/7] Closes #10

---
 createVhosts.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/createVhosts.sh b/createVhosts.sh
index 63937e7..e608538 100755
--- a/createVhosts.sh
+++ b/createVhosts.sh
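Review bot: `remove_ip $CACHE_IP` followed unconditionally by `update_firewall $HOME_IP` and `write_ip_cache $HOME_IP` means a failed removal is never noticed: `remove_ip` (defined in the previous hunk) sends firewall-cmd's output to /dev/null and returns only the `--reload` status, after which the cache is overwritten with the new address and the old one stays in `node_ips` indefinitely. Since that ipset is an allow-list, stale entries are the failure that matters here, so have `remove_ip`/`add_ip` return the `--remove-entry`/`--add-entry` status (capture it before the reload) and chain the steps so the cache is written only on success: `remove_ip "$CACHE_IP" && update_firewall "$HOME_IP" && write_ip_cache "$HOME_IP"`. `$CACHE_IP` comes straight from a file and is expanded unquoted into firewall-cmd; a `[[ "$CACHE_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]` test before `remove_ip` would reject a corrupted cache instead of passing it on. Inside `update_firewall` the not-found branch calls `add_ip $HOME_IP` although the function now takes the address as `$1`; `add_ip "$1"` keeps the parameter honest, and a header comment such as `# ensure $1 is present in node_ips; adds it (with reload) when missing` would make the three call sites easier to read.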
@@ -51,7 +51,7 @@ function get_cert
 _mode="--webroot $web_root"
 fi
- /root/.acme.sh/acme.sh --issue --domain "$_domain" $_mode --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
+ /root/.acme.sh/acme.sh --issue --domain "$_domain" $_mode --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt --server letsencrypt $_debug_arg
 return $?
 }
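Review bot: The new `--server letsencrypt` argument pins the CA, but nothing on the line or in the `Closes #10` commit message says why, so the next maintainer may drop it as redundant; a one-line comment above the call such as `# pin the CA explicitly rather than relying on acme.sh's default CA (presumably changed between releases; confirm against the installed acme.sh)` would preserve the intent. The same comment is a good place to record that `$_mode` and `$_debug_arg` are left unquoted on purpose because they carry zero or several words. The rest of `get_cert` is outside the hunk.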