Closes #10

Resolve "update_firewall.sh can intermitten failures if it's unable to resolve fwgw.lhprojects.net"

Closes #9

See merge request lhprojects-information-network/scripts!7

createVhosts.sh

@@ -23,6 +23,12 @@ function usage
     echo "        Do not redirect HTTP to HTTPS"
     echo "    --servicename"
     echo "        The Nginx server service name to use to reload"
+    echo "    --standalone"
+    echo "        Instead of webroot, use acme.sh builtin server"
+    echo "    --bindaddress"
+    echo "        Listening address for acme.sh builtin server. Default is 0.0.0.0"
+    echo "    --bindport"
+    echo "        Listening port for acme.sh builtin server. Default is 8999"
     echo "    -d | --debug"
     echo "        Enable debug logging"
     echo "    -h | --help"
@@ -38,7 +44,14 @@ function get_cert
     if [ "$DEBUG" = "1" ]; then
         _debug_arg="--debug"
     fi
-	/root/.acme.sh/acme.sh --issue --domain "$_domain" --webroot /srv/http-content-combined/ --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
+    # set args for what mode acme.sh is going to run in
+    if [ "$_standalone" = true ]; then
+        _mode="--standalone --local-address $_bindaddress --httpport $_bindport"
+    else
+        _mode="--webroot $web_root"
+    fi
+
+	/root/.acme.sh/acme.sh --issue --domain "$_domain" $_mode --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt --server letsencrypt $_debug_arg
     return $?
 }
 
@@ -69,7 +82,7 @@ function clean_up
 function verify_vhost
 {
     local target=127.0.0.1
-    local verify_path=/srv/http-content-combined/.well-known/
+    local verify_path=$web_root/.well-known/
     local verify_file_name=verify.$_domain.html
     local verify_full_path=$verify_path$verify_file_name
     local http_code
@@ -90,10 +103,12 @@ function verify_vhost
     fi
 }
 
+## define varables
 _cwd="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 _bootstrap=${_cwd}/bootstrap.sh
 _bb_myname=$(basename "$0")
 _bb_mypath=$(realpath $BASH_SOURCE)
+web_root=/srv/www/webroot
 
 # Init script
 if test -f "$_bootstrap"; then
@@ -111,7 +126,7 @@ fi
 # gain priviledges
 become "$@"
 
-OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,debug -n 'createVhosts' -- "$@")
+OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,standalone,bindaddress:,bindport:,debug -n 'createVhosts' -- "$@")
 if [ "$?" -gt '0' ]; then
     echo 'Failed to set command line arguments'
     exit 1;
@@ -126,6 +141,10 @@ _backend=""
 _listenip=""
 _debug=false
 _servicename=nginx
+_confpath=/etc/nginx
+_standalone=false
+_bindaddress=0.0.0.0
+_bindport=8999
 while true; do
 	case "$1" in
 		--domain )
@@ -152,6 +171,15 @@ while true; do
         --confpath )
             _confpath=$2
             shift ;;
+        --standalone )
+            _standalone=true
+            shift ;;
+        --bindaddress )
+            _bindaddress=$2
+            shift ;;
+        --bindport )
+            _bindport=$2
+            shift ;;
         -d | --debug )
             _debug=true
             shift ;;
@@ -175,41 +203,30 @@ if [[ $_domain = false ]]; then
 fi
 
 if test -n "$_root"; then
-    echo -n "Checking if $_root exists?"
+    echo -n "Checking if $_root exists? "
     if ! test -d "$_root"; then
-        echo " Creating..."
+        echo "Creating..."
         mkdir -p "$_root"
     else
-        echo " Yes!"
+        echo "Yes!"
     fi
     _rootpath="root $_root;"
 fi
 
-_check_host=success
+_check_host=failed
 _locationblock_http=""
 _locationblock_https=""
 if test -n "$_backend"; then
     echo "Verifying backend(s)..."
-	if ! validate_host "$_backend"; then
-        _check_host=failed
-    fi
-
-    # Include backend for HTTP traffic if donotredirect is enabled
-    #
-    if [ "$_donotredirect" = "true" ]; then
-##Begin HEREDOC
-_locationblock_http=$(cat  <<- EOF
-        proxy_pass $_backend;
-        include proxy_params;
-EOF
-)
-##End HEREDOC
+	if validate_host "$_backend"; then
+        _check_host=success
     fi
 
     if [ "$_check_host" = "success" ]; then
         # Include backend for HTTP traffic if donotredirect is enabled
         #
         if [ "$_donotredirect" = "true" ]; then
+
 ##Begin HEREDOC
 _locationblock_http=$(cat  <<- EOF
         proxy_pass $_backend;
@@ -217,6 +234,7 @@ _locationblock_http=$(cat  <<- EOF
 EOF
 )
 ##End HEREDOC
+
         fi
 
 ##Begin HEREDOC
@@ -225,7 +243,8 @@ _locationblock_https=$(cat  <<- EOF
         include proxy_params;
 EOF
 )
-##End HEREDOC
+##End   HEREDOC
+
     else
         err "Invalid hostname: $_backend. Not resolvable!"
     fi
@@ -244,12 +263,12 @@ if test -z "$_root" -a -z "$_backend"; then
     err "You must specify either --root or --backend!"
 fi
 
-echo -n "Checking if we should redirect?"
+echo -n "Checking if we should redirect? "
 if [ "$_donotredirect" = "false" ]; then
-    echo " Yes, enabling redirect!"
+    echo "Yes, enabling redirect!"
     _locationblock_http="       return 302 https://${_domain}\$request_uri;"
 else
-    echo " No!"
+    echo "No!"
 fi
 
 echo -n "Checking if conf path '$_confpath' exists? "
@@ -257,7 +276,7 @@ if test -d "$_confpath"; then
     echo "Yes!"
 else 
     echo "No!"
-    clean_up
+    clean_up "Conf path doesn't exists!"
 fi
 
 ##
@@ -268,12 +287,12 @@ fi
 ## Begin issuing certificate
 ###########################################
 
-echo -n "Checking if /srv/http-content-combined/ exists?"
-if ! test -d /srv/http-content-combined; then
-    echo " Creating..."
-    mkdir -p /srv/http-content-combined/
+echo -n "Checking if $web_root exists? "
+if ! test -d $web_root; then
+    echo "Creating..."
+    mkdir -p $web_root
 else
-    echo " Yes!"
+    echo "Yes!"
 fi
 
 _vhost_conf_file=$_confpath/conf.d/${_domain}.conf
@@ -300,7 +319,7 @@ server {
     access_log /var/log/nginx/${_domain}.access.log main;
 
     location /.well-known {
-        root /srv/http-content-combined/;
+        root $web_root;
         autoindex on;
     }
 

update_firewall.sh

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2021 by LHProjects <copyright@lhpmail.us>
+#
+# Permission is granted to use, copy, modify, and/or distribute this work for any purpose with or without fee. This work is offered as-is, with absolutely no warranty whatsoever. The author is not responsible for any damages that result from using this work. 
+#
+#
+
+# Updates FirewallD when my home IP address changes.
+#
+
+# Define variables
+CACHE_IP_FILE=/var/cache/update_firewall.cache
+
+get_home_ip () {
+	tmpfile=$(mktemp)
+
+	for i in {1..5}; 
+	do 
+		host fwgw.lhprojects.net 1.1.1.1 > $tmpfile && s=0 && break || s=1 && sleep 3;
+	done
+
+	if [ $s -eq 0 ]; then
+		HOME_IP=$(cat $tmpfile | cut -d ' ' -f 4 | xargs)
+	else
+		echo "Error: Can't resolve fwgw.lhprojects.net"
+		rm $tmpfile
+		exit 1
+	fi
+	rm $tmpfile
+}
+
+remove_ip () {
+	# remove old entry
+	firewall-cmd --permanent --ipset=node_ips --remove-entry=$1 &> /dev/null
+	# reload firewall
+	firewall-cmd --reload &> /dev/null
+}
+
+add_ip () {
+	# add new entry
+	firewall-cmd --permanent --ipset=node_ips --add-entry=$1 &> /dev/null
+	# reload firewall
+	firewall-cmd --reload &> /dev/null
+}
+
+write_ip_cache () {
+	echo "$1" > $CACHE_IP_FILE
+}
+
+update_firewall () {
+	# check if cache IP is in the ipset entries
+	ipset_entries=$(firewall-cmd --ipset=node_ips --get-entries 2> /dev/null)
+
+	found=false
+	for ip in $ipset_entries; do
+		if [ "$ip" = "$1" ]; then
+			found=true
+		fi
+	done
+
+	if [ "$found" = false ]; then
+		echo "Error: IP '$1' not found in firewall entries."
+		echo "Info: Updating IP in firewall."
+		add_ip $HOME_IP
+	fi
+}
+
+# Get home ip
+get_home_ip
+
+# Check if we have cache IP
+if test -f $CACHE_IP_FILE; then
+	CACHE_IP=$(cat $CACHE_IP_FILE)
+	if [ -z "$CACHE_IP" ]; then
+		update_firewall $HOME_IP
+		write_ip_cache $HOME_IP
+	elif [ "$HOME_IP" != "$CACHE_IP" ]; then
+		remove_ip $CACHE_IP
+		update_firewall $HOME_IP
+		write_ip_cache $HOME_IP
+	fi
+else
+	update_firewall $HOME_IP
+	write_ip_cache $HOME_IP
+fi
+exit 0