Compare commits
10 Commits
dce6be0601
...
94835e5a3c
Author | SHA1 | Date |
---|---|---|
Lutchy Horace | 94835e5a3c | |
Lutchy Horace | 0d4a01c97b | |
Lutchy Horace | d98e74b036 | |
Lutchy Horace | 421b9a57cc | |
Lutchy Horace | c1499d5e74 | |
Lutchy Horace | 178fa8e5dd | |
Lutchy Horace | be51283e33 | |
Lutchy Horace | 63c1ca72e3 | |
Lutchy Horace | a44a673758 | |
Lutchy Horace | 6f757f2ab7 |
|
@ -23,6 +23,12 @@ function usage
|
||||||
echo " Do not redirect HTTP to HTTPS"
|
echo " Do not redirect HTTP to HTTPS"
|
||||||
echo " --servicename"
|
echo " --servicename"
|
||||||
echo " The Nginx server service name to use to reload"
|
echo " The Nginx server service name to use to reload"
|
||||||
|
echo " --standalone"
|
||||||
|
echo " Instead of webroot, use acme.sh builtin server"
|
||||||
|
echo " --bindaddress"
|
||||||
|
echo " Listening address for acme.sh builtin server. Default is 0.0.0.0"
|
||||||
|
echo " --bindport"
|
||||||
|
echo " Listening port for acme.sh builtin server. Default is 8999"
|
||||||
echo " -d | --debug"
|
echo " -d | --debug"
|
||||||
echo " Enable debug logging"
|
echo " Enable debug logging"
|
||||||
echo " -h | --help"
|
echo " -h | --help"
|
||||||
|
@ -38,7 +44,14 @@ function get_cert
|
||||||
if [ "$DEBUG" = "1" ]; then
|
if [ "$DEBUG" = "1" ]; then
|
||||||
_debug_arg="--debug"
|
_debug_arg="--debug"
|
||||||
fi
|
fi
|
||||||
/root/.acme.sh/acme.sh --issue --domain "$_domain" --webroot /srv/http-content-combined/ --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt $_debug_arg
|
# set args for what mode acme.sh is going to run in
|
||||||
|
if [ "$_standalone" = true ]; then
|
||||||
|
_mode="--standalone --local-address $_bindaddress --httpport $_bindport"
|
||||||
|
else
|
||||||
|
_mode="--webroot $web_root"
|
||||||
|
fi
|
||||||
|
|
||||||
|
/root/.acme.sh/acme.sh --issue --domain "$_domain" $_mode --cert-file /etc/ssl/"${_domain}".crt --key-file /etc/ssl/"${_domain}".key --fullchain-file /etc/ssl/"${_domain}"-fullchain.crt --server letsencrypt $_debug_arg
|
||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -69,7 +82,7 @@ function clean_up
|
||||||
function verify_vhost
|
function verify_vhost
|
||||||
{
|
{
|
||||||
local target=127.0.0.1
|
local target=127.0.0.1
|
||||||
local verify_path=/srv/http-content-combined/.well-known/
|
local verify_path=$web_root/.well-known/
|
||||||
local verify_file_name=verify.$_domain.html
|
local verify_file_name=verify.$_domain.html
|
||||||
local verify_full_path=$verify_path$verify_file_name
|
local verify_full_path=$verify_path$verify_file_name
|
||||||
local http_code
|
local http_code
|
||||||
|
@ -90,10 +103,12 @@ function verify_vhost
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
## define varables
|
||||||
_cwd="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
_cwd="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||||
_bootstrap=${_cwd}/bootstrap.sh
|
_bootstrap=${_cwd}/bootstrap.sh
|
||||||
_bb_myname=$(basename "$0")
|
_bb_myname=$(basename "$0")
|
||||||
_bb_mypath=$(realpath $BASH_SOURCE)
|
_bb_mypath=$(realpath $BASH_SOURCE)
|
||||||
|
web_root=/srv/www/webroot
|
||||||
|
|
||||||
# Init script
|
# Init script
|
||||||
if test -f "$_bootstrap"; then
|
if test -f "$_bootstrap"; then
|
||||||
|
@ -111,7 +126,7 @@ fi
|
||||||
# gain priviledges
|
# gain priviledges
|
||||||
become "$@"
|
become "$@"
|
||||||
|
|
||||||
OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,debug -n 'createVhosts' -- "$@")
|
OPTS=$(getopt -o h,d -l domain:,root:,backend:,listenip:,desc:,donotredirect,servicename:,confpath:,standalone,bindaddress:,bindport:,debug -n 'createVhosts' -- "$@")
|
||||||
if [ "$?" -gt '0' ]; then
|
if [ "$?" -gt '0' ]; then
|
||||||
echo 'Failed to set command line arguments'
|
echo 'Failed to set command line arguments'
|
||||||
exit 1;
|
exit 1;
|
||||||
|
@ -126,6 +141,10 @@ _backend=""
|
||||||
_listenip=""
|
_listenip=""
|
||||||
_debug=false
|
_debug=false
|
||||||
_servicename=nginx
|
_servicename=nginx
|
||||||
|
_confpath=/etc/nginx
|
||||||
|
_standalone=false
|
||||||
|
_bindaddress=0.0.0.0
|
||||||
|
_bindport=8999
|
||||||
while true; do
|
while true; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
--domain )
|
--domain )
|
||||||
|
@ -152,6 +171,15 @@ while true; do
|
||||||
--confpath )
|
--confpath )
|
||||||
_confpath=$2
|
_confpath=$2
|
||||||
shift ;;
|
shift ;;
|
||||||
|
--standalone )
|
||||||
|
_standalone=true
|
||||||
|
shift ;;
|
||||||
|
--bindaddress )
|
||||||
|
_bindaddress=$2
|
||||||
|
shift ;;
|
||||||
|
--bindport )
|
||||||
|
_bindport=$2
|
||||||
|
shift ;;
|
||||||
-d | --debug )
|
-d | --debug )
|
||||||
_debug=true
|
_debug=true
|
||||||
shift ;;
|
shift ;;
|
||||||
|
@ -175,41 +203,30 @@ if [[ $_domain = false ]]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test -n "$_root"; then
|
if test -n "$_root"; then
|
||||||
echo -n "Checking if $_root exists?"
|
echo -n "Checking if $_root exists? "
|
||||||
if ! test -d "$_root"; then
|
if ! test -d "$_root"; then
|
||||||
echo " Creating..."
|
echo "Creating..."
|
||||||
mkdir -p "$_root"
|
mkdir -p "$_root"
|
||||||
else
|
else
|
||||||
echo " Yes!"
|
echo "Yes!"
|
||||||
fi
|
fi
|
||||||
_rootpath="root $_root;"
|
_rootpath="root $_root;"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_check_host=success
|
_check_host=failed
|
||||||
_locationblock_http=""
|
_locationblock_http=""
|
||||||
_locationblock_https=""
|
_locationblock_https=""
|
||||||
if test -n "$_backend"; then
|
if test -n "$_backend"; then
|
||||||
echo "Verifying backend(s)..."
|
echo "Verifying backend(s)..."
|
||||||
if ! validate_host "$_backend"; then
|
if validate_host "$_backend"; then
|
||||||
_check_host=failed
|
_check_host=success
|
||||||
fi
|
|
||||||
|
|
||||||
# Include backend for HTTP traffic if donotredirect is enabled
|
|
||||||
#
|
|
||||||
if [ "$_donotredirect" = "true" ]; then
|
|
||||||
##Begin HEREDOC
|
|
||||||
_locationblock_http=$(cat <<- EOF
|
|
||||||
proxy_pass $_backend;
|
|
||||||
include proxy_params;
|
|
||||||
EOF
|
|
||||||
)
|
|
||||||
##End HEREDOC
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$_check_host" = "success" ]; then
|
if [ "$_check_host" = "success" ]; then
|
||||||
# Include backend for HTTP traffic if donotredirect is enabled
|
# Include backend for HTTP traffic if donotredirect is enabled
|
||||||
#
|
#
|
||||||
if [ "$_donotredirect" = "true" ]; then
|
if [ "$_donotredirect" = "true" ]; then
|
||||||
|
|
||||||
##Begin HEREDOC
|
##Begin HEREDOC
|
||||||
_locationblock_http=$(cat <<- EOF
|
_locationblock_http=$(cat <<- EOF
|
||||||
proxy_pass $_backend;
|
proxy_pass $_backend;
|
||||||
|
@ -217,6 +234,7 @@ _locationblock_http=$(cat <<- EOF
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
##End HEREDOC
|
##End HEREDOC
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
##Begin HEREDOC
|
##Begin HEREDOC
|
||||||
|
@ -226,6 +244,7 @@ _locationblock_https=$(cat <<- EOF
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
##End HEREDOC
|
##End HEREDOC
|
||||||
|
|
||||||
else
|
else
|
||||||
err "Invalid hostname: $_backend. Not resolvable!"
|
err "Invalid hostname: $_backend. Not resolvable!"
|
||||||
fi
|
fi
|
||||||
|
@ -244,12 +263,12 @@ if test -z "$_root" -a -z "$_backend"; then
|
||||||
err "You must specify either --root or --backend!"
|
err "You must specify either --root or --backend!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo -n "Checking if we should redirect?"
|
echo -n "Checking if we should redirect? "
|
||||||
if [ "$_donotredirect" = "false" ]; then
|
if [ "$_donotredirect" = "false" ]; then
|
||||||
echo " Yes, enabling redirect!"
|
echo "Yes, enabling redirect!"
|
||||||
_locationblock_http=" return 302 https://${_domain}\$request_uri;"
|
_locationblock_http=" return 302 https://${_domain}\$request_uri;"
|
||||||
else
|
else
|
||||||
echo " No!"
|
echo "No!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo -n "Checking if conf path '$_confpath' exists? "
|
echo -n "Checking if conf path '$_confpath' exists? "
|
||||||
|
@ -257,7 +276,7 @@ if test -d "$_confpath"; then
|
||||||
echo "Yes!"
|
echo "Yes!"
|
||||||
else
|
else
|
||||||
echo "No!"
|
echo "No!"
|
||||||
clean_up
|
clean_up "Conf path doesn't exists!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -268,12 +287,12 @@ fi
|
||||||
## Begin issuing certificate
|
## Begin issuing certificate
|
||||||
###########################################
|
###########################################
|
||||||
|
|
||||||
echo -n "Checking if /srv/http-content-combined/ exists?"
|
echo -n "Checking if $web_root exists? "
|
||||||
if ! test -d /srv/http-content-combined; then
|
if ! test -d $web_root; then
|
||||||
echo " Creating..."
|
echo "Creating..."
|
||||||
mkdir -p /srv/http-content-combined/
|
mkdir -p $web_root
|
||||||
else
|
else
|
||||||
echo " Yes!"
|
echo "Yes!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_vhost_conf_file=$_confpath/conf.d/${_domain}.conf
|
_vhost_conf_file=$_confpath/conf.d/${_domain}.conf
|
||||||
|
@ -300,7 +319,7 @@ server {
|
||||||
access_log /var/log/nginx/${_domain}.access.log main;
|
access_log /var/log/nginx/${_domain}.access.log main;
|
||||||
|
|
||||||
location /.well-known {
|
location /.well-known {
|
||||||
root /srv/http-content-combined/;
|
root $web_root;
|
||||||
autoindex on;
|
autoindex on;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
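Review bot: The standalone branch of get_cert (hunk `@ -38,7 +44,14 @@`) builds `_mode` as one string and expands it unquoted on the acme.sh line, so any space or glob character in `$web_root`, `$_bindaddress` or `$_bindport` is re-split into separate arguments; the same unquoted `$web_root` appears in the `test -d` / `mkdir -p` pair of the `@ -268,12 +287,12 @@` hunk. Use an array instead: `_mode=(--standalone --local-address "$_bindaddress" --httpport "$_bindport")`, `_mode=(--webroot "$web_root")`, and pass `"${_mode[@]}"` (quote `"$web_root"` on the two lines as well). The usage text should also say that the default `--bindaddress` of 0.0.0.0 exposes the acme.sh builtin server on every interface while the issue runs; if challenge traffic only reaches it through the local nginx proxy, 127.0.0.1 is the safer default. The `location /.well-known` block in the last hunk still serves from `$web_root`, so in standalone mode something outside this diff presumably forwards port 80 to `$_bindport` — worth confirming, since otherwise the HTTP-01 challenge never reaches the builtin server.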
@ -0,0 +1,87 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# Copyright (C) 2021 by LHProjects <copyright@lhpmail.us>
|
||||||
|
#
|
||||||
|
# Permission is granted to use, copy, modify, and/or distribute this work for any purpose with or without fee. This work is offered as-is, with absolutely no warranty whatsoever. The author is not responsible for any damages that result from using this work.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
# Updates FirewallD when my home IP address changes.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Define variables
|
||||||
|
CACHE_IP_FILE=/var/cache/update_firewall.cache
|
||||||
|
|
||||||
|
get_home_ip () {
|
||||||
|
tmpfile=$(mktemp)
|
||||||
|
|
||||||
|
for i in {1..5};
|
||||||
|
do
|
||||||
|
host fwgw.lhprojects.net 1.1.1.1 > $tmpfile && s=0 && break || s=1 && sleep 3;
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ $s -eq 0 ]; then
|
||||||
|
HOME_IP=$(cat $tmpfile | cut -d ' ' -f 4 | xargs)
|
||||||
|
else
|
||||||
|
echo "Error: Can't resolve fwgw.lhprojects.net"
|
||||||
|
rm $tmpfile
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
rm $tmpfile
|
||||||
|
}
|
||||||
|
|
||||||
|
remove_ip () {
|
||||||
|
# remove old entry
|
||||||
|
firewall-cmd --permanent --ipset=node_ips --remove-entry=$1 &> /dev/null
|
||||||
|
# reload firewall
|
||||||
|
firewall-cmd --reload &> /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
add_ip () {
|
||||||
|
# add new entry
|
||||||
|
firewall-cmd --permanent --ipset=node_ips --add-entry=$1 &> /dev/null
|
||||||
|
# reload firewall
|
||||||
|
firewall-cmd --reload &> /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
write_ip_cache () {
|
||||||
|
echo "$1" > $CACHE_IP_FILE
|
||||||
|
}
|
||||||
|
|
||||||
|
update_firewall () {
|
||||||
|
# check if cache IP is in the ipset entries
|
||||||
|
ipset_entries=$(firewall-cmd --ipset=node_ips --get-entries 2> /dev/null)
|
||||||
|
|
||||||
|
found=false
|
||||||
|
for ip in $ipset_entries; do
|
||||||
|
if [ "$ip" = "$1" ]; then
|
||||||
|
found=true
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ "$found" = false ]; then
|
||||||
|
echo "Error: IP '$1' not found in firewall entries."
|
||||||
|
echo "Info: Updating IP in firewall."
|
||||||
|
add_ip $HOME_IP
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Get home ip
|
||||||
|
get_home_ip
|
||||||
|
|
||||||
|
# Check if we have cache IP
|
||||||
|
if test -f $CACHE_IP_FILE; then
|
||||||
|
CACHE_IP=$(cat $CACHE_IP_FILE)
|
||||||
|
if [ -z "$CACHE_IP" ]; then
|
||||||
|
update_firewall $HOME_IP
|
||||||
|
write_ip_cache $HOME_IP
|
||||||
|
elif [ "$HOME_IP" != "$CACHE_IP" ]; then
|
||||||
|
remove_ip $CACHE_IP
|
||||||
|
update_firewall $HOME_IP
|
||||||
|
write_ip_cache $HOME_IP
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
update_firewall $HOME_IP
|
||||||
|
write_ip_cache $HOME_IP
|
||||||
|
fi
|
||||||
|
exit 0
|
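Review bot: get_home_ip takes whatever the fourth field of the `host` answer is and the script passes it straight into `firewall-cmd --ipset=node_ips --add-entry=`, with no check that it is a single IPv4 address; an AAAA record, an extra output line, or a spoofed reply to the unauthenticated query to 1.1.1.1 ends up as an ipset entry (and because `add_ip $HOME_IP` is unquoted, a multi-word answer becomes extra arguments). add_ip and remove_ip also discard firewall-cmd's exit status, and write_ip_cache runs regardless, so a failed `--add-entry` leaves CACHE_IP equal to HOME_IP and the next run never retries. Validate the answer before use and let the failure propagate, then call `update_firewall "$HOME_IP" && write_ip_cache "$HOME_IP"` at the three call sites. tmpfile is not `local` and is leaked if the script is interrupted between mktemp and rm; `trap 'rm -f -- "$tmpfile"' EXIT` right after mktemp covers both exit paths.
```shell
    HOME_IP=$(cut -d ' ' -f 4 < "$tmpfile" | xargs)
    # The DNS answer is untrusted input: only a single dotted-quad may reach firewall-cmd.
    if ! [[ "$HOME_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
      echo "Error: unexpected answer for fwgw.lhprojects.net: '$HOME_IP'" >&2
      rm -f -- "$tmpfile"
      exit 1
    fi
# … unchanged: else branch, temp-file cleanup, remove_ip …

add_ip () {
  # Propagate failure so the caller does not cache an IP the firewall never received.
  firewall-cmd --permanent --ipset=node_ips --add-entry="$1" > /dev/null \
    && firewall-cmd --reload > /dev/null
}
```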