-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path25-servers
executable file
·161 lines (122 loc) · 4.58 KB
/
25-servers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
#!/bin/bash
# We expect /config/servers to be a folder contains Nginx fragments. These fragments should be
# the block of Nginx configuration that would be placed inside "server {}", but without the
# listen directive.
set -e
set -x
# Check that the Let's Encrypt email file is set.
if [ ! -e /config/letsencrypt.email ]; then
echo "The /config/letsencrypt.email file does not exist; you must create it for SSL issuance. This "
echo "file should contain the email address to associate SSL certificates with, and nothing more."
exit 1
fi
# Check that the Let's Encrypt domain issuance file is set.
if [ ! -e /config/letsencrypt.domains ]; then
echo "The /config/letsencrypt.domains file does not exist; you must create it for SSL issuance. This "
echo "file should be a newline-delimited list of domain names that SSL certificates should be issued "
echo "for. Note that you will need server configuration that runs servers on all of these "
echo "domains so that the SSL certificates can be issued."
exit 1
fi
# Create the directory for server configuration
mkdir /etc/nginx/servers
# Get the server fragments.
for a in /config/servers/*; do
echo "Generating a HTTP server for $a..."
FRAGMENT=$(basename $a)
if [ "${FRAGMENT:(-4)}" == ".ssl" ]; then
continue
fi
CONTENT=$(cat $a)
cat >/etc/nginx/servers/http-$FRAGMENT.conf <<EOF
server {
listen *:80;
$CONTENT
location /.well-known/ {
root /srv/letsencrypt-webroot;
}
include error.conf;
}
EOF
done
# Start Nginx with just HTTP servers
echo "Generated HTTP servers before SSL issuance; now starting Nginx..."
/usr/sbin/nginx
while [ ! -e /run/nginx.pid ]; do
echo "Waiting for /run/nginx.pid to appear for Let's Encrypt issuance..."
sleep 1
done
# Make the webroot that we will store certificates in
mkdir /srv/letsencrypt-webroot
# If the Let's Encrypt folder doesn't exist, create it
if [ ! -d /certs ]; then
echo "Unable to issue certificates because there is no volume mapped to /certs. You need to "
echo "volume mount /certs to the Docker container so there is persistent storage for the "
echo "private key files that are issued!"
exit 1
fi
# Link the Let's Encrypt folder into the configuration directory
ln -s /certs /etc/letsencrypt
# Get the email address to use for issuance
LETS_ENCRYPT_EMAIL=$(cat /config/letsencrypt.email)
# Get the domains to issue SSL certificates for
LETS_ENCRYPT_DOMAINS=$(cat /config/letsencrypt.domains)
# Create the preamble for the Let's Encrypt weekly reissuance script.
echo "#!/bin/bash" > /etc/cron.weekly/letsencrypt
chmod a+x /etc/cron.weekly/letsencrypt
# Perform the Let's Encrypt certificate issuance for all domains
for DOMAIN in $LETS_ENCRYPT_DOMAINS; do
echo "Obtaining SSL certificate for $DOMAIN..."
/srv/letsencrypt/letsencrypt-auto certonly --keep --debug --agree-tos --webroot -w /srv/letsencrypt-webroot --email $LETS_ENCRYPT_EMAIL -d $DOMAIN || true
echo "/srv/letsencrypt/letsencrypt-auto certonly --keep --debug --agree-tos --webroot -w /srv/letsencrypt-webroot --email $LETS_ENCRYPT_EMAIL -d $DOMAIN" >> /etc/cron.weekly/letsencrypt
done
# Shutdown the Nginx server
echo "Stopping HTTP-only Nginx..."
kill -KILL $(pidof nginx)
rm /run/nginx.pid
# Now generate HTTPS servers for fragments.
for a in /config/servers/*; do
if [ ! -e $a.ssl ]; then
echo "WARNING: $a.ssl does not exist, so this server can't run in SSL mode. You need"
echo "to create $a.ssl with the SSL-only options, such as the path to the Let's Encrypt"
echo "certificates that were just generated for the domain (if any)."
continue
fi
echo "Generating a HTTPS server for $a..."
FRAGMENT=$(basename $a)
if [ "${FRAGMENT:(-4)}" == ".ssl" ]; then
continue
fi
CONTENT=$(cat $a)
CONTENT_SSL=$(cat $a.ssl)
cat >/etc/nginx/servers/https-$FRAGMENT.conf <<EOF
server {
listen *:443;
ssl on;
$CONTENT_SSL
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
$CONTENT
location /.well-known/ {
root /srv/letsencrypt-webroot;
}
include error.conf;
}
EOF
done
# Check syntax
/usr/sbin/nginx -t
if [ $? -ne 0 ]; then
echo "Nginx syntax check fail"
exit 1
fi
# Run Nginx
/usr/sbin/nginx
# Wait for /run/nginx.pid to appear and copy it.
while [ ! -e /run/nginx.pid ]; do
echo "Waiting for /run/nginx.pid to appear..."
sleep 1
done
cp /run/nginx.pid /run/watch/nginx