road to v1.2.1
This commit is contained in:
parent
78c1e5c676
commit
f618c73e6c
|
@ -28,7 +28,10 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
|
|||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
mkdir /acme-challenge && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
|
|
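Review bot: `chmod 750 /acme-challenge` leaves the ACME webroot root-owned and only traversable by group nginx, which works because the certbot-new.sh script added on this page writes the challenge tokens into it (presumably as root, since its callers also run chown) and the nginx workers only need to read them, but that split is not stated anywhere in the RUN step. A comment such as `# ACME webroot: populated by certbot (root), read-only for nginx` above `mkdir /acme-challenge` would keep the next edit from loosening it to 755 or handing the directory to nginx:nginx. The identical lines appear again in the hunk starting at the second `@ -28,7 +28,10 @@` header.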
@ -28,7 +28,10 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
|
|||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
mkdir /acme-challenge && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
|
|
@ -35,7 +35,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
|
|||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
|
|
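Review bot: `chown root:nginx /acme-challenge` and `chmod 750 /acme-challenge` are added here without the `mkdir /acme-challenge && \` that the `@ -28,7 +28,10 @@` hunks add; unless this Dockerfile creates the directory elsewhere (not visible in the hunk), the chown fails and the image build aborts at this RUN step. Adding `mkdir /acme-challenge && \` before the chown line keeps all variants identical. The hunks starting at the second `@ -35,7 +35,9 @@` header and at `@ -28,7 +28,9 @@` have the same gap.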
@ -35,7 +35,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
|
|||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
|
|
@ -28,7 +28,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
|
|||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
|
|
@ -8,3 +8,4 @@ ssl_session_timeout 1d;
|
|||
ssl_session_cache shared:MozSSL:10m;
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
|
@ -0,0 +1,3 @@
|
|||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
|
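Review bot: `location ~ ^/.well-known/acme-challenge/` is a regex location, so any `^~` prefix location or an earlier regex location in the same server block takes precedence and the challenge request never reaches `root /acme-challenge`; the unescaped `.` also matches any character. A prefix location with the `^~` modifier is both higher priority and literal: `location ^~ /.well-known/acme-challenge/ {`. The same regex form is used in the server block of the hunk at `@ -0,0 +1,20 @@` (presumably nginx-temp.conf, given its `%HTTP_PORT%` placeholder).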
@ -0,0 +1,6 @@
|
|||
server {
|
||||
%LISTEN_HTTP%
|
||||
server_name _;
|
||||
%USE_HTTPS%
|
||||
%MULTISITE_DISABLE_DEFAULT_SERVER%
|
||||
}
|
|
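Review bot: when the setup-script hunk at `@ -31,6 +37,48 @@` blanks both `%LISTEN_HTTP%` (no site with LISTEN_HTTP=yes) and `%USE_HTTPS%` (no site with HTTPS), this `server { server_name _; ... }` block is left with no `listen` directive at all, and nginx then falls back to its implicit default listener (*:80, or *:8000 when not started as root) instead of listening nowhere. Either the script branch that writes `""` for `%LISTEN_HTTP%` should skip including this file when `%USE_HTTPS%` is also empty, or the template should state the constraint, e.g. `# at least one of %LISTEN_HTTP% / %USE_HTTPS% must expand to a listen directive`, so the next reader does not assume an empty block is inert.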
@ -1,6 +1,3 @@
|
|||
server {
|
||||
%LISTEN_HTTP%
|
||||
%USE_HTTPS%
|
||||
server_name _;
|
||||
location / {
|
||||
return 444;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
daemon on;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
server {
|
||||
listen 0.0.0.0:%HTTP_PORT% default_server;
|
||||
server_name _;
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
||||
location / {
|
||||
return 444;
|
||||
}
|
||||
}
|
||||
}
|
|
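Review bot: this temporary configuration has no `user` directive, and the setup-script hunk at `@ -20,6 +20,12 @@` starts it with a plain `nginx -c /etc/nginx/nginx-temp.conf`, presumably as root since that script also runs chown; the workers then run as nginx's compile-time default user, which is not necessarily a member of group nginx and so cannot traverse the root:nginx 0750 `/acme-challenge` created in the Dockerfile, turning every challenge into a 403. Adding `user nginx;` at the top of this file pins the worker identity to the account that actually holds the group grant. Whether the package's default user differs from nginx cannot be confirmed from this page and is worth checking against `nginx -V`.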
@ -100,8 +100,8 @@ http {
|
|||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
|
||||
# disable default server when MULTISITE=yes
|
||||
%MULTISITE_DISABLE_DEFAULT_SERVER%
|
||||
# default server when MULTISITE=yes
|
||||
%MULTISITE_DEFAULT_SERVER%
|
||||
|
||||
# server config(s)
|
||||
%INCLUDE_SERVER%
|
||||
|
|
|
@ -9,3 +9,4 @@ ssl_session_cache shared:MozSSL:10m;
|
|||
%STRICT_TRANSPORT_SECURITY%
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
location ^~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
|
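Review bot: `location ^~ ^/.well-known/acme-challenge/` mixes the prefix modifier `^~` with a regex anchor: with `^~` the pattern is a literal prefix, so nginx looks for URIs beginning with the character `^`, the challenge path never matches, and `root /acme-challenge` is unreachable. The line should read `location ^~ /.well-known/acme-challenge/ {`. The sibling file added at `@ -0,0 +1,3 @@` earlier on this page uses the regex form `~ ^/...`, so the two webroot includes currently do not behave the same way.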
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
MULTISITE="${MULTISITE-no}"
|
||||
LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
|
||||
LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
|
||||
HTTP_PORT="${HTTP_PORT-8080}"
|
||||
HTTPS_PORT="${HTTPS_PORT-8443}"
|
||||
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
|
||||
|
|
|
@ -64,6 +64,9 @@ rsyslogd
|
|||
crond
|
||||
|
||||
# start nginx
|
||||
if [ -f "/tmp/nginx.pid" ] ; then
|
||||
nginx -s quit
|
||||
fi
|
||||
echo "[*] Running nginx ..."
|
||||
su -s "/usr/sbin/nginx" nginx
|
||||
|
||||
|
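Review bot: `nginx -s quit` only sends SIGQUIT and returns immediately, so the `su -s "/usr/sbin/nginx" nginx` that follows can race the still-exiting temporary instance for the HTTP port and fail with an address-in-use error. The temporary instance was started with `-c /etc/nginx/nginx-temp.conf` (hunk `@ -20,6 +20,12 @@`), while this `-s quit` reads the default configuration for the pid path, which only finds it if that file also declares `/tmp/nginx.pid`; that cannot be seen on this page. Waiting for the pid file to disappear closes the window: `while [ -f /tmp/nginx.pid ] ; do sleep 1 ; done` right after the quit.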
@ -97,6 +100,7 @@ fi
|
|||
# start the autoconf manager
|
||||
if [ -S "/var/run/docker.sock" ] ; then
|
||||
echo "[*] Running autoconf ..."
|
||||
touch /var/log/autoconf.log
|
||||
/opt/autoconf/autoconf.py > /var/log/autoconf.log 2>&1 &
|
||||
LOGS="$LOGS /var/log/autoconf.log"
|
||||
fi
|
||||
|
|
|
@ -20,6 +20,12 @@ if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
|||
apk add $ADDITIONAL_MODULES
|
||||
fi
|
||||
|
||||
# start nginx with temp conf for let's encrypt challenges
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
|
||||
nginx -c /etc/nginx/nginx-temp.conf
|
||||
fi
|
||||
|
||||
# include server block(s)
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
includes=""
|
||||
|
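Review bot: `nginx -c /etc/nginx/nginx-temp.conf` is started without checking its exit status, so if the temporary instance cannot bind the port substituted for `%HTTP_PORT%` the script carries on and every later webroot challenge fails with a far less obvious error. A one-line guard keeps the failure next to its cause: `nginx -c /etc/nginx/nginx-temp.conf || echo "[!] temporary nginx failed to start, Let's Encrypt challenges will fail" >&2`. A comment noting that this instance inherits the caller's privileges and is only torn down by the `nginx -s quit` in the hunk at `@ -64,6 +64,9 @@` would also help, since nothing in this block says who stops it.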
@ -31,6 +37,48 @@ else
|
|||
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
|
||||
fi
|
||||
|
||||
# setup default server block if multisite
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" "include /etc/nginx/multisite-default-server.conf;"
|
||||
if [ "$(has_value LISTEN_HTTP yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" ""
|
||||
fi
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-default-server-https.conf;"
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
|
||||
if [ "$(has_value HTTP2 yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
|
||||
if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" ""
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
|
||||
fi
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" ""
|
||||
fi
|
||||
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
|
||||
# custom log format
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LOG_FORMAT%" "$LOG_FORMAT"
|
||||
|
||||
|
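Review bot: `if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ]` expands `$HTTPS_PROTOCOLS` unquoted and uses an unescaped `.` in the pattern; `if echo "$HTTPS_PROTOCOLS" | grep -q 'TLSv1\.2' ; then` is the idiomatic form and drops the subshell string compare. Style-wise, the forty-odd lines that fill `%HTTPS_PORT%`, `%HTTP2%`, `%HTTPS_PROTOCOLS%`, `%SSL_DHPARAM%` and `%SSL_CIPHERS%` in `multisite-default-server-https.conf` are the same sequence the removed block at `@ -208,30 +256,9 @@` applied to `multisite-disable-default-server-https.conf`, so a helper taking the target file as its argument would stop the two copies from drifting. Both points are carried over from the code this hunk moves rather than introduced by it.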
@ -49,7 +97,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
|||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
|
||||
if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
|
||||
echo "[*] Performing Let's Encrypt challenge for $SERVER_NAME ..."
|
||||
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
|
||||
/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
fi
|
||||
echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
|
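Review bot: the exit status of `/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"` is ignored, and that script's own last command is a `find` (hunk `@ -0,0 +1,9 @@`), so a failed challenge is invisible here and the run goes on to point nginx at a `/etc/letsencrypt/live/.../fullchain.pem` that does not exist. Checking the call, `/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT" || echo "[!] Let's Encrypt challenge failed for $FIRST_SERVER_NAME" >&2`, keeps the failure next to its cause once certbot-new.sh propagates certbot's status. The same applies to the call in the hunk at `@ -322,20 +325,23 @@`.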
@ -208,30 +256,9 @@ replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
|
|||
|
||||
# disable default site
|
||||
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-disable-default-server-https.conf;"
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
|
||||
if [ "$(has_value HTTP2 yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
|
||||
if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" ""
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" ""
|
||||
fi
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
|
||||
# fail2ban setup
|
||||
|
|
|
@ -22,6 +22,9 @@ if [ "$MULTISITE" = "yes" ] ; then
|
|||
ROOT_FOLDER="${ROOT_FOLDER}/$1"
|
||||
fi
|
||||
|
||||
# generate Let's Encrypt certificate before copying configs
|
||||
# in case we are in autoconf mode and nginx is already running
|
||||
|
||||
# copy stub confs
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
mkdir "$NGINX_PREFIX"
|
||||
|
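Review bot: the added comment `# generate Let's Encrypt certificate before copying configs` / `# in case we are in autoconf mode and nginx is already running` is followed only by a blank line and then `# copy stub confs`; no certificate generation happens at this point, and the only `certbot-new.sh` call visible for what appears to be the same file (both hunks use `$NGINX_PREFIX`) sits in the later hunk at `@ -322,20 +325,23 @@`, after the configs are copied. Either the intended call was dropped or the comment is a leftover; as it stands it describes an ordering the code does not implement, so it should be removed or the call moved under it.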
@ -138,7 +141,7 @@ if [ "$REMOTE_PHP" != "" ] ; then
|
|||
replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf
|
||||
cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf && chown root:nginx ${NGINX_PREFIX}fastcgi.conf
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
|
||||
else
|
||||
|
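Review bot: `cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf && chown root:nginx ${NGINX_PREFIX}fastcgi.conf` leaves both `${NGINX_PREFIX}` expansions unquoted while `mkdir "$NGINX_PREFIX"` in the earlier hunk of this file quotes it, and the prefix is derived from the site argument `$1`. `cp /etc/nginx/fastcgi.conf "${NGINX_PREFIX}fastcgi.conf" && chown root:nginx "${NGINX_PREFIX}fastcgi.conf"` matches the rest of the script; a failed cp is still skipped silently, which may be intentional but deserves a comment if so.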
@ -322,20 +325,23 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
|
|||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
else
|
||||
FIRST_SERVER_NAME="$1"
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}"
|
||||
if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ] ; then
|
||||
echo "[*] Performing Let's Encrypt challenge for $1 ..."
|
||||
certbot certonly --standalone -n --preferred-challenges http -d "$1" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}"
|
||||
/opt/scripts/certbot-new.sh "$1" "$EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
|
||||
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
location / {
|
||||
proxy_pass http://myapp3:3000;
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
location / {
|
||||
proxy_pass http://mytomcat:8080/sample;
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/sh
|
||||
|
||||
# generate certificate
|
||||
certbot certonly --webroot -w /acme-challenge -n -d "$1" --email "$2" --agree-tos
|
||||
|
||||
# fix rights
|
||||
chown -R root:nginx /etc/letsencrypt
|
||||
chmod -R 740 /etc/letsencrypt
|
||||
find /etc/letsencrypt -type d -exec chmod 750 {} \;
|
|
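Review bot: the script's exit status is that of the final `find`, not of `certbot certonly`, so a failed challenge returns 0 to both callers on this page and they proceed as if a certificate existed. Add `rc=$?` immediately after the certbot line and `exit "$rc"` after the `find`, so the rights fix still runs but the caller learns the outcome. The `chmod -R 740 /etc/letsencrypt` also makes the private keys group-readable, which is required because the entrypoint runs nginx unprivileged via `su -s "/usr/sbin/nginx" nginx`; a comment such as `# group-readable on purpose: nginx master runs as user nginx` would stop a later hardening pass from reverting it.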
@ -1,30 +1,9 @@
|
|||
#!/bin/sh
|
||||
|
||||
function replace_in_file() {
|
||||
# escape slashes
|
||||
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
|
||||
replace=$(echo "$3" | sed "s/\//\\\\\//g")
|
||||
sed -i "s/$pattern/$replace/g" "$1"
|
||||
}
|
||||
|
||||
# disable HTTP
|
||||
servers="$(find /etc/nginx -name server.conf)"
|
||||
for f in $servers ; do
|
||||
replace_in_file "$f" "listen" "#listen"
|
||||
done
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
sleep 10
|
||||
fi
|
||||
|
||||
# ask a new certificate if needed
|
||||
# ask new certificates if needed
|
||||
certbot renew
|
||||
|
||||
# enable HTTP again
|
||||
for f in $servers ; do
|
||||
replace_in_file "$f" "#listen" "listen"
|
||||
done
|
||||
|
||||
# fix rights
|
||||
chown -R root:nginx /etc/letsencrypt
|
||||
chmod -R 740 /etc/letsencrypt
|
||||
find /etc/letsencrypt -type d -exec chmod 750 {} \;
|
||||
|
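Review bot: after `certbot renew` nothing signals the running nginx, so a renewed certificate is not served until the container restarts; the removed lines used to issue `/usr/sbin/nginx -s reload`, and this rewrite drops that together with the listen toggling. The cron entry installs this script in `/etc/crontabs/root` and the server writes `/tmp/nginx.pid`, so an explicit `[ -f /tmp/nginx.pid ] && /usr/sbin/nginx -s reload` placed after the rights fix (the renewed key must be group-readable before the reload) restores it. Whether the real instance's `pid` directive matches that path cannot be confirmed from this page.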
|