
More improvements to creating SSL certs with LE;

HucSte 2 years ago
parent
commit
c8a4cbe948
11 changed files with 213 additions and 92 deletions
  1. 2 2
      README.md
  2. 1 1
      TODO
  3. 5 1
      config/mssg
  4. 1 0
      launcher
  5. 1 0
      samples/cfg.ini
  6. 2 2
      samples/headers.cfg
  7. 1 1
      samples/ssl.cfg
  8. 3 77
      scripts/create_vhosts
  9. 99 0
      scripts/mng_headers
  10. 97 7
      scripts/mng_ssl
  11. 1 1
      scripts/system

+ 2 - 2
README.md

@@ -203,8 +203,8 @@ Le script vous demandera lors de la création de domaine si vous voulez utiliser
 Si le projet [MySecureShell][3] est installé et actif, le script va tenter de modifier
  la configuration lié à l'utilisateur système du $domain pour que son shell soit
  géré par MSS. <br />
- _Ce script n'installe pas et ne configure pas MSS.  C'est à vous de le faire,
- avant, si besoin._
+ **Ce script n'installe pas et ne configure pas MSS.  C'est à vous de le faire,
+ avant, si besoin.**
 
 Si l'outil [SSLH][4] est installé, avant, et détecté lors de la création du $domain,
  le script modifiera un des fichiers de config nginx lié au $domain, pour que la

+ 1 - 1
TODO

@@ -1,6 +1,6 @@
 => Let's Encrypt:  Y|N? OK!
 (see explains below...)
-- manage_ssl: detect if letsencrypt client exists. OK!
+Create User LE!
 
 => Perishable Press: Y|N?
 

+ 5 - 1
config/mssg

@@ -13,11 +13,13 @@ mssg_ask_domain="Quel nom de domaine ? "
 mssg_ask_email_letsencrypt="Veuillez écrire un email de contact ? (nécessaire pour le script lié à Let'sEncrypt) : "
 mssg_ask_fpm_server_min="Combien de serveurs FPM, au minimum, voulez-vous ?"
 mssg_ask_fpm_server_max="Combien de serveurs FPM, au maximum, voulez-vous ?"
+mssg_ask_get_certs_letsencrypt="Voulez-vous essayer de générer de véritables certificats avec Let's Encrypt ? "
 mssg_ask_git_install_letsencrypt="Voulez-vous installer Let's Encrypt à partir de son dépôt Git ? "
 mssg_ask_group_exists="À quel groupe existant, voulez-vous l'ajouter ? "
 mssg_ask_header_csp="Voulez-vous gèrer les entêtes HTTP CSP - Content Security Policy ? \n ATTENTION : Cela peut bloquer l'accès à vos ressources CSS, JS, etc ..."
 mssg_ask_header_frame="Voulez-vous gèrer les entêtes HTTP Frame ? (Frame && X-Frame) "
 mssg_ask_header_report_uri="HTTP::CSP: Avez-vous une url de rapport ? (report_uri) : "
+mssg_ask_header_sts="Voulez-vous gérer les entêtes HTTP STS - Strict Transport Secrutity ? \n À utiliser, avec HTTPS ... préférer l'utilisation ! "
 mssg_ask_id="Avec quel ID voulez-vous pouvoir vous connecter ? "
 mssg_ask_limit_conn="Voulez-vous limiter le nombre de connexions autorisées, en même temps, à partir d'une adresse ip ? "
 mssg_ask_log_php="Voulez-vous journaliser les erreurs PHP ?"
@@ -27,7 +29,9 @@ mssg_ask_restart_ok="Est-ce que le serveur a redémarré correctement ? "
 mssg_ask_sure_mng_domain="Etes-vous sûr de vouloir gèrer ce domaine '%s' ? "
 mssg_ask_test_cfg="Voulez-vous tester la config du serveur ? "
 mssg_ask_test_cfg_ok="Est-ce que que la config du serveur semble correcte ? "
-mssg_ask_test_letsencrypt="Est-ce que le test de création des certificats Let's Encrypt est correct ? "
+mssg_ask_test_letsencrypt="Voulez-vous générer des certificats de test par Let's Encrypt ? "
+mssg_ask_test_letsencrypt_ok="Est-ce que le TEST de création des certificats Let's Encrypt est correct ? "
+mssg_ask_letsencrypt_certs_ok="Est-ce que la création des certificats Let's Encrypt est correct ? "
 mssg_ask_unprotect_ssl_key="Voulez-vous déprotéger la clé SSL du serveur, pour que le serveur web puisse redémarrer automatiquement, tout seul ?"
 mssg_ask_use_letsencrypt="Voulez-vous utiliser les services de Let's Encrypt ? "
 mssg_ask_use_name_default="Voulez-vous utiliser le nom utilisateur : "
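Review bot: `Secrutity` in the new `mssg_ask_header_sts` string in the first hunk is a typo for `Security`; since this is the prompt operators read before enabling HSTS, it should read `Strict Transport Security`. In the second hunk, `mssg_ask_letsencrypt_certs_ok` ends in `est correct` where the subject `la création` takes `correcte`.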

+ 1 - 0
launcher

@@ -64,6 +64,7 @@ function launcher() {
         . "${pwd}/scripts/create_vhosts"
         . "${pwd}/scripts/mng_ssl"
         . "${pwd}/scripts/mng_ssh"
+        . "${pwd}/scripts/mng_headers"
         create_vhost
 
     else

+ 1 - 0
samples/cfg.ini

@@ -6,6 +6,7 @@ user=user
 le_client=letsencrypt
 le_cmd=/usr/bin/letsencrypt
 le_file_cfg=none
+le_test=false
 
 [ssl]
 ssl_algo=rsa

+ 2 - 2
samples/headers.cfg

@@ -30,8 +30,8 @@ add_header Access-Control-Allow-Origin "$domain" always;
 #add_header Public-Key-Pins "pin-sha256='X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=';pin-sha256='MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=';pin-sha256='isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=';includeSubdomains; max-age=2592000" always;
 ## HTTP STS - Strict Transport Security; use 'includeSubdomains' 2 manage subdomains.
 ## HTTP STS - Strict Transport Security: 31536000 == 1Y!
-#add_header Strict-Transport-Security "max-age=$ssl_long_seconds; preload" always;
-##add_header Strict-Transport-Security "max-age=$ssl_long_seconds; includeSubdomains; preload" always;
+#add_header Strict-Transport-Security "max-age=$ssl_seconds; preload" always;
+##add_header Strict-Transport-Security "max-age=$ssl_seconds; includeSubdomains; preload" always;
 # manage X-Content-Type-Options: only one option "nosniff"
 add_header X-Content-Type-Options "nosniff" always;
 # manage X-Download-Options

+ 1 - 1
samples/ssl.cfg

@@ -19,7 +19,7 @@ ssl_ciphers 'ECDH:DH:AES:!aNULL:!eNULL:!NULL:!DES:!3DES:!DSS:!EXPORT:!LOW:!MEDIU
 
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
-ssl_session_ticket_key $file_tk;
+#ssl_session_ticket_key $file_tk;
 ssl_session_timeout 24h;
 
 ssl_stapling on;

+ 3 - 77
scripts/create_vhosts

@@ -53,12 +53,12 @@ function create_vhost() {
 
     limit_connections
 
-    modif_headers
+    mng_create_headers
 
     use_php
 
     # redirections
-    printf "\n${mssg_menu_redirect_301} \n"
+    display_mssg "" "${mssg_menu_redirect_301}"
     use_301_to_www
     use_301_from_www
 
@@ -78,7 +78,7 @@ function create_vhost() {
     chmod_system
     enable_domain
 
-    printf "\n ${mssg_create_final} \n"
+    display_mssg ""  "${mssg_create_final}"
 
     }
 
@@ -212,80 +212,6 @@ function manage_returns_errors() {
 
 }
 
-function modif_headers() {
-
-    echo "=> Manage headers!"
-
-    if [[ -f "${dir_domain_nginx_cfg}/headers.cfg" ]]; then
-        sed -i -e "s#\$domain#$domain#g" "${dir_domain_nginx_cfg}/headers.cfg"
-
-        # mng CSP
-        if confirm "${mssg_ask_header_csp}"; then
-            sed -i -e "s/#add_header Content-Security-Policy\(.*\)/add_header Content-Security-Policy\1/" "${dir_domain_nginx_cfg}/headers.cfg"
-
-            # mng CSP report uri
-            if confirm "${mssg_ask_header_report_uri}"; then
-                echo "${mssg_ask_report_uri}"
-                read uri
-
-                if [ -n "${uri}" ]; then
-                    sed -i -e "s#\$report-uri#report-uri $uri#g" "${dir_domain_nginx_cfg}/headers.cfg"
-                else
-                    sed -i -e "s#; \$report-uri;#;#g" "${dir_domain_nginx_cfg}/headers.cfg"
-                fi
-
-            else
-
-                sed -i -e "s#; \$report-uri;#;#g" "${dir_domain_nginx_cfg}/headers.cfg"
-
-            fi
-
-            display_mssg "OK" "modif" "${dir_domain_nginx_cfg}/headers.cfg"
-
-        fi
-
-        # mng Frame
-        if confirm "${mssg_ask_header_frame}"; then
-            sed -i -e "s/#add_header \(.*\)Frame-Options\(.*\)/add_header \1Frame-Options\2/g" "${dir_domain_nginx_cfg}/headers.cfg"
-
-            printf "\n${mssg_menu_header_frame}\n"
-            PS3="${mssg_make_choice}"
-            options=("REFUS" "MEME_ORIGIN" "ALLOUER")
-            select option in "${options[@]}"; do
-                choice="$REPLY"
-                case "${choice}" in
-                    1) frame_option="DENY"; frame_ancestor="block"; break ;;
-                    2) frame_option="SAMEORIGIN"; frame_ancestor="self"; break;;
-                    3)
-                        echo "${mssg_write_url}"
-                        read url
-                        frame_option="ALLOW-FROM ${url}"
-                        frame_ancestor="all"
-
-                        unset url
-                        break
-                    ;;
-                    #*)
-                        #display_mssg "KO" "nonexistent_choice"
-                        #manage_user
-                    #;;
-                esac
-            done
-
-            sed -i -e "s#\(.*\)frame-ancestors 'self'\;\(.*\)#\1frame-ancestors '${frame_ancestor}'\;\2#g" "${dir_domain_nginx_cfg}/headers.cfg"
-            sed -i -e "s/add_header \(.*\)Frame-Options \"DENY\" always;/add_header \1Frame-Options \"${frame_option}\" always;/g" "${dir_domain_nginx_cfg}/headers.cfg"
-
-            unset frame_option frame_ancestor
-        fi
-
-    else
-
-        display_mssg "KO" "modif" "${dir_domain_nginx_cfg}/headers.cfg"
-
-    fi
-
-    }
-
 function use_301_from_www() {
 
 

+ 99 - 0
scripts/mng_headers

@@ -0,0 +1,99 @@
+#!/bin/bash
+#set -x
+
+if ! ${EXEC}; then exit; fi
+
+##########
+### Functions
+##########
+
+function mng_create_headers() {
+
+    display_mssg "" "=> Manage headers!"
+
+    if [[ -f "${dir_domain_nginx_cfg}/headers.cfg" ]]; then
+        sed -i -e "s#\$domain#$domain#g" "${dir_domain_nginx_cfg}/headers.cfg"
+
+        # mng CSP
+        if confirm "${mssg_ask_header_csp}"; then
+            sed -i -e "s/#add_header Content-Security-Policy\(.*\)/add_header Content-Security-Policy\1/" "${dir_domain_nginx_cfg}/headers.cfg"
+
+            # mng CSP report uri
+            if confirm "${mssg_ask_header_report_uri}"; then
+                echo "${mssg_ask_report_uri}"
+                read uri
+
+                if [ -n "${uri}" ]; then
+                    sed -i -e "s#\$report-uri#report-uri $uri#g" "${dir_domain_nginx_cfg}/headers.cfg"
+                else
+                    sed -i -e "s#; \$report-uri;#;#g" "${dir_domain_nginx_cfg}/headers.cfg"
+                fi
+
+            else
+
+                sed -i -e "s#; \$report-uri;#;#g" "${dir_domain_nginx_cfg}/headers.cfg"
+
+            fi
+
+            display_mssg "OK" "modif" "${dir_domain_nginx_cfg}/headers.cfg"
+
+        fi
+
+        # mng Frame
+        if confirm "${mssg_ask_header_frame}"; then
+            sed -i -e "s/#add_header \(.*\)Frame-Options\(.*\)/add_header \1Frame-Options\2/g" "${dir_domain_nginx_cfg}/headers.cfg"
+
+            printf "\n${mssg_menu_header_frame}\n"
+            PS3="${mssg_make_choice}"
+            options=("REFUS" "MEME_ORIGIN" "ALLOUER")
+            select option in "${options[@]}"; do
+                choice="$REPLY"
+                case "${choice}" in
+                    1) frame_option="DENY"; frame_ancestor="block"; break ;;
+                    2) frame_option="SAMEORIGIN"; frame_ancestor="self"; break;;
+                    3)
+                        echo "${mssg_write_url}"
+                        read url
+                        frame_option="ALLOW-FROM ${url}"
+                        frame_ancestor="all"
+
+                        unset url
+                        break
+                    ;;
+                    #*)
+                        #display_mssg "KO" "nonexistent_choice"
+                        #manage_user
+                    #;;
+                esac
+            done
+
+            sed -i -e "s#\(.*\)frame-ancestors 'self'\;\(.*\)#\1frame-ancestors '${frame_ancestor}'\;\2#g" "${dir_domain_nginx_cfg}/headers.cfg"
+            sed -i -e "s/add_header \(.*\)Frame-Options \"DENY\" always;/add_header \1Frame-Options \"${frame_option}\" always;/g" "${dir_domain_nginx_cfg}/headers.cfg"
+
+            unset frame_option frame_ancestor
+        fi
+
+    else
+
+        display_mssg "KO" "modif" "${dir_domain_nginx_cfg}/headers.cfg"
+
+    fi
+
+    }
+
+function mng_ssl_headers() {
+
+    display_mssg "" "=> Manage headers!"
+
+    if [[ -f "${dir_domain_nginx_cfg}/headers.cfg" ]]; then
+
+        # mng HTTP STS
+        if sed -i -e "s/#add_header Strict-Transport-Security \"max-age=\$ssl_seconds; preload\" always\;/add_header Strict-Transport-Security \"max-age=${ssl_seconds}; preload\" always\;/" "${dir_domain_nginx_cfg}/headers.cfg"; then
+            display_mssg "OK" "modif" "${dir_domain_nginx_cfg}/headers.cfg"
+        else
+            display_mssg "KO" "modif" "${dir_domain_nginx_cfg}/headers.cfg"
+        fi
+
+    fi
+
+    }

+ 97 - 7
scripts/mng_ssl

@@ -223,6 +223,60 @@ function letsencrypt_cfg_domains() {
 
 }
 
+function letsencrypt_del_fake_certs() {
+
+    if [[ "$(get_cfg_site "le_test")" == "true" ]]; then
+
+        case "${letsencrypt_client}" in
+            "letsencrypt")
+                if rm -rf /etc/letsencrypt/archive/${domain}; then
+                    display_mssg "OK" "del_dir" "/etc/letsencrypt/archive/${domain}"
+                else
+                    display_mssg "KO" "del_dir" "/etc/letsencrypt/archive/${domain}"
+                fi
+                if rm -rf /etc/letsencrypt/live/${domain}; then
+                    display_mssg "OK" "del_dir" "/etc/letsencrypt/live/${domain}"
+                else
+                    display_mssg "KO" "del_dir" "/etc/letsencrypt/live/${domain}"
+                fi
+                if rm -rf /etc/letsencrypt/renewal/${domain}.conf; then
+                    display_mssg "OK" "del_file" "/etc/letsencrypt/renewal/${domain}.conf"
+                else
+                    display_mssg "KO" "del_file" "/etc/letsencrypt/renewal/${domain}.conf"
+                fi
+            ;;
+            "Lukas")
+                if rm -rf /opt/letsencrypt.sh/certs/${domain}; then
+                    display_mssg "OK" "del_dir" "/opt/letsencrypt.sh/certs/${domain}"
+                else
+                    display_mssg "KO" "del_dir" "/opt/letsencrypt.sh/certs/${domain}"
+                fi
+            ;;
+            "Neilpang")
+                if rm -rf "${dir_domain_ssl}"; then
+                    display_mssg "OK" "del_dir" "${dir_domain_ssl}"
+                else
+                    display_mssg "KO" "del_dir" "${dir_domain_ssl}"
+                fi
+                # attempt to recreate dir
+                if mkdir -p "${dir_domain_ssl}"; then
+                    display_mssg "OK" "dir" "${dir_domain_ssl}"
+                else
+                    display_mssg "KO" "dir" "${dir_domain_ssl}"
+                fi
+            ;;
+        esac
+
+        if sed -i -e "s#le_test=true#le_test=false#" "${file_cfg_site}"; then
+            display_mssg "OK" "modif" "${file_cfg_site}"
+        else
+            display_mssg "KO" "modif" "${file_cfg_site}"
+        fi
+
+    fi
+
+}
+
 function letsencrypt_get_certs() {
 
     display_mssg "" "${mssg_menu_LE_certs}"
@@ -312,8 +366,20 @@ function letsencrypt_install() {
     [ ${letsencrypt_exists} -eq 0 ] && letsencrypt_git_install
 
     if [ ! -d "${dir_domain_web_challenge}" ]; then
-        mkdir -p "${dir_domain_web_challenge}"
-        cp -r "${dir_samples}/index.html" "${dir_domain_web_challenge}"
+        if mkdir -p "${dir_domain_web_challenge}"; then
+            display_mssg "OK" "dir" "${dir_domain_web_challenge}"
+            chown -R "${user}":"${group}" "${dir_domain_web_challenge}"
+            chmod 0755 -R "${dir_domain_web_challenge}"
+        else
+            display_mssg "K0" "dir" "${dir_domain_web_challenge}"
+        fi
+    fi
+    if [ ! -f "${dir_domain_web_challenge}/index.html" ]; then
+        if cp "${dir_samples}/index.html" "${dir_domain_web_challenge}"; then
+            display_mssg "OK" "cp_files" "${dir_samples}/index.html"
+        else
+            display_mssg "K0" "cp_files" "${dir_samples}/index.html"
+        fi
     fi
 
     if sed -i -e "s#ssl_use=\(.*\)#ssl_use=1#;s#ssl_CA=\(.*\)#ssl_CA=letsencrypt#;s#le_client=letsencrypt#le_client=${letsencrypt_client}#;s#le_cmd=\(.*\)#le_cmd=${letsencrypt_cmd}#" "${file_cfg_site}"; then
@@ -407,6 +473,12 @@ function letsencrypt_test_certs() {
         ;;
     esac
 
+    if sed -i -e "s#le_test=\(.*\)#le_test=true#" "${file_cfg_site}"; then
+        display_mssg "OK" "modif" "${file_cfg_site}"
+    else
+        display_mssg "KO" "modif" "${file_cfg_site}"
+    fi
+
     }
 
 function letsencrypt_test_clients() {
@@ -426,8 +498,8 @@ function letsencrypt_test_clients() {
             if get_LE_cmd "${letsencrypt_scripts["${name}"]}"; then
                 display_mssg "OK" "le_cmd_exists" "${letsencrypt_descriptions["${name}"]}"
                 letsencrypt_cmds+=("${name}")
-            else
-                display_mssg "KO" "le_cmd_exists" "${letsencrypt_descriptions["${name}"]}"
+            #else
+                #display_mssg "KO" "le_cmd_exists" "${letsencrypt_descriptions["${name}"]}"
             fi
 
         done
@@ -453,6 +525,9 @@ function letsencrypt_test_clients() {
 
     fi
 
+    display_mssg "" "=> Let's Encrypt client: $letsencrypt_client"
+    display_mssg "" "=> Let's Encrypt cmd: $letsencrypt_cmd"
+
 }
 
 function make_certificate_chains() {
@@ -762,7 +837,7 @@ function use_ssl() {
             display_mssg "KO" "dir" "${dir_domain_ssl}"
         fi
 
-        if sed -i -e "s#\#include \(.*\)/well_known.cfg\;#include \1/well_known.cfg\;#g" "${file_domain}"; then
+        if sed -i -e "s#\#include \(.*\)/well_known.cfg\;#include \1/well_known.cfg\;#;s#include \(.*\)/hidden.cfg\;#\include \1/hidden.cfg\;#" "${file_domain}"; then
             display_mssg "OK" "modif" "${file_domain}"
         else
             display_mssg "KO" "modif" "${file_domain}"
@@ -780,12 +855,22 @@ function use_ssl() {
 
                     letsencrypt_install
                     letsencrypt_cfg
-                    letsencrypt_test_certs
 
                     if confirm "${mssg_ask_test_letsencrypt}"; then
+                        letsencrypt_test_certs
+
+                        confirm "${mssg_ask_test_letsencrypt_ok}" || {
+                            sed -i -e "s#ssl_use=1#ssl_use=0#" "${file_cfg_site}"
+                            stop
+                        }
+                    fi
+
+                    if confirm "${mssg_ask_get_certs_letsencrypt}"; then
+                        letsencrypt_del_fake_certs
                         letsencrypt_get_certs
-                        letsencrypt_ln_certs
+                        confirm "${mssg_ask_letsencrypt_certs_ok}" && letsencrypt_ln_certs || stop
                     else
+                        sed -i -e "s#ssl_use=\(.*\))#ssl_use=0#" "${file_cfg_site}"
                         stop
                     fi
 
@@ -797,6 +882,11 @@ function use_ssl() {
                     ssl_others # this is not verify: -I'm not really sure that's run, and funny!
                 fi
 
+                if confirm "${mssg_ask_header_sts}"; then
+                    . "${pwd}/scripts/mng_headers"
+                    mng_ssl_headers
+                fi
+
                 if sed -i -e "s/#//g;s#listen 443 \(.*\)#\#listen 443 \1#;s#listen [::]:443 \(.*\)#\#listen [::]:443 \1#" "${dir_domain_nginx_cfg}/port_https.cfg"; then
                     display_mssg "OK" "modif" "${dir_domain_nginx_cfg}/port_https.cfg"
                 else
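Review bot: In letsencrypt_del_fake_certs (first hunk of this section) the `rm -rf /etc/letsencrypt/archive/${domain}`, `/live/${domain}` and `/renewal/${domain}.conf` paths are unquoted and nothing checks that `${domain}` is set, so an empty or unset `domain` removes the whole archive and live directories for every certificate on the host. Guard the function before the `case` with `[[ -n "${domain}" ]] || { display_mssg "KO" "del_dir" "/etc/letsencrypt/live/"; return 1; }` and quote each path (`rm -rf "/etc/letsencrypt/archive/${domain}"`); `rm -f` is enough for the `.conf` file. In the use_ssl hunk, `s#ssl_use=\(.*\))#ssl_use=0#` has a stray `)` in the pattern, so the decline path never resets `ssl_use`, while the sibling line a few lines above uses `s#ssl_use=1#ssl_use=0#`; the two should match. The `display_mssg "K0" ...` calls in the letsencrypt_install hunk spell the status with a zero instead of `KO`, which a status lookup keyed on `KO` presumably will not recognise.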

+ 1 - 1
scripts/system

@@ -688,7 +688,7 @@ function set_variables() {
     dir_domain_php_sessions="${dir_domain}${dir_php_sessions}"
     dir_domain_ssl="${dir_domain}/etc/ssl"
     dir_domain_web="${dir_domain}/www"
-    dir_domain_web_challenge="${dir_domain}/${dir_challenge}"
+    dir_domain_web_challenge="${dir_domain_web}/${dir_challenge}"
 
     dir_htaccess="${dir_domain}/${dir_htaccess}"
     dir_ssl_cert_domain="${dir_ssl_certs}/${domain}"