Matt Lyons-Wood lyonzy
catchdave
/ replace_synology_ssl_certs.sh
Last active
May 10, 2024 22:46
CLI script to programmatically replace SSL certs on Synology NAS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # *** For DSM v7.x *** | |
| # | |
| # How to use this script: | |
| # 1. Get your 3 PEM files ready to copy over from your local machine/update server (privkey.pem, fullchain.pem, cert.pem) | |
| # and put into a directory (this will be $CERT_DIRECTORY). | |
| # Personally, I use this script (https://gist.github.com/catchdave/3f6f412bbf0f0cec32469fb0c9747295) to automate steps 1 & 4. | |
| # 2. Ensure you have a user setup on synology that has ssh access (and ssh access is setup). | |
| # This user will need to be able to sudo as root (i.e. add this line to sudoers, <USER> is the user you create): |
mrgarymartin
/ firewall.sh
Created
February 23, 2018 20:35
Updated version to whitelist all cloudflare ips in firewalld
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| #https://techstat.net/automatic-whitelist-cloudflare-ips-firewalld-bash-script-via-cron-job/ | |
| SERVER_IP=xxx.xxx.xxx.xxx | |
| for i in $(curl "https://www.cloudflare.com/ips-v4"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=80 protocol=tcp accept'; done | |
| for i in $(curl "https://www.cloudflare.com/ips-v4"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=443 protocol=tcp accept'; done | |
| for i in $(curl "https://www.cloudflare.com/ips-v6"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv6" source address="'$i'" port port=80 protocol=tcp accept'; done | |
| for i in $(curl "https://www.cloudflare.com/ips-v6"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv6" source address="'$i'" port port=443 protocol=tcp accept'; done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Based on a template iptables config file, create a new | |
| # iptables file that includes whitelist rules for CloudFlare's | |
| # servers to connect to our HTTP and HTTPS ports. This is useful | |
| # if you want to really lock down your web server so that it only | |
| # communicates with cloudflare's servers, not with the general public. | |
| # It works like this: | |
| # * Get an up-to-date list of CloudFlare's server IPs | |
| # * Read in config template from /etc/sysconfig/iptables.template | |
| # * Output an iptables configuration file /etc/sysconfig/iptables |