@Nicholas-Wilson-YourIoT
Last active December 19, 2018 23:44
This is to enable Let's Encrypt on Ursalink VPN
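#!/usr/bin/env bash
#
# Puts an nginx HTTPS reverse proxy with a Let's Encrypt certificate in front of an
# Ursalink VPN appliance that serves https://localhost:18443.
#
# It is written and tested for Ubuntu 16.04 on Binary Lane using a $4/month Linux VPS.
#
# It does the following:
# 1) Updates everything and installs all requirements
# 2) Uses Certbot to request a Lets Encrypt Certificate
# 3) Builds a HTTPS proxy to use proper certificates
# 4) Writes out an automatic renewal cron for Lets Encrypt (as the certs expire every 3 months)
#
# Requirements:
# - run as root: the script installs packages and writes under /etc
# - the domain's DNS must already point at this host and TCP port 80 must be reachable from
#   the internet, because certbot answers the http-01 challenge on port 80 in standalone mode
# - interactive: it prompts for the domain name and the contact e-mail address
#
# I recommend running it from /opt on your server. In my installation I called it 'le-urvpn.sh'
# Run it with the following:
# bash /opt/le-urvpn.sh
#
# Alternatively you can make it executable and run it without specifying bash, but this is a one
# time script, so it seems unnecessary. (The script uses bash features such as ${var,,} and
# [[ ]], hence the bash shebang rather than /bin/sh.)
#
# Built based on these resources below:
# https://gist.github.com/hisnameisjimmy/56f9414076ca39a79bfa07eefa89759e
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
# PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
# OR OTHER DEALINGS IN THE SOFTWARE.
#

# Abort on the first failing step and on unset variables: every step below depends on the
# previous one having succeeded (packages -> certificate -> nginx config -> cron).
set -eu

readonly RED=$'\033[0;31m'
readonly CYAN=$'\033[0;36m'
readonly NC=$'\033[0m'

# Filled in by gather_params; used by the certificate request and the nginx config.
NAME=
EMAIL=

#######################################
# Print a coloured status line to stdout.
# Arguments: message words
#######################################
info() {
  printf '%s%s%s\n' "$CYAN" "$*" "$NC"
}

#######################################
# Print a coloured error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s%s%s\n' "$RED" "$*" "$NC" >&2
  exit 1
}

#######################################
# Ask for the domain name and e-mail address and have the operator confirm them.
# Both values are placed on the certbot command line and inside the nginx config file,
# so they are restricted to a conservative character set rather than interpolated verbatim.
# Globals:   NAME, EMAIL (written, lower-cased)
# Returns:   0 on confirmation; exits via die() on bad input or a negative answer
#######################################
gather_params() {
  local name email reply
  # Regexes are kept in variables so [[ =~ ]] does not try to glob-interpret them.
  local fqdn_re='^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
  local email_re='^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$'

  printf '%sEnter your domain name [my.fqdn.com]: %s' "$CYAN" "$NC"
  IFS= read -r name
  NAME=${name,,}
  [[ $NAME =~ $fqdn_re ]] \
    || die "'$NAME' does not look like a fully qualified domain name (letters, digits, '-' and '.' only)."

  printf '%sEnter your email address [somebody@somewhere.com]: %s' "$CYAN" "$NC"
  IFS= read -r email
  EMAIL=${email,,}
  [[ $EMAIL =~ $email_re ]] \
    || die "'$EMAIL' does not look like an e-mail address."

  echo "These parameters are used exclusively by LetsEncrypt to register your SSL certificate and provide notifications:"
  echo "Domain: $NAME"
  echo "E-Mail: $EMAIL"
  printf '%sDoes this look OK? [Y/N]: %s' "$CYAN" "$NC"
  read -r -n 1 reply
  echo # move to a new line after the single-key answer
  [[ $reply =~ ^[Yy]$ ]] || die "Please re-run $0 and re-enter the params."
}

#######################################
# Update the system and install nginx, certbot and their prerequisites.
# Uses the tools' own non-interactive flags instead of piping "y" into their prompts.
#######################################
install_packages() {
  info "Updating and installing relevant packages"
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get -y upgrade
  apt-get -y -f install
  apt-get -y install software-properties-common
  add-apt-repository -y universe
  add-apt-repository -y ppa:certbot/certbot
  apt-get update
  apt-get -y install nginx certbot
  # 4096-bit DH parameters take a long time on a small VPS; skip if they already exist.
  if [[ ! -s /etc/ssl/certs/dhparam.pem ]]; then
    openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  fi
}

#######################################
# Request the Let's Encrypt certificate non-interactively (-n) so nothing has to be agreed to
# by hand. certbot's standalone server needs port 80, so nginx is stopped around the request
# and restarted even when the request fails.
# Globals:   NAME, EMAIL (read)
#######################################
request_certificate() {
  info "Requesting Certificate for $NAME"
  service nginx stop
  if ! certbot -n certonly -d "$NAME" --standalone --agree-tos \
      --preferred-challenges http-01 --email "$EMAIL"; then
    service nginx start
    die "Certificate request for $NAME failed; nginx has been restarted with its previous configuration."
  fi
  service nginx start
}

#######################################
# Write the nginx reverse-proxy site and (re)start nginx.
# The heredoc is unquoted so $NAME is expanded by the shell; nginx's own variables are
# written as \$var so they survive into the file. The config is syntax-checked before start.
# Globals:   NAME (read)
#######################################
write_nginx_config() {
  info "Writing nginx proxy configuration"
  service nginx stop
  cat > /etc/nginx/sites-enabled/default <<EOF
server_tokens off;
server {
    listen 443 ssl default_server http2;
    server_name $NAME;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/$NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$NAME/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 300;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); OpenSSL on Ubuntu 16.04 has no TLS 1.3.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    # Stapling needs the issuer chain to verify responses; it also needs a 'resolver'
    # directive to fetch them, which is deliberately not guessed here.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$NAME/chain.pem;
    # add_header directives are not inherited from an outer level once this level defines
    # its own, so every security header is declared here exactly once.
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    error_log /var/log/nginx.log;
    proxy_cache off;
    proxy_store off;
    location / {
        proxy_set_header Referer "";
        # The appliance presents its own certificate on loopback; nginx does not verify
        # upstream certificates unless proxy_ssl_verify is enabled.
        proxy_pass https://localhost:18443;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
  nginx -t
  service nginx start
}

#######################################
# Install the automatic renewal job.
# certbot only renews within 30 days of expiry, so a daily check is the safe cadence; a
# monthly one leaves a single failed run as the difference between renewal and an expired
# certificate. The hooks stop nginx only while a renewal actually happens, because the
# standalone challenge needs port 80.
#######################################
write_renewal_cron() {
  local cron_file=/etc/cron.daily/le-urvpn-renew
  info "Writing Crontab for LetsEncrypt renewals to $cron_file"
  cat > "$cron_file" <<'EOF'
#!/bin/sh
certbot renew --standalone --preferred-challenges http-01 \
  --pre-hook "service nginx stop" --post-hook "service nginx start"
EOF
  chmod +x "$cron_file"
}

#######################################
# Entry point: run the four steps in order.
#######################################
main() {
  [[ "$(id -u)" -eq 0 ]] || die "This script must be run as root (it installs packages and writes under /etc)."
  gather_params
  install_packages
  request_certificate
  write_nginx_config
  write_renewal_cron
  printf '%s\n\n\n\nINSTALLATION COMPLETE! \n%s\n' "$CYAN" "$NC"
  info "If the bad gateway persists for longer than a couple minutes, try restarting the server"
}

main "$@"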