This script generate a yourdomain.conf in /etc/nginx/sites-enabled/ and generate a Let's Encrypt certificate with certbot (You have to install certbot manually!)
| #!/bin/bash | |
| # Shell script to add a subdomain to nginx with let's encrypt | |
| DOMAIN="" | |
| PROXY=false | |
| DOCROOT="/var/www/html/" | |
| function usage() | |
| { | |
| echo "This script generate a yourdomain.conf in /etc/nginx/sites-enabled/ and generate a Let's Encrypt certificate with certbot (You have to install certbot manually!)" | |
| echo "" | |
| echo "./add_domain.sh" | |
| echo "\t-h --help" | |
| echo "\t--domain=yourdomain.org" | |
| echo "\t--proxy=1 or 0" | |
| echo "\t--port=ProxyPort" | |
| echo "\t--docroot=/var/www/html/" | |
| echo "" | |
| } | |
| #root check (root is necessary for certbot) | |
| if (($EUID != 0)); then | |
| echo "Please run with sudo or run as root :)" | |
| exit | |
| fi | |
| while [ "$1" != "" ]; do | |
| PARAM=`echo $1 | awk -F= '{print $1}'` | |
| VALUE=`echo $1 | awk -F= '{print $2}'` | |
| case $PARAM in | |
| -h | --help) | |
| usage | |
| exit | |
| ;; | |
| --domain) | |
| DOMAIN=$VALUE | |
| ;; | |
| --proxy) | |
| PROXY=$VALUE | |
| ;; | |
| --port) | |
| PORT=$VALUE | |
| ;; | |
| --docroot) | |
| DOCROOT=$VALUE | |
| ;; | |
| *) | |
| echo "ERROR: unknown parameter \"$PARAM\"" | |
| usage | |
| exit 1 | |
| ;; | |
| esac | |
| shift | |
| done | |
| INTERNLOCATION="ERROR" | |
| if ((PROXY != 0)); then | |
| INTERNLOCATION=$(cat <<-END | |
| proxy_set_header X-Real-IP \$remote_addr; | |
| proxy_set_header Host \$host; | |
| proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; | |
| proxy_pass http://127.0.0.1:$PORT; | |
| END | |
| ) | |
| fi | |
| if ((PROXY != 1)); then | |
| INTERNLOCATION="root $DOCROOT;" | |
| fi | |
| echo "Running certbot for $DOMAIN...." | |
| certbot --nginx certonly -d $DOMAIN | |
| echo "Generate /etc/nginx/sites-enabled/$DOMAIN.conf...." | |
| cat > /etc/nginx/sites-enabled/$DOMAIN.conf <<DELIM | |
| ## http://$DOMAIN redirects to https://$DOMAIN | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name $DOMAIN www.$DOMAIN; | |
| location / { | |
| return 301 https://$DOMAIN$request_uri; | |
| } | |
| } | |
| ## https://www.$DOMAIN redirects to https://$DOMAIN | |
| server { | |
| listen 443 ssl http2; | |
| server_name www.$DOMAIN; | |
| ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; | |
| ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; | |
| include /etc/nginx/snippets/le.conf; | |
| location / { | |
| return 301 https://$DOMAIN$request_uri; | |
| } | |
| } | |
| ## Serves https://$DOMAIN | |
| server { | |
| server_name $DOMAIN; | |
| listen 443 ssl http2; | |
| ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; | |
| ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; | |
| include /etc/nginx/snippets/le.conf; | |
| location / { | |
| $INTERNLOCATION | |
| } | |
| } | |
| DELIM | |
| echo "Reloading nginx config...." | |
| sudo service nginx reload | |
| echo "Domain $DOMAIN successfully added!!" | |
| exit 1 |
| ssl_session_timeout 1d; | |
| ssl_session_cache shared:SSL:50m; | |
| ssl_session_tickets off; | |
| ssl_protocols TLSv1.2; | |
| ssl_ciphers EECDH+AESGCM:EECDH+AES; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_prefer_server_ciphers on; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; | |
| add_header X-Frame-Options SAMEORIGIN; | |
| add_header X-Content-Type-Options nosniff; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment