This script generates a yourdomain.conf in /etc/nginx/sites-enabled/ and requests a Let's Encrypt certificate for that domain with certbot (you have to install certbot manually). It must be run as root, because certbot needs root and the config file is written under /etc/nginx.
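#!/bin/bash
# Shell script to add a subdomain to nginx with let's encrypt
#
# Writes /etc/nginx/sites-enabled/<domain>.conf (HTTP -> HTTPS redirect,
# www -> apex redirect, and an HTTPS server that either serves a document
# root or proxies to a local port) and requests a Let's Encrypt certificate
# for <domain> with certbot. certbot has to be installed beforehand.
#
# Usage:
#   ./add_domain.sh --domain=yourdomain.org [--proxy=1|0] [--port=ProxyPort]
#                   [--docroot=/var/www/html/]
#
# Must run as root: certbot needs it and /etc/nginx is root-owned. Every
# option value ends up either in a root-written file name under /etc/nginx or
# inside nginx configuration syntax, so each one is validated before use
# (the original interpolated them unchecked: "--domain=../../x" would have
# written outside sites-enabled, and any value could inject directives).
set -euo pipefail

DOMAIN=""
PROXY=false                 # only the literal value 1 selects proxy mode (normalised below)
PORT=""
DOCROOT="/var/www/html/"
readonly SITES_DIR="/etc/nginx/sites-enabled"
readonly LE_SNIPPET="/etc/nginx/snippets/le.conf"
readonly LE_LIVE="/etc/letsencrypt/live"

# Print the help text to stdout. printf is used for the indented lines because
# plain echo does not interpret "\t" and printed it literally.
usage() {
  echo "This script generate a yourdomain.conf in /etc/nginx/sites-enabled/ and generate a Let's Encrypt certificate with certbot (You have to install certbot manually!)"
  echo ""
  echo "./add_domain.sh"
  printf '\t-h --help\n'
  printf '\t--domain=yourdomain.org\n'
  printf '\t--proxy=1 or 0\n'
  printf '\t--port=ProxyPort\n'
  printf '\t--docroot=/var/www/html/\n'
  echo ""
}

# Print an error to stderr and exit 1. The original exited 0 when not run as
# root and 1 after a successful run, so callers could not tell the outcome.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# root check (root is necessary for certbot and for writing under /etc/nginx)
if [[ "$EUID" -ne 0 ]]; then
  die "Please run with sudo or run as root :)"
fi

# --key=value parsing. Splitting on the first "=" (instead of awk on every
# "=") keeps values that themselves contain "=" intact; an option without
# "=value" yields an empty value.
while [[ $# -gt 0 ]]; do
  param=${1%%=*}
  if [[ "$1" == *=* ]]; then
    value=${1#*=}
  else
    value=""
  fi
  case "$param" in
    -h|--help)
      usage
      exit 0
      ;;
    --domain)  DOMAIN=$value ;;
    --proxy)   PROXY=$value ;;
    --port)    PORT=$value ;;
    --docroot) DOCROOT=$value ;;
    *)
      printf 'ERROR: unknown parameter "%s"\n' "$param" >&2
      usage >&2
      exit 1
      ;;
  esac
  shift
done

# --- input validation -------------------------------------------------------
# DOMAIN becomes a file name under $SITES_DIR and an nginx server_name, so it
# must be a plain hostname: dot-separated labels of letters, digits and
# hyphens, 1-63 chars each, no leading/trailing hyphen, at least one dot, at
# most 253 chars in total. This rules out path traversal ("..", "/") and nginx
# syntax (";", "{", "}", whitespace). Internationalised names must be given in
# their punycode (xn--) form.
[[ -n "$DOMAIN" ]] || die "--domain is required"
label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
if [[ ${#DOMAIN} -gt 253 || ! "$DOMAIN" =~ ^${label}(\.${label})+$ ]]; then
  die "--domain \"$DOMAIN\" is not a valid hostname"
fi

# PROXY: the original evaluated the raw value arithmetically, so only "1"
# ever selected the proxy branch and everything else (including the default
# "false") fell through to the document root. Make that explicit and reject
# anything else instead of silently serving files.
case "$PROXY" in
  1)          PROXY=1 ;;
  0|false|"") PROXY=0 ;;
  *)          die "--proxy must be 1 or 0 (got \"$PROXY\")" ;;
esac

if [[ "$PROXY" -eq 1 ]]; then
  # The port is interpolated into proxy_pass; accept a decimal 1-65535 only.
  # 10# forces base 10 so a leading zero is not read as octal.
  [[ "$PORT" =~ ^[0-9]{1,5}$ ]] || die "--port is required with --proxy=1 and must be numeric"
  if (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
    die "--port $PORT is out of range (1-65535)"
  fi
else
  # DOCROOT is interpolated unquoted into a "root ...;" directive: allow only
  # an absolute path built from ordinary file-name characters.
  if [[ ! "$DOCROOT" =~ ^/[A-Za-z0-9._/-]*$ ]]; then
    die "--docroot must be an absolute path without spaces or shell/nginx metacharacters"
  fi
  if [[ ! -d "$DOCROOT" ]]; then
    printf 'WARNING: docroot %s does not exist yet; requests will fail until it does\n' "$DOCROOT" >&2
  fi
fi

# --- prerequisites ----------------------------------------------------------
command -v certbot >/dev/null 2>&1 || die "certbot not found in PATH (install it first)"
command -v nginx >/dev/null 2>&1 || die "nginx not found in PATH"
[[ -d "$SITES_DIR" ]] || die "$SITES_DIR does not exist"
# The generated vhost includes this snippet; nginx -t would fail without it.
[[ -f "$LE_SNIPPET" ]] || die "$LE_SNIPPET is missing; the generated config includes it"

CONF="$SITES_DIR/$DOMAIN.conf"
# Never silently clobber an existing vhost.
if [[ -e "$CONF" ]]; then
  die "$CONF already exists; remove or rename it first"
fi

# Body of the "location /" block of the HTTPS server. nginx variables are
# written literally; only $PORT / $DOCROOT come from the command line.
INTERNLOCATION=""
if [[ "$PROXY" -eq 1 ]]; then
  INTERNLOCATION=$(printf '        %s\n' \
    'proxy_set_header X-Real-IP $remote_addr;' \
    'proxy_set_header Host $host;' \
    'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
    "proxy_pass http://127.0.0.1:${PORT};")
else
  INTERNLOCATION="        root $DOCROOT;"
fi

# --- certificate ------------------------------------------------------------
echo "Running certbot for $DOMAIN...."
# Abort before writing any nginx config if the certificate was not issued; the
# original carried on and reloaded nginx with ssl_certificate paths that did
# not exist.
certbot --nginx certonly -d "$DOMAIN" || die "certbot failed for $DOMAIN; no nginx config was written"
CERT_DIR="$LE_LIVE/$DOMAIN"
if [[ ! -f "$CERT_DIR/fullchain.pem" || ! -f "$CERT_DIR/privkey.pem" ]]; then
  die "certificate files not found under $CERT_DIR (certbot may have stored the lineage under another name)"
fi

# --- vhost ------------------------------------------------------------------
echo "Generate $CONF...."
# Unquoted heredoc: shell variables expand, so nginx's own $request_uri must
# be escaped (the original left it unescaped and produced "return 301
# https://domain;" with the path dropped). Both HTTPS servers also listen on
# [::]:443 so IPv6 clients redirected from [::]:80 can actually connect.
cat > "$CONF" <<DELIM
## http://$DOMAIN redirects to https://$DOMAIN
server {
    listen 80;
    listen [::]:80;
    server_name $DOMAIN www.$DOMAIN;
    location / {
        return 301 https://$DOMAIN\$request_uri;
    }
}
## https://www.$DOMAIN redirects to https://$DOMAIN
## NOTE: the certificate was requested for $DOMAIN only, so HTTPS clients of
## www.$DOMAIN will see a name mismatch until www.$DOMAIN is added to it
## (e.g. certbot --nginx certonly -d $DOMAIN -d www.$DOMAIN).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.$DOMAIN;
    ssl_certificate $CERT_DIR/fullchain.pem;
    ssl_certificate_key $CERT_DIR/privkey.pem;
    ssl_trusted_certificate $CERT_DIR/fullchain.pem;
    include $LE_SNIPPET;
    location / {
        return 301 https://$DOMAIN\$request_uri;
    }
}
## Serves https://$DOMAIN
server {
    server_name $DOMAIN;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate $CERT_DIR/fullchain.pem;
    ssl_certificate_key $CERT_DIR/privkey.pem;
    ssl_trusted_certificate $CERT_DIR/fullchain.pem;
    include $LE_SNIPPET;
    location / {
$INTERNLOCATION
    }
}
DELIM

# Validate the whole nginx configuration with the new file in place; on
# failure remove it again so a broken vhost does not poison the next reload
# or restart.
if ! nginx -t; then
  rm -f -- "$CONF"
  die "nginx rejected the configuration (new or pre-existing); $CONF was removed"
fi

echo "Reloading nginx config...."
# Already running as root (checked above), so no sudo needed.
service nginx reload || die "nginx reload failed"
echo "Domain $DOMAIN successfully added!!"
exit 0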
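# /etc/nginx/snippets/le.conf -- TLS and header settings included by every
# vhost that add_domain.sh generates. A change here applies to all of them.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Session tickets are off because nginx keeps one static ticket key for the
# lifetime of the process, which weakens forward secrecy for resumed sessions.
ssl_session_tickets off;
# TLS 1.3 added alongside 1.2. The TLSv1.3 token needs nginx >= 1.13.0 (older
# builds reject it -- run `nginx -t` after installing this file) and is only
# effective when nginx is linked against OpenSSL >= 1.1.1.
ssl_protocols TLSv1.2 TLSv1.3;
# Applies to TLS 1.2 only; TLS 1.3 suites are not selected through ssl_ciphers.
ssl_ciphers EECDH+AESGCM:EECDH+AES;
# Pinning a single curve may turn away clients that only offer X25519/P-256
# for key exchange; consider "X25519:secp384r1" once OpenSSL >= 1.1.0 is in use.
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
# OCSP stapling also needs a `resolver` directive so nginx can look up the
# OCSP responder host; if stapling does not work, look for "no resolver
# defined" in the error log.
ssl_stapling on;
ssl_stapling_verify on;
# HSTS with includeSubdomains + preload commits every subdomain of every
# domain that includes this snippet to HTTPS for ~6 months, and a preload-list
# submission is hard to undo. Drop "preload" unless you intend to submit.
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# NOTE: add_header is inherited only when the enclosing location/server has
# no add_header of its own; a location that adds one header drops all three
# above and must repeat them.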