Skip to content

Instantly share code, notes, and snippets.

@xorenio
Last active December 22, 2017 15:09
Show Gist options
  • Save xorenio/3ea57998d76075f271a821b6d7585bce to your computer and use it in GitHub Desktop.
Save xorenio/3ea57998d76075f271a821b6d7585bce to your computer and use it in GitHub Desktop.
Trying to automate nginx with SSL's
#!/bin/bash
# /home
## parts of this are sourced from
## http://clubmate.fi/how-to-make-an-nginx-server-block-manually-or-with-a-shell-script/
# Functions
ok() { echo -e '\e[32m'$1'\e[m'; } # Green
die() { echo -e '\e[1;31m'$1'\e[m'; exit 1; }
# Variables
NGINX_AVAILABLE_VHOSTS='/etc/nginx/sites-available'
NGINX_ENABLED_VHOSTS='/etc/nginx/sites-enabled'
WEB_DIR='/var/sites'
WEB_USER='www-data'
UNIXUSER=$(echo "$2" | awk '{print tolower($0)}')
NGINX_SCHEME='$scheme'
NGINX_REQUEST_URI='$request_uri'
DOMAIN=$(echo "$1" | awk '{print tolower($0)}')
DOMAINFIRSTLETTER="${DOMAIN:0:1}"
ABC='[a-zA-Z]';
SERVERIP=$(hostname -I)
DNSIP=$(host -4 ${DOMAIN})
isSameIP=$(echo $DNSIP | grep -c $SERVERIP)
if [ $isSameIP -eq 1 ]; then
if [ ! -d /etc/letsencrypt/live/${DOMAIN} ]; then
bash /home/certbot.sh ${DOMAIN}
fi
else
if [ $# -lt "3" ]; then
if [ ${3} -eq 1 ]; then
bash /home/certbot.sh ${DOMAIN}
fi
else
bash /home/certbot.sh ${DOMAIN}
fi
fi
# Sanity check
[ $(id -g) != "0" ] && die "Script must be run as root."
[ $# -lt "2" ] && die "Usage: $(basename $0) <domain.com> <shell-user[john]> <get-cert-override[1|0]>"
# if id ${UNIXUSER} >/dev/null 2>&1; then
# # User exists
# echo ""
# else
# echo ""
# # Create user
# fi
if [ "$DOMAINFIRSTLETTER" -eq "$DOMAINFIRSTLETTER" ] 2>/dev/null; then
DOMAINCHARACTER=${DOMAINFIRSTLETTER}
fi
if [[ $DOMAINFIRSTLETTER =~ ${ABC} ]]; then
DOMAINCHARACTER=${DOMAINFIRSTLETTER}
fi
if [ -z ${DOMAINCHARACTER+x} ]; then
DOMAINCHARACTER="_"
fi
if [ ! -d ${WEB_DIR} ]; then
mkdir -p ${WEB_DIR}
fi
if [ ! -d ${WEB_DIR}/${DOMAINCHARACTER} ]; then
mkdir -p ${WEB_DIR}/${DOMAINCHARACTER}
fi
if [ ! -d ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN} ]; then
mkdir -p ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}
fi
# Create nginx config file
cat > $NGINX_AVAILABLE_VHOSTS/${DOMAIN} <<EOF
# Created at: $(date "+%Y-%m-%d_%H-%M-%S")
server {
# Just the server name
server_name ${DOMAIN} www.${DOMAIN};
listen 443 ssl;
root ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/public_html;
# Logs
access_log ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/logs/access.log;
error_log ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/logs/error.log;
# Includes
include snippets/defaults.conf;
EOF
isInFile=$(cat $NGINX_AVAILABLE_VHOSTS/${DOMAIN} | grep -c "ssl_certificate")
if [ $isInFile -eq 0 ]; then
#string not contained in file
tail -n 1 "$NGINX_AVAILABLE_VHOSTS/${DOMAIN}" | wc -c | xargs -I {} truncate "$NGINX_AVAILABLE_VHOSTS/${DOMAIN}" -s -{}
if [ -d /etc/letsencrypt/live/${DOMAIN} ]; then
cat >> $NGINX_AVAILABLE_VHOSTS/${DOMAIN} <<EOF
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
EOF
fi
fi
cat >> $NGINX_AVAILABLE_VHOSTS/${DOMAIN} <<EOF
}
EOF
# Creating {public,log} directories
mkdir -p ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/{public_html,logs}
# Creating index.html file
cat > ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/public_html/index.html <<EOF
<!DOCTYPE html>
<html lang="en">
<head>
<title>${DOMAIN}</title>
<meta charset="utf-8" />
</head>
<body class="container" style="text-align:center;">
<header><h1>${DOMAIN}<h1></header>
<div id="wrapper">
Hello World
</div>
<footer>© $(date +%Y)</footer>
</body>
</html>
EOF
# Changing permissions
chown -R $UNIXUSER:$WEB_USER ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}
# Enable site by creating symbolic link
if [ ! -f $NGINX_ENABLED_VHOSTS/${DOMAIN} ]; then
ln -s $NGINX_AVAILABLE_VHOSTS/${DOMAIN} $NGINX_ENABLED_VHOSTS/${DOMAIN}
fi
if [ ! -d ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/"config" ]; then
chown -R $UNIXUSER:$WEB_USER $NGINX_AVAILABLE_VHOSTS/${DOMAIN} ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/"config"
fi
if [ ! -f ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/"config"/${DOMAIN} ]; then
ln -s $NGINX_AVAILABLE_VHOSTS/${DOMAIN} ${WEB_DIR}/${DOMAINCHARACTER}/${DOMAIN}/"config"/${DOMAIN}
fi
# Restart
#echo "Do you wish to restart nginx?"
#select yn in "Yes" "No"; do
# case $yn in
# Yes ) /etc/init.d/nginx restart ; break;;
# No ) exit;;
# esac
#done
#
#ok "Site Created for $1"
service nginx restart -s
echo -e '\e[32m'${DOMAIN}'\e[m has been successfully setup!'
echo ""
echo "Nginx configs: $NGINX_ENABLED_VHOSTS/${DOMAIN}"
echo "Nginx configs: $NGINX_AVAILABLE_VHOSTS/${DOMAIN}"
echo ""
exit 1;
#!/bin/bash
## for nginx config of your domain please use the following for port 80
## Edited --
## just point at web.xoren.io and dont set a port 80 config make it fallback on the default and this will do all of the work for you
# server {
# listen 443 ssl;
# server_name music.xoren.io;
# ...
# }
## EDIT #2
## if you need to debug and set port 80
#server {
# listen 80;
# server_name music.xoren.io
# include /etc/nginx/snippets/well-known-dir.conf;
#}
red='\033[0;31m'
green='\033[0;32m'
NC='\033[0m'
array=( $@ )
_len=${#array[@]}
_args=${array[@]}
DIR=/tmp/letsencrypt-auto
DIR2=/tmp/letsencrypt-auto/.well-known
DIR3=/tmp/letsencrypt-auto/.well-known/acme-challenge
if [ ! -d ${DIR} ]; then
mkdir -p ${DIR}
echo "Making file structure."
fi
if [! -d ${DIR2} ]; then
mkdir -p ${DIR2}
echo "Making file structure."
fi
if [! -d ${DIR3} ]; then
mkdir -p ${DIR3}
echo "Making file structure."
fi
function install {
if [ ! "${_len}" -ge "1" ]; then
echo ""
echo -e "${red}Warning Incorrect usage${NC}"
echo ""
echo -e "$0 ${green}<domain(s)>${NC}"
echo ""
echo -e "EXAMPLE: $0 ${green}www.xoren.io xoren.io${NC}"
echo ""
exit 0;
else
for DOMAIN in "${_args}"
do :
echo ""
echo -e 'Requesting domain verification from letsencrypt for v\e[32m'${DOMAIN}'\e[m'
echo ""
if [ -d /etc/letsencrypt/live/${DOMAIN} ] && [ -f /etc/letsencrypt/live/${DOMAIN}/README ]; then
echo 'v\e[32mSuccess\e[m: Domain verification found on local'
else
letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=${DIR} ${DOMAIN}
fi
done
fi
}
install
exit 1;
# /etc/nginx/sites-available
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
#server_name 193.70.97.131;
server_name _;
server_tokens off;
more_clear_headers Server;
#if ($http_user_agent ~ (agent1|Cheesebot|Catall Spider) ) {
# return 403;
#}
include snippets/well-known-dir.conf;
}
server {
listen 443 default_server ssl;
#server_name 193.70.97.131;
#server_name _;
root /var/www/;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
include snippets/defaults.conf;
}
# /etc/nginx/snippets
server_tokens off;
more_clear_headers Server;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
more_set_headers "Server: nginx xoren";
more_set_headers "X-Powered-By: xoren";
#gzip on;
#gzip_disable "msie6";
#gzip_min_length 1000;
#gzip_vary on;
#gzip_proxied any;
#gzip_comp_level 6;
#gzip_buffers 16 8k;
#gzip_http_version 1.0;
#gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
ssl on;
ssl_certificate /etc/letsencrypt/live/alpha.xoren.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/alpha.xoren.io/privkey.pem;
ssl_session_timeout 5m;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
index index.html index.php index.nginx-debian.html;
#location / {
# limit_req zone=lr_zone burst=1 nodelay;
# try_files $uri $uri/ /index.htm /index.html /index.php?$query_string =404;
#}
location ~* \.(?:css|js)$ {
#try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ /\.ht {
deny all;
}
include /etc/nginx/snippets/vhost-status.conf;
#!/bin/bash
# /home
die() { echo -e '\e[1;31m'$1'\e[m'; exit 1; }
chars=( {a..z} {A..Z} {0..9} \_ \* \+ \~ \! \§ \$ \% \& \( \) \= \? \{ \[ \] \} \| \> \< )
function rand_string {
local c=$1 ret=
while((c--)); do
ret+=${chars[$((RANDOM%${#chars[@]}))]}
done
printf '%s\n' "$ret"
}
array=( $@ )
_len=${#array[@]}
_args=${array[@]}
export MYSQL_PWD="Pa55Word"
if [ ${_len} -lt "2" ];then
echo "Usage: $(basename $0) <test-server[1|0]> <action>"
echo "Actions: "
echo "1: create-user"
echo "2: create-database"
echo "3: grant-access"
echo "4: backup-database"
echo "5: change-users-password"
echo "6: delete-user"
echo "7: delete-database"
echo "8: list-users "
echo "9: list-databases"
exit 1;
fi
if [[ ${2} == 1 || ${2} == 'create-user' ]]; then
USER=${3}
PASS=$(rand_string 12)
if [[ ${_len} -lt 4 ]]; then
WILD=1
else
WILD=${4}
fi
elif [[ ${2} == 2 || ${2} == 'create-database' ]]; then
DATABASENAME=${3}
elif [[ ${2} == 3 || ${2} == 'grant-access' ]]; then
USER=${3}
DATABASENAME=${4}
elif [[ ${2} == 4 || ${2} == 'backup-database' ]]; then
DATABASENAME=${3}
TIME=$(date "+%Y-%m-%d_%H-%M-%S");
elif [[ ${2} == 5 || ${2} == 'change-users-password' ]]; then
USER=${3}
if [[ ${_len} -lt 4 ]]; then
PASS=$(rand_string 12)
else
PASS=${4}
fi
elif [[ ${2} == 6 || ${2} == 'delete-user' ]]; then
USER=${3}
elif [[ ${2} == 7 || ${2} == 'delete-database' ]]; then
DATABASENAME=${3}
TIME=$(date "+%Y-%m-%d_%H-%M-%S");
# elif [[ ${2} == 8 || ${2} == 'list-users' ]]; then
# echo "Listing mysql users"
# elif [[ ${2} == 9 || ${2} == 'list-databases' ]]; then
# echo "Listing mysql databases"
fi
if [ ${1} == 1 ] ; then
HOST="51.254.83.109"
HOSTACCESS="51.254.83.109"
else
HOST="127.0.0.1"
HOSTACCESS="mysql.xoren.io"
fi
function createUser {
[ ${_len} -lt "3" ] && die "Usage: $(basename $0) <test-server[1|0]> create-user <username> <wildcard_permissions[1|0]>"
RUN=""
RESULT_VARIABLE="$(mysql --host=${HOST} --user="admin" -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${USER}' AND Host = '193.70.97.131')")"
if [ $RESULT_VARIABLE = 0 ]; then
RUN+="CREATE USER '${USER}'@'193.70.97.131' IDENTIFIED BY '${PASS}';"
fi
RESULT=`mysql --host=${HOST} --user="admin" --skip-column-names -e "SHOW DATABASES LIKE '${USER}'"`
if [ "$RESULT" == "${USER}" ]; then
die "User already exists"
else
echo "Creating database ${USER}"
RUN+="CREATE DATABASE ${USER};"
fi
# | mysql --host=${HOST} --user="admin" --silent
echo "Granting access to \`${USER}\_%\`.* and \`${USER}\`.* for ${USER}"
if [[ ${_len} -eq 1 ]]; then
RUN+="GRANT ALL PRIVILEGES ON \`${USER}\_%\`.* TO '${USER}'@'193.70.97.131' IDENTIFIED BY '${PASS}';"
fi
# | mysql --host=${HOST} --user="admin" --silent
RUN+="GRANT ALL PRIVILEGES ON \`${USER}\`.* TO '${USER}'@'193.70.97.131' IDENTIFIED BY '${PASS}';"
# | mysql --host=${HOST} --user="admin" --silent
mysql --host=${HOST} --user="admin" --batch --silent -e "${RUN} FLUSH PRIVILEGES;";
echo "Success - Please use the following to access our database cluster"
echo "host : ${HOSTACCESS}"
echo "username : ${USER}"
echo "pass : ${PASS}"
}
function createDatabase {
[ ${_len} -lt "3" ] && die "Usage: $(basename $0) <test-server[1|0]> create-database <name_of_data>"
echo "Creating database ${DATABASENAME}"
RESULT=`mysql --host=${HOST} --user="admin" --skip-column-names -e "SHOW DATABASES LIKE '${DATABASENAME}'"`
if [ "$RESULT" == "${DATABASENAME}" ]; then
die "Database already exists"
exit;
else
echo "Creating database ${DATABASENAME}"
RUN+="CREATE DATABASE ${DATABASENAME};"
mysql --host=${HOST} --user="admin" --batch --silent -e "${RUN} FLUSH PRIVILEGES;";
fi
}
function grantAccess {
[ ${_len} -lt "4" ] && die "Usage: $(basename $0) <test-server[1|0]> grant-access <mysql_user> <name_of_data>"
echo "Granting access to ${DATABASENAME} for ${USER}"
RUN=""
RUN+="GRANT ALL PRIVILEGES ON \`${DATABASENAME}\`.* TO '${USER}'@'193.70.97.131';"
mysql --host=${HOST} --user="admin" --batch --silent -e "${RUN} FLUSH PRIVILEGES;";
}
function backupDatabase {
[ ${_len} -lt "3" ] && die "Usage: $(basename $0) <test-server[1|0]> backup-database <database_name>"
echo "Backing up database: ${DATABASENAME}"
mysqldump --host=${HOST} -u admin --single-transaction --no-data ${DATABASENAME} > ${TIME}_${DATABASENAME}_structure.sql
mysqldump --host=${HOST} -u admin ${DATABASENAME} > ${TIME}_${DATABASENAME}_data.sql
gzip *.sql
}
function changeUsersPassword {
[ ${_len} -lt "3" ] && die "Usage: $(basename $0) <test-server[1|0]> change-users-password <mysql_user> <password>"
RESULT_VARIABLE="$(mysql --host=${HOST} --user="admin" -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${USER}' AND Host = '193.70.97.131')")"
RUN=""
if [ $RESULT_VARIABLE = 1 ]; then
echo "Changing ${USER}'s password to ${PASS}"
RUN+="SET PASSWORD FOR '${USER}'@'193.70.97.131' = PASSWORD('${PASS}');"
mysql --host=${HOST} --user="admin" --batch --silent -e "${RUN} FLUSH PRIVILEGES;";
echo "Success - Please use the following to access our database cluster"
echo "host : ${HOSTACCESS}"
echo "username : ${USER}"
echo "pass : ${PASS}"
else
die "User ${USER} doesn't exist";
fi
}
function deleteUser {
[ ${_len} -lt "3" ] && die "Usage: $(basename $0) <test-server[1|0]> delete-user <mysql_user>"
if [ ${USER} == "mysql" ]; then
die "Cant delete this user"
elif [ ${USER} == "root" ]; then
die "Cant delete this user"
elif [ ${USER} == "admin" ]; then
die "Cant delete this user"
elif [ ${USER} == "phpmyadmin" ]; then
die "Cant delete this user"
fi
RESULT_VARIABLE="$(mysql --host=${HOST} --user="admin" -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${USER}' AND Host = '193.70.97.131')")"
RUN=""
if [ $RESULT_VARIABLE = 1 ]; then
echo "Deleting user ${USER}"
RUN+="DROP USER '${USER}'@'193.70.97.131';"
mysql --host=${HOST} --user="admin" --batch --silent -e "${RUN} FLUSH PRIVILEGES;";
 else
die "User ${USER} doesn't exist"
fi
}
function deleteDataBase {
[ ${_len} -lt "3" ] && die "Usage: $(basename $0) <test-server[1|0]> delete-database <database>"
if [ ${DATABASENAME} == "mysql" ]; then
die "Cant delete this database"
elif [ ${DATABASENAME} == "root" ]; then
die "Cant delete this database"
elif [ ${DATABASENAME} == "admin" ]; then
die "Cant delete this database"
elif [ ${DATABASENAME} == "performance_schema" ]; then
die "Cant delete this database"
elif [ ${DATABASENAME} == "phpmyadmin" ]; then
die "Cant delete this database"
elif [ ${DATABASENAME} == "information_schema" ]; then
die "Cant delete this database"
elif [ ${DATABASENAME} == "information_schema" ]; then
die "Cant delete this database"
fi
RESULT=`mysql --host=${HOST} --user="admin" --skip-column-names -e "SHOW DATABASES LIKE '${DATABASENAME}'"`
if [ "$RESULT" == "${DATABASENAME}" ]; then
echo "Deleting database ${DATABASENAME}"
RUN+="DROP DATABASE IF EXISTS \`${DATABASENAME}\`;"
mysql --host=${HOST} --user="admin" --batch --silent -e "${RUN} FLUSH PRIVILEGES;";
else
die "Database ${DATABASENAME} doesn't exist"
fi
}
function listUsers {
echo "==========="
echo " Users "
echo "==========="
RESULT=`mysql --host=${HOST} --user="admin" --skip-column-names -e "select User,Host from mysql.user WHERE Host = '193.70.97.131';"`
for User in "${RESULT}"
do :
# echo "${User}"
FIND="193.70.97.131"
REPLACE="\n"
echo -ne ${RESULT//${FIND}/${REPLACE}}
done
}
function listDatabases {
echo "==========="
echo " Databases "
echo "==========="
RESULT=`mysql --host=${HOST} --user="admin" --skip-column-names -e "SHOW DATABASES"`
for Database in "${RESULT}"
do :
echo "${Database}"
done
}
if [[ ${2} == 1 || ${2} == 'create-user' ]]; then
createUser
elif [[ ${2} == 2 || ${2} == 'create-database' ]]; then
createDatabase
elif [[ ${2} == 3 || ${2} == 'grant-access' ]]; then
grantAccess
elif [[ ${2} == 4 || ${2} == 'backup-database' ]]; then
backupDatabase
elif [[ ${2} == 5 || ${2} == 'change-users-password' ]]; then
changeUsersPassword
elif [[ ${2} == 6 || ${2} == 'delete-user' ]]; then
deleteUser
elif [[ ${2} == 7 || ${2} == 'delete-database' ]]; then
backupDatabase
deleteDataBase
elif [[ ${2} == 8 || ${2} == 'list-users' ]]; then
listUsers
elif [[ ${2} == 9 || ${2} == 'list-databases' ]]; then
listDatabases
fi
# /etc/nginx/snippets
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /tmp/letsencrypt-auto;
}
location / {
return 301 https://$host$request_uri;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment