#!/bin/bash
# Requests a certificate for one domain with acme.sh (standalone mode on port 80)
# and wires it into Apache. Interactive: the only input is the domain asked for here.
read -r -p "Please enter the pointed domain / sub-domain name: " domain
# Apache is stopped up front (presumably to free port 80 for the challenge); it is
# started again once the certificate has been installed at the end of the script.
systemctl stop apache2
# ANSI colour sequences, kept as literal backslash escapes for use with echo -e.
RED='\033[31m'
GREEN='\033[32m'
YELLOW='\033[33m'
PLAIN='\033[0m'
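# Print a message in bold red. Uses printf with %s so backslash sequences in the
# message (e.g. inside a user-supplied domain) are printed literally, which
# echo -e would have interpreted.
red(){
  printf '\033[31m\033[01m%s\033[0m\n' "$1"
}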
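# Print a message in bold green. printf with %s keeps backslash sequences in the
# message literal instead of interpreting them as echo -e did.
green(){
  printf '\033[32m\033[01m%s\033[0m\n' "$1"
}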
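# Print a message in bold yellow. printf with %s keeps backslash sequences in the
# message literal instead of interpreting them as echo -e did.
yellow(){
  printf '\033[33m\033[01m%s\033[0m\n' "$1"
}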
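# Distribution tables, indexed in parallel: REGEX[i] is matched against the
# lower-cased OS description (see the detection loop below), and the other arrays
# hold the display name and package-manager commands for that same index.
# The Amazon Linux pattern used to carry literal single quotes ("'amazon linux'"),
# so it could never match; it is a plain regex now.
REGEX=(
  "debian"
  "ubuntu"
  "centos|red hat|kernel|oracle linux|alma|rocky"
  "amazon linux"
  "fedora"
)
RELEASE=("Debian" "Ubuntu" "CentOS" "CentOS" "Fedora")
PACKAGE_UPDATE=("apt-get update" "apt-get update" "yum -y update" "yum -y update" "yum -y update")
PACKAGE_INSTALL=("apt -y install" "apt -y install" "yum -y install" "yum -y install" "yum -y install")
PACKAGE_REMOVE=("apt -y remove" "apt -y remove" "yum -y remove" "yum -y remove" "yum -y remove")
PACKAGE_UNINSTALL=("apt -y autoremove" "apt -y autoremove" "yum -y autoremove" "yum -y autoremove" "yum -y autoremove")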
# Everything below installs packages and writes under /etc, so refuse a non-root run.
(( EUID == 0 )) || { red "Note: Please run the script as the root user"; exit 1; }
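# Candidate OS descriptions from the usual places; the first non-empty one wins.
CMD=(
  "$(grep -i pretty_name /etc/os-release 2>/dev/null | cut -d \" -f2)"
  "$(hostnamectl 2>/dev/null | grep -i system | cut -d : -f2)"
  "$(lsb_release -sd 2>/dev/null)"
  "$(grep -i description /etc/lsb-release 2>/dev/null | cut -d \" -f2)"
  "$(grep . /etc/redhat-release 2>/dev/null)"
  "$(grep . /etc/issue 2>/dev/null | cut -d \\ -f1 | sed '/^[ ]*$/d')"
)
SYS=""
for i in "${CMD[@]}"; do
  SYS="$i"
  if [[ -n $SYS ]]; then
    break
  fi
done
# Lower-case once instead of spawning tr on every loop iteration.
sys_lower=$(tr '[:upper:]' '[:lower:]' <<<"$SYS")
# After this loop `int` indexes the matching row of the PACKAGE_* tables; the
# install steps further down rely on that value, so do not reuse the variable.
SYSTEM=""
for ((int = 0; int < ${#REGEX[@]}; int++)); do
  if [[ $sys_lower =~ ${REGEX[int]} ]]; then
    SYSTEM="${RELEASE[int]}"
    break
  fi
done
if [[ -z $SYSTEM ]]; then
  red "Does not support the current OS, please use a supported one"
  exit 1
fi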
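# Refresh the package index on apt-based systems (yum updates as part of install).
if [[ $SYSTEM != "CentOS" ]]; then
  # shellcheck disable=SC2086 -- the table entry is a command plus flags and must word-split
  ${PACKAGE_UPDATE[int]}
fi
# curl and socat are hard requirements (the acme.sh download and the standalone
# challenge below use them), so a failed install is fatal rather than ignored.
# shellcheck disable=SC2086
if ! ${PACKAGE_INSTALL[int]} curl wget sudo socat; then
  red "Failed to install the required packages (curl wget sudo socat)"
  exit 1
fi
# A cron daemon is installed and enabled (presumably for acme.sh's renewal job);
# the package and unit names differ between the CentOS family and Debian/Ubuntu.
if [[ $SYSTEM == "CentOS" ]]; then
  cron_pkg=cronie
  cron_svc=crond
else
  cron_pkg=cron
  cron_svc=cron
fi
# shellcheck disable=SC2086
${PACKAGE_INSTALL[int]} "$cron_pkg"
systemctl start "$cron_svc"
systemctl enable "$cron_svc"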
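# Install acme.sh. The installer is fetched to a file first so that a failed or
# truncated download is detected (curl's exit status is checked) instead of being
# silently piped into `sh`.
installer=$(mktemp) || { red "Could not create a temporary file for the installer"; exit 1; }
if ! curl -fsSL https://get.acme.sh -o "$installer"; then
  rm -f -- "$installer"
  red "Failed to download the ACME.SH installer from https://get.acme.sh"
  exit 1
fi
# No contact address is passed to the installer: $acmeEmail was never assigned in
# this script, so `email=` was effectively empty anyway. Saying so is more honest
# than announcing a "fake email address" that is never sent.
# NOTE(review): acme.sh is assumed to register the account without a contact when
# none is given — confirm against the CA's requirements if a contact is wanted.
yellow "Skipped entering email, registering the ACME account without a contact address"
sh "$installer"
rm -f -- "$installer"
# Pick up the shell changes the installer makes, if the file exists at all.
[[ -f ~/.bashrc ]] && source ~/.bashrc
bash ~/.acme.sh/acme.sh --upgrade --auto-upgrade
bash ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
if [[ -n $(~/.acme.sh/acme.sh -v 2>/dev/null) ]]; then
  green "ACME.SH certificate application script installed successfully!"
else
  red "Sorry, the ACME.SH certificate application script installation failed"
  green "Suggestions:"
  yellow "Check the server network connection"
fi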
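# lsof is needed to see who holds port 80.
if ! command -v lsof >/dev/null; then
  if [[ $SYSTEM != "CentOS" ]]; then
    # shellcheck disable=SC2086 -- table entry is a command plus flags
    ${PACKAGE_UPDATE[int]}
  fi
  # shellcheck disable=SC2086
  ${PACKAGE_INSTALL[int]} lsof
fi
yellow "Checking if the port 80 is in use..."
sleep 1
# Only processes actually LISTENing on TCP/80 block the standalone challenge; the
# old `lsof -i:80 | awk` pipeline also picked up clients with a connection to port 80.
listeners=$(lsof -t -iTCP:80 -sTCP:LISTEN 2>/dev/null)
if [[ -z $listeners ]]; then
  green "Good! Port 80 is not in use"
  sleep 1
else
  red "Port 80 is currently in use, stopping the service that is listening on it:"
  lsof -iTCP:80 -sTCP:LISTEN
  # Ask with SIGTERM first so the service can shut down cleanly; escalate to
  # SIGKILL only for processes that are still alive afterwards.
  # shellcheck disable=SC2086 -- $listeners is a newline-separated PID list
  kill $listeners 2>/dev/null
  sleep 2
  for pid in $listeners; do
    if kill -0 "$pid" 2>/dev/null; then
      kill -9 "$pid" 2>/dev/null
    fi
  done
  sleep 1
fi
# The message used to read "Unpacking ACME.SH, Getting ready..." on this failure path.
if [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]]; then
  red "ACME.SH is not installed, cannot continue"
  exit 1
fi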
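# Cloudflare WARP would hide the server's real public IP; if it is up on either
# address family, take the wgcf tunnel down for the check (it is brought back up
# later if the domain does not point at this server).
# The `-k` flag is gone: cloudflare.com serves a valid certificate, and skipping
# verification here bought nothing but a downgrade.
WARPv4Status=$(curl -s4m8 https://www.cloudflare.com/cdn-cgi/trace | grep warp | cut -d= -f2)
WARPv6Status=$(curl -s6m8 https://www.cloudflare.com/cdn-cgi/trace | grep warp | cut -d= -f2)
warp_on='on|plus'
if [[ $WARPv4Status =~ $warp_on || $WARPv6Status =~ $warp_on ]]; then
  wg-quick down wgcf >/dev/null 2>&1
fi
# Bounded timeouts so an unreachable lookup service cannot hang the script
# (the IPv4 lookup previously had none).
ipv4=$(curl -s4m8 https://ipv4.icanhazip.com)
ipv6=$(curl -s6m8 ip.gs)
echo ""
yellow "When using port 80 application mode, first point your domain name to your server's public IP address. Otherwise the certificate application will be failed!"
echo ""
# Two independent checks replace the three-way if/elif with the same visible output.
if [[ -n $ipv4 ]]; then
  printf 'The public IPv4 address of server is: %b %s %b\n' "$GREEN" "$ipv4" "$PLAIN"
fi
if [[ -n $ipv6 ]]; then
  printf 'The public IPv6 address of server is: %b %s %b\n' "$GREEN" "$ipv6" "$PLAIN"
fi
echo ""
# The domain ends up in file names and config paths (e.g. /etc/apache2/ssl/<domain>.key)
# and in a URL query, so accept only hostname syntax: labels of letters, digits and
# hyphens, at least one dot. An empty answer fails this check too.
hostname_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
if [[ ! $domain =~ $hostname_re ]]; then
  red "Given domain is invalid. Please use example.com / sub.example.com"
  exit 1
fi
green "The given domain name:$domain"
sleep 1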
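# Look the domain up through a public service and compare the answer with this
# server's addresses before asking the CA for a certificate.
# NOTE(review): ipget.net is queried over plain HTTP (unchanged); its answer only
# decides whether issuance is attempted, the CA still validates the challenge itself.
domainIP=$(curl -sm8 "ipget.net/?ip=${domain}")
if [[ $domainIP == *nginx* ]]; then
  yellow "The domain name analysis failed, please check whether the domain name is correctly entered, and whether the domain name has been pointed to the server's public IP address"
  exit 1
fi
if [[ -z $domainIP ]]; then
  red "Could not look up the IP address of ${domain}, please check the server network connection"
  exit 1
fi
# The -n guards matter: with both lookups empty the old unguarded comparisons were
# true and issuance ran twice. `--insecure` (skip TLS verification of the ACME API)
# has been dropped; the CA endpoint must be reachable over verified TLS.
if [[ -n $ipv6 && $domainIP == "$ipv6" ]]; then
  bash ~/.acme.sh/acme.sh --issue -d "${domain}" --standalone -k ec-256 --listen-v6
elif [[ -n $ipv4 && $domainIP == "$ipv4" ]]; then
  bash ~/.acme.sh/acme.sh --issue -d "${domain}" --standalone -k ec-256
else
  # Restore the WARP tunnel if it was taken down for the IP check.
  if command -v wg-quick >/dev/null && command -v wgcf >/dev/null; then
    wg-quick up wgcf >/dev/null 2>&1
  fi
  green "Domain name ${domain} Currently pointed IP: ($domainIP)"
  red "The current domain name's resolved IP does not match the public IP used of the server"
  green "Suggestions:"
  yellow "1. Please check whether domain is correctly pointed to the server's current public IP"
  yellow "2. Please make sure that Cloudflare Proxy is closed (only DNS)"
  exit 1
fi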
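# Install the issued certificate into the web server's tree and write a TLS vhost.
# The script already required root above, so the `sudo` prefixes were redundant.
if command -v apt-get >/dev/null; then
  mkdir -p /etc/apache2/ssl/
  bash ~/.acme.sh/acme.sh --install-cert -d "${domain}" --key-file "/etc/apache2/ssl/${domain}.key" --fullchain-file "/etc/apache2/ssl/${domain}.crt" --ecc
  # Quoted delimiter: this file contains no shell variables, so write it verbatim.
  cat > /etc/apache2/conf-available/ssl-params.conf << 'ENDOFFILE'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
ENDOFFILE
  cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
  # ${APACHE_LOG_DIR} is an Apache environment variable, not a shell one: the
  # backslash keeps it from expanding to an empty string (which used to yield
  # "ErrorLog /error.log"). ${domain} is still expanded.
  cat > /etc/apache2/sites-available/default-ssl.conf << ENDOFFILE
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin ShaHaN@${domain}
ServerName ${domain}
DocumentRoot /var/www/html
ErrorLog \${APACHE_LOG_DIR}/error.log
CustomLog \${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/${domain}.crt
SSLCertificateKeyFile /etc/apache2/ssl/${domain}.key
<FilesMatch '\.(cgi|shtml|phtml|php)$'>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
ENDOFFILE
  a2enmod ssl
  a2enmod headers
  a2ensite default-ssl
  a2enconf ssl-params
  # Do not start Apache on a configuration that fails its own syntax check.
  if apache2ctl configtest; then
    systemctl restart apache2
  else
    red "Apache configuration test failed, apache2 was not restarted"
    exit 1
  fi
elif command -v yum >/dev/null; then
  mkdir -p /etc/ssl/
  bash ~/.acme.sh/acme.sh --install-cert -d "${domain}" --key-file "/etc/ssl/${domain}.key" --fullchain-file "/etc/ssl/${domain}.crt" --ecc
  cat > "/etc/httpd/conf.d/${domain}.conf" << ENDOFFILE
<VirtualHost *:443>
ServerName ${domain}
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateFile /etc/ssl/${domain}.crt
SSLCertificateKeyFile /etc/ssl/${domain}.key
</VirtualHost>
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.2
# SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
ENDOFFILE
  if apachectl configtest; then
    systemctl restart httpd
  else
    red "Apache configuration test failed, httpd was not restarted"
    exit 1
  fi
fi
clear
# The domain is data, not a format string, so it goes through %s.
printf '\nHTTPS Address : https://%s \n' "$domain"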