From 38c55adde7ad9e58a4cda0271b9ed847e7f160af Mon Sep 17 00:00:00 2001
From: Marwolf
Date: Sat, 18 Aug 2018 19:51:03 -0400
Subject: [PATCH] Certbot with HTTPS is working
---
 Certbot.sh | 8 ++++
 Linux_Installer.sh | 8 +++-
 docker-compose.yml | 21 ++++------
 etc/nginx/HTTPS_default.conf.BAK | 72 +++++++++++++++-----------------
 etc/nginx/fastcgi.conf | 26 ------------
 etc/nginx/nginx.conf | 63 ----------------------------
 6 files changed, 56 insertions(+), 142 deletions(-)
 create mode 100755 Certbot.sh
 delete mode 100644 etc/nginx/fastcgi.conf
 delete mode 100755 etc/nginx/nginx.conf
diff --git a/Certbot.sh b/Certbot.sh
new file mode 100755
index 0000000..9806500
--- /dev/null
+++ b/Certbot.sh
@@ -0,0 +1,8 @@
+sudo certbot certonly \
+--standalone \
+--preferred-challenges http \
+--agree-tos -n \
+--config-dir ./etc/letsencrypt \
+-d wolfkingdom.net \
+-m cleako@gmail.com \
+-q
diff --git a/Linux_Installer.sh b/Linux_Installer.sh
index 84fe754..56e80a0 100755
--- a/Linux_Installer.sh
+++ b/Linux_Installer.sh
@@ -76,7 +76,11 @@ if [ "$install" == "1" ]; then
 echo ""
 echo "Verifying the basics are installed."
 echo ""
- sudo apt update && sudo apt install screen zip fail2ban unzip git build-essential apt-transport-https ca-certificates curl software-properties-common -y
+ sudo apt-get update
+ sudo apt-get install software-properties-common -y
+ sudo add-apt-repository ppa:certbot/certbot -y
+ sudo apt-get update
+ sudo apt-get install certbot screen zip fail2ban unzip git build-essential apt-transport-https ca-certificates curl software-properties-common -y
 echo ""
 echo ""
 echo "Do you have Docker installed? It is required for this."
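Review bot: `--standalone` together with `--preferred-challenges http` makes certbot bind port 80 itself, yet docker-compose.yml in this same commit publishes `80:80` for the nginx container, so this script only succeeds while nginx is stopped and every renewal will need the same downtime; the `.well-known/acme-challenge` location added to HTTPS_default.conf.BAK suggests `--webroot -w ./Website` was the intended mode. The domain and contact address are hard-coded (`-d wolfkingdom.net`, `-m cleako@gmail.com`) while the nginx config reads `${NGINX_HOST}`, so the two can drift; taking both from the same variable keeps them aligned. `--config-dir ./etc/letsencrypt` is relative to the caller's working directory, so invoking the script from elsewhere writes the account and private keys to a different place; anchoring it as `--config-dir "$(dirname "$0")/etc/letsencrypt"` avoids that. The file also has no shebang line.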
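Review bot: The line being replaced chained `update` and `install` with `&&`, but the five new lines run unconditionally, so a failing `apt-get update` or `add-apt-repository ppa:certbot/certbot -y` is ignored and the final install still runs against a stale or incomplete package index. Restore the chaining, e.g. `sudo apt-get update && sudo apt-get install software-properties-common -y && sudo add-apt-repository ppa:certbot/certbot -y`, and likewise for the second update/install pair. `software-properties-common` is also installed again in the last added line two lines after it was installed on its own; dropping the duplicate keeps the list readable. The enclosing `if [ "$install" == "1" ]` block starts before the hunk.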
@@ -95,7 +99,7 @@ if [ "$install" == "1" ]; then echo "" curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $vers stable" - sudo apt update && sudo apt install docker-ce docker-compose -y + sudo apt-get update && sudo apt-get install docker-ce docker-compose -y else continue fi diff --git a/docker-compose.yml b/docker-compose.yml index baa8f61..a5c6f33 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,20 +2,22 @@ version: '3.1' services: nginx: - image: bitnami/nginx:latest + image: nginx:latest container_name: nginx volumes: - - "./etc/nginx:/opt/bitnami/nginx/conf/vhosts" - - "./Website:/opt/bitnami/nginx/html" - - "./etc/logs/nginx:/opt/bitnami/nginx/logs" + - "./etc/nginx:/etc/nginx/conf.d" + - "./Website:/var/www/html" + - "./etc/logs/nginx:/var/log/nginx" - "./etc/letsencrypt:/etc/letsencrypt" -# - "./etc/nginx/fastcgi.conf:/bitnami/nginx/conf/fastcgi.conf" ports: - - "80:8080" + - "80:80" - "443:443" environment: - NGINX_HOST=${NGINX_HOST} restart: always + depends_on: + - tomcat + - mysqldb myadmin: image: phpmyadmin/phpmyadmin @@ -35,8 +37,6 @@ services: command: chown -R 1001:1001 /bitnami volumes: - "./data/db/mysq:/bitnami/mariadb" - depends_on: - - nginx mysqldb: image: bitnami/mariadb:latest @@ -69,8 +69,6 @@ services: volumes: - "./Website:/usr/local/tomcat/webapps/ROOT" - "./etc/tomcat:/usr/local/tomcat/conf" - depends_on: - - nginx fix-ghost-permissions: image: 'bitnami/ghost:latest' @@ -78,9 +76,6 @@ services: command: chown -R 1001:1001 /bitnami/ghost volumes: - "./etc/ghost:/bitnami/ghost" - depends_on: - - mysqldb - - nginx ghost: image: bitnami/ghost:latest diff --git a/etc/nginx/HTTPS_default.conf.BAK b/etc/nginx/HTTPS_default.conf.BAK index ccb49d6..96fb245 100755 --- a/etc/nginx/HTTPS_default.conf.BAK +++ b/etc/nginx/HTTPS_default.conf.BAK 
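Review bot: The new `depends_on` lists `tomcat` and `mysqldb`, but the nginx config in this commit proxies only to `upstream tomcat` and `upstream ghost` and never contacts the database; since nginx refuses to start when an upstream host name does not resolve, the list should be `- tomcat` and `- ghost`. The `./etc/letsencrypt:/etc/letsencrypt` mount gives the internet-facing container write access to the account and private keys it only needs to read; `- "./etc/letsencrypt:/etc/letsencrypt:ro"` is sufficient. With etc/nginx/nginx.conf deleted in this same commit, the `./etc/nginx:/etc/nginx/conf.d` mount appears to hold only `HTTPS_default.conf.BAK`, which an `include /etc/nginx/conf.d/*.conf` would not load, so it is worth confirming which `.conf` file is actually meant to be served from that directory. `nginx:latest` is an unpinned tag; pinning a tested version tag makes the deployment reproducible.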
@@ -8,42 +8,43 @@ upstream ghost { # HTTP server { - listen 8080 default_server; - listen [::]:8080 default_server ipv6only=on; + listen 80 default_server; + listen [::]:80 default_server ipv6only=on; server_name ${NGINX_HOST}; - error_log /opt/bitnami/nginx/logs/error.log; - access_log /opt/bitnami/nginx/logs/access.log; + error_log /var/log/nginx/error.log; + access_log /var/log/nginx/access.log; - location / { - root /opt/bitnami/nginx/html; + location ~ /.well-known/acme-challenge { + allow all; + root /var/www/html; } - rewrite ^ https://$http_host$request_uri? permanent; #Redirect traffic to HTTPS + rewrite ^ https://$http_host$request_uri? permanent; } # HTTPS server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ${NGINX_HOST}; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ${NGINX_HOST}; - error_log /opt/bitnami/nginx/logs/error.log; - access_log /opt/bitnami/nginx/logs/access.log; + error_log /var/log/nginx/error.log; + access_log /var/log/nginx/access.log; - add_header Strict-Transport-Security "max-age=31536000" always; - ssl_session_cache shared:SSL:20m; - ssl_session_timeout 10m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;"; - ssl_stapling on; - ssl_stapling_verify on; - resolver 8.8.8.8 1.1.1.1; - ssl_certificate /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/${NGINX_HOST}/chain.pem; + add_header Strict-Transport-Security "max-age=31536000" always; + ssl_session_cache shared:SSL:20m; + ssl_session_timeout 10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;"; + ssl_stapling on; + ssl_stapling_verify on; + resolver 8.8.8.8 1.1.1.1; + ssl_certificate /etc/letsencrypt/live/wolfkingdom.net/fullchain.pem; + 
ssl_certificate_key /etc/letsencrypt/live/wolfkingdom.net/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/wolfkingdom.net/chain.pem; root /app; index index.jsp index.html index.htm; @@ -51,30 +52,25 @@ server { client_max_body_size 100M; location / { - root /opt/bitnami/nginx/html; - } - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - proxy_pass http://certbot_upstream; + root /var/www/html; } ####### Proxies ####### # PHP proxy # location /board { -# fastcgi_pass php:9001; -# fastcgi_index index.php; -# include fastcgi.conf; -# root /app; +# fastcgi_pass php:9001; +# fastcgi_index index.php; +# include fastcgi.conf; +# root /app; # } location ~ \.htm$ { - root /opt/bitnami/nginx/html; + root /var/www/html; } # Ghost proxy location /blog { - proxy_pass http://ghost; + proxy_pass http://ghost; proxy_set_header Host $http_host; # required for docker client's sake proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -84,9 +80,9 @@ server { # Tomcat proxy location ~ \.jsp$ { - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://tomcat; } diff --git a/etc/nginx/fastcgi.conf b/etc/nginx/fastcgi.conf deleted file mode 100644 index 091738c..0000000 --- a/etc/nginx/fastcgi.conf +++ /dev/null 
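Review bot: The new `location ~ /.well-known/acme-challenge` block in the port-80 server is unreachable, because `rewrite ^ https://$http_host$request_uri? permanent;` sits in server context and nginx executes server-level rewrite directives before it selects a location, so every plain-HTTP request, the ACME challenge included, is redirected to HTTPS. Move the redirect into a location so the challenge path wins, e.g. `location / { return 301 https://$host$request_uri; }`, and make the challenge location a literal prefix match, `location ^~ /.well-known/acme-challenge/ { root /var/www/html; }`, instead of an unescaped-dot regex that matches anywhere in the URI. The re-indented `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, both deprecated; `ssl_protocols TLSv1.2;` is the defensible setting unless legacy clients are a stated requirement. The certificate paths are now hard-coded to `wolfkingdom.net` while `server_name` still reads `${NGINX_HOST}`, which plain nginx does not expand, so either something must substitute that variable before the file is loaded or both should use the same literal. The HTTPS server block continues past the hunk.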
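Review bot: `location / { root /var/www/html; }` serves the `./Website` directory as static files, and docker-compose.yml mounts that same directory as Tomcat's `webapps/ROOT`; if that tree contains a `WEB-INF/` or `META-INF/` directory, nginx would hand out `web.xml` and compiled classes that Tomcat itself never exposes. Add `location ~ /(WEB-INF|META-INF)/ { deny all; }` ahead of the static locations, or point nginx at a directory that holds only public assets. The `location ~ \.htm$` block now carries the same `root /var/www/html;` as `location /`, so it is redundant and can be removed. The HTTPS server block starts before this hunk and ends after it.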
@@ -1,26 +0,0 @@
-
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-fastcgi_param REQUEST_SCHEME $scheme;
-fastcgi_param HTTPS $https if_not_empty;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
deleted file mode 100755
index 6b07395..0000000
--- a/etc/nginx/nginx.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-upstream tomcat {
- server tomcat:8080;
-}
-
-upstream ghost {
- server ghost:2368;
-}
-
-# HTTP
-server {
- listen 8080 default_server;
- listen [::]:8080 default_server ipv6only=on;
- server_name ${NGINX_HOST};
-
- error_log /opt/bitnami/nginx/logs/error.log;
- access_log /opt/bitnami/nginx/logs/access.log;
-
- root /app;
- index index.jsp index.html index.htm;
-
- client_max_body_size 100M;
-
- location / {
- try_files $uri $uri/ =404;
- }
-
- ####### Proxies #######
- # PHP proxy
-# location /board {
-# fastcgi_pass php:9001;
-# fastcgi_index index.php;
-# include fastcgi.conf;
-# root /app;
-# }
-
- location ~ \.htm$ {
- root /opt/bitnami/nginx/html;
- }
-
- # Ghost proxy
- location /blog {
- proxy_pass http://ghost;
- proxy_set_header Host $http_host; # required for docker client's sake
- proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 900;
- }
-
- # Tomcat proxy
- location ~ \.jsp$ {
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://tomcat;
- }
-
- location ~ /\.well-known/acme-challenge {
- root /opt/bitnami/nginx/html;
- allow all;
- }
-
-}