#!/bin/bash
####################################################################################################
#### author: SlickStack ############################################################################
#### link: https://slickstack.io ###################################################################
#### mirror: https://mirrors.slickstack.io/bash/ss-install-nginx-ssl.txt ###########################
#### path: /var/www/ss-install-nginx-ssl ###########################################################
#### destination: n/a (not a boilerplate) ##########################################################
#### purpose: Reinstalls desired SSL cert (OpenSSL vs Lets Encrypt) to Nginx (idempotent) ##########
#### module version: Nginx 1.18.x ##################################################################
#### sourced by: ss-install-nginx ##################################################################
#### bash aliases: ss install nginx ssl, ss install ssl ############################################
####################################################################################################
## SS-CONFIG MUST BE PROPERLY CONFIGURED AND ON CURRENT BUILD BEFORE RUNNING SS-INSTALL ##
## ENSURE YOUR SS-CONFIG BUILD REMAINS CURRENT BY RUNNING SS-UPDATE OCCASIONALLY ##
## source ss-config ##
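## ss-config supplies SSL_TYPE, the SSL_* tuning values and the TMP_/MIRROR_/PATH_ locations ##
## used by the rest of this script; sourcing a missing file only prints a bare bash error and ##
## silently leaves every setting empty, so check first and say what is wrong (this script is ##
## sourced by ss-install-nginx, hence a warning rather than an exit that would abort the caller) ##
if [[ -f /var/www/ss-config ]]; then
    source /var/www/ss-config
else
    echo "ss-install-nginx-ssl: /var/www/ss-config not found, all SSL settings will be empty" >&2
fi
## source ss-functions ##
## ss-functions presumably defines the colour variables (PURPLE, YELLOW, NOCOLOR) used below ##
if [[ -f /var/www/ss-functions ]]; then
    source /var/www/ss-functions
else
    echo "ss-install-nginx-ssl: /var/www/ss-functions not found, continuing without it" >&2
fi
## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS
####################################################################################################
#### SS-Install-Nginx-SSL: Message (Begin Script) ##################################################
####################################################################################################
## this is a simple message that announces to the shell the purpose of this bash script ##
## it will only be noticed by sudo users who manually call ss core bash scripts ##
## echo message ##
echo -e "${PURPLE}Running ss-install-nginx-ssl: Reinstalls desired SSL cert (OpenSSL vs Lets Encrypt) to Nginx (idempotent)... ${NOCOLOR}"
## an unset SLEEP_MESSAGE_BEGIN used to make sleep print a usage error; default to no pause ##
sleep "${SLEEP_MESSAGE_BEGIN:-0}"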
####################################################################################################
#### SS-Install-Nginx-SSL: Install Lets Encrypt (Per SS-Config) ####################################
####################################################################################################
## here we update the Nginx config files to activate either OpenSSL or Lets Encrypt SSL ##
## which sub-config is activated depends on SSL_TYPE in ss-config (the OpenSSL and Lets Encrypt cert files are expected to exist on disk regardless of which one is active) ##
## install letsencrypt.conf (if preferred) ##
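## the three SSL types differ only in which template is fetched, where it is installed and ##
## which competing sub-configs are removed, so the shared steps live in the helpers below ##
## (this script is sourced by ss-install-nginx: the helpers stay defined in that shell, and ##
## every failure path returns/skips instead of exit, which would abort the calling script) ##

## helper: escape a value for the replacement side of a sed "s|...|...|g" expression ##
## with "|" as delimiter the characters "|", "&" and "\" would otherwise be interpreted by sed, ##
## silently mangling e.g. a custom cipher string or leaving the placeholder in the live config ##
## arguments: $1 = raw value ##
## outputs: escaped value on stdout (no trailing newline) ##
ss_nginx_ssl_sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

## helper: replace one @SSL_* placeholder in a template file, in place ##
## arguments: $1 = template path, $2 = placeholder (e.g. @SSL_CIPHERS), $3 = raw value ##
## returns: sed's exit status ##
ss_nginx_ssl_subst() {
    local template="$1" placeholder="$2" value
    value="$(ss_nginx_ssl_sed_escape "$3")"
    sed -i "s|${placeholder}|${value}|g" "$template"
}

## helper: render a downloaded SSL sub-config template in place ##
## fills the five @SSL_* placeholders from ss-config, falling back to the SlickStack defaults ##
## below when a setting is unset or empty (the same defaults as before) ##
## reads: SSL_PROTOCOLS, SSL_CIPHERS, SSL_SESSION_TIMEOUT, SSL_SESSION_CACHE, SSL_BUFFER_SIZE ##
## arguments: $1 = template path ##
## returns: 0 on success, 1 if the template is missing/empty or a substitution failed ##
## NOTE(review): the default cipher list includes DHE-RSA suites, which Nginx presumably only ##
## offers when ssl_dhparam is configured; whether the template sets that is not visible here ##
ss_nginx_ssl_render() {
    local template="$1"
    if [[ ! -s "$template" ]]; then
        echo -e "${YELLOW}ss-install-nginx-ssl: SSL template ${template} is missing or empty, nothing rendered ${NOCOLOR}" >&2
        return 1
    fi
    ss_nginx_ssl_subst "$template" "@SSL_PROTOCOLS" "${SSL_PROTOCOLS:-TLSv1.2 TLSv1.3}" \
        && ss_nginx_ssl_subst "$template" "@SSL_CIPHERS" "${SSL_CIPHERS:-ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384}" \
        && ss_nginx_ssl_subst "$template" "@SSL_SESSION_TIMEOUT" "${SSL_SESSION_TIMEOUT:-1d}" \
        && ss_nginx_ssl_subst "$template" "@SSL_SESSION_CACHE" "${SSL_SESSION_CACHE:-shared:SSL:64m}" \
        && ss_nginx_ssl_subst "$template" "@SSL_BUFFER_SIZE" "${SSL_BUFFER_SIZE:-16k}" \
        || return 1
    ## a surviving placeholder means the template changed under us; warn but do not block, ##
    ## Nginx will reject the file on its own config test anyway ##
    if grep -q '@SSL_' "$template"; then
        echo -e "${YELLOW}ss-install-nginx-ssl: unreplaced @SSL_ placeholder(s) remain in ${template} ${NOCOLOR}" >&2
    fi
    return 0
}

## helper: download one SSL sub-config template from the SlickStack mirror ##
## arguments: $1 = temp file to write, $2 = mirror URL ##
## returns: 0 if a non-empty file was written, 1 otherwise (the live config is never touched here) ##
## NOTE(review): the mirror content is trusted exactly as downloaded: there is no checksum or ##
## signature check, and transport security depends on the scheme of $MIRROR_*_CONF in ss-config ##
ss_nginx_ssl_fetch() {
    local tmp_file="$1" mirror_url="$2"
    if [[ -z "$tmp_file" || -z "$mirror_url" ]]; then
        echo -e "${YELLOW}ss-install-nginx-ssl: temp path or mirror URL for the SSL sub-config is empty, check ss-config ${NOCOLOR}" >&2
        return 1
    fi
    ## wget -O truncates the target before fetching, so a failed download leaves an empty file ##
    ## behind; check both the exit status and the size so an empty file is never installed ##
    if ! wget -O "$tmp_file" "$mirror_url" || [[ ! -s "$tmp_file" ]]; then
        echo -e "${YELLOW}ss-install-nginx-ssl: download of ${mirror_url} failed, leaving the current Nginx SSL config untouched ${NOCOLOR}" >&2
        return 1
    fi
    return 0
}

## helper: copy a rendered sub-config into /etc/nginx/conf.d/ and delete the competing ones ##
## arguments: $1 = rendered temp file, $2 = live destination, $3... = stale files to delete ##
## (pass the globs unquoted as the original did, e.g. /etc/nginx/conf.d/openssl.conf*) ##
## returns: 0 on success, 1 if the copy failed; in that case nothing is deleted, so Nginx is ##
## never left with no SSL sub-config at all ##
ss_nginx_ssl_activate() {
    local rendered="$1" destination="$2" stale
    shift 2
    if ! cp "$rendered" "$destination"; then
        echo -e "${YELLOW}ss-install-nginx-ssl: could not install ${rendered} to '${destination}' ${NOCOLOR}" >&2
        return 1
    fi
    ## -f so an already-absent competitor is not reported as an error ##
    for stale in "$@"; do
        rm -f -- "$stale"
    done
    return 0
}

## which sub-config to activate is decided by SSL_TYPE in ss-config; "certbot" is an alias for ##
## letsencrypt and an empty value means openssl (self-signed), exactly as before ##
## a reload or "nginx -t" is not done here; that is presumably left to ss-install-nginx ##
case "$SSL_TYPE" in
    letsencrypt|certbot)
        ## NOTE(review): nothing here checks that the cert/key letsencrypt.conf references exist ##
        ## yet; if certbot failed, Nginx will reject this config (the disabled fallback further ##
        ## down shows the originally intended behaviour) ##
        if ss_nginx_ssl_fetch "$TMP_LETSENCRYPT_CONF" "$MIRROR_LETSENCRYPT_CONF" \
            && ss_nginx_ssl_render "$TMP_LETSENCRYPT_CONF" \
            && ss_nginx_ssl_activate "$TMP_LETSENCRYPT_CONF" "$PATH_LETSENCRYPT_CONF" \
                /etc/nginx/conf.d/openssl.conf* /etc/nginx/conf.d/thirdparty.conf*; then
            echo -e "${PURPLE}Exiting ss-install-nginx-ssl: Lets Encrypt installation to the Nginx server appears to have been successful... ${NOCOLOR}"
        fi
        ;;
    openssl|"")
        ## the openssl destination is hard-coded (the other two types use PATH_* from ss-config) ##
        if ss_nginx_ssl_fetch "$TMP_OPENSSL_CONF" "$MIRROR_OPENSSL_CONF" \
            && ss_nginx_ssl_render "$TMP_OPENSSL_CONF" \
            && ss_nginx_ssl_activate "$TMP_OPENSSL_CONF" /etc/nginx/conf.d/openssl.conf \
                /etc/nginx/conf.d/letsencrypt.conf* /etc/nginx/conf.d/thirdparty.conf*; then
            echo -e "${PURPLE}Exiting ss-install-nginx-ssl: OpenSSL installation to the Nginx server appears to have been successful... ${NOCOLOR}"
        fi
        ;;
    thirdparty)
        if ss_nginx_ssl_fetch "$TMP_THIRDPARTY_CONF" "$MIRROR_THIRDPARTY_CONF" \
            && ss_nginx_ssl_render "$TMP_THIRDPARTY_CONF" \
            && ss_nginx_ssl_activate "$TMP_THIRDPARTY_CONF" "$PATH_THIRDPARTY_CONF" \
                /etc/nginx/conf.d/letsencrypt.conf* /etc/nginx/conf.d/openssl.conf*; then
            echo -e "${PURPLE}Exiting ss-install-nginx-ssl: Third party SSL installation to the Nginx server appears to have been successful... ${NOCOLOR}"
        fi
        ;;
    *)
        ## previously an unrecognised SSL_TYPE silently did nothing; say so ##
        echo -e "${YELLOW}ss-install-nginx-ssl: unknown SSL_TYPE '${SSL_TYPE}' in ss-config, no SSL sub-config was changed ${NOCOLOR}" >&2
        ;;
esac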
####################################################################################################
#### SS-Install-Nginx-SSL: Legacy Certbot Fallback (Disabled) ######################################
####################################################################################################
## the commented-out snippet below is earlier logic that checked for the Lets Encrypt cert files ##
## and reverted SSL_TYPE in ss-config to openssl when they were missing; it is not executed and is ##
## kept for reference only — note it references two different cert locations (/var/www/certs vs ##
## /etc/letsencrypt/live/slickstack), so confirm the correct path before re-enabling anything ##
# if [[ "$SSL_TYPE" == "certbot" ]] && [[ -f "/var/www/certs/fullchain.pem" ]] && [[ -f "/var/www/certs/keys/privkey.pem" ]]; then
# cp /tmp/letsencrypt.conf /etc/nginx/conf.d/letsencrypt.conf
# rm /etc/nginx/conf.d/openssl.conf*
# echo -e "${PURPLE}Lets Encrypt installation appears to have been successful. ${NOCOLOR}"
# elif [[ "$SSL_TYPE" == "certbot" ]] && [[ ! -f "/etc/letsencrypt/live/slickstack/fullchain.pem" || ! -f "/etc/letsencrypt/live/slickstack/privkey.pem" ]]; then
# cp /tmp/openssl.conf /etc/nginx/conf.d/openssl.conf
# rm /etc/nginx/conf.d/letsencrypt.conf*
# sed -i "s#SSL_TYPE="certbot"#SSL_TYPE="openssl"#g" /var/www/ss-config
# echo -e "${PURPLE}Lets Encrypt installation was not successful, reverting to OpenSSL instead. ${NOCOLOR}"
#else
# cp /tmp/openssl.conf /etc/nginx/conf.d/openssl.conf
# rm /etc/nginx/conf.d/letsencrypt.conf*
# echo -e "${YELLOW}OpenSSL installation appears to have been successful. ${NOCOLOR}"
# fi
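####################################################################################################
#### SS-Install-Nginx-SSL: Reset Permissions (Nginx SSL) ###########################################
####################################################################################################
## run ss-perms-nginx-ssl ##
## the perms script (path from ss-config) presumably tightens ownership and mode on the SSL ##
## sub-config and the cert/key files it references — TODO confirm against ss-perms-nginx-ssl; ##
## if it is missing that step is silently skipped, which deserves more than a bare bash error ##
if [[ -n "$PATH_SS_PERMS_NGINX_SSL" && -f "$PATH_SS_PERMS_NGINX_SSL" ]]; then
    source "$PATH_SS_PERMS_NGINX_SSL"
else
    echo -e "${YELLOW}ss-install-nginx-ssl: PATH_SS_PERMS_NGINX_SSL ('${PATH_SS_PERMS_NGINX_SSL}') is not a file, Nginx SSL permissions were NOT reset ${NOCOLOR}" >&2
fi
####################################################################################################
#### SS-Install-Nginx-SSL: Touch Timestamp File (End Script) #######################################
####################################################################################################
## this is a dummy timestamp file that will remember the last time this script was run ##
## it can be useful for developer reference and is sometimes used by SlickStack ##
## it is touched even when an earlier step was skipped (as before), so it is not proof of success ##
## script timestamp ##
if [[ -n "$TIMESTAMP_SS_INSTALL_NGINX_SSL" ]]; then
    touch "$TIMESTAMP_SS_INSTALL_NGINX_SSL"
fi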
####################################################################################################
#### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ###############
####################################################################################################
## Ref: https://github.com/littlebizzy/slickstack/blob/master/ss-install-nginx-config.txt
## Ref: https://github.com/littlebizzy/slickstack/blob/master/ss-encrypt-openssl.txt
## Ref: https://github.com/littlebizzy/slickstack/blob/master/ss-encrypt-certbot.txt
## SS_EOF