Diffstat (limited to 'satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh')
-rwxr-xr-x | satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
new file mode 100755
index 0000000..0f88864
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem"
+declare -rg CHAIN="/etc/lighttpd/chain.pem"
+declare -rg DHPARAM="/etc/lighttpd/dhparam.pem"
+declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"
+declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem"
+declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem"
+
+if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then
+ openssl dhparam -out "$DHPARAM" 2048 &>/dev/null &
+fi
+
+/opt/openslx/slx-cert >&2 &
+
+wait
+
+[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN=
+readonly INTERNAL_CHAIN
+
+cat <<HEREDOC
+\$SERVER["socket"] == ":443" {
+ protocol = "https://"
+ ssl.engine = "enable"
+ ssl.disable-client-renegotiation = "enable"
+
+ # ECDH/ECDHE ciphers curve strength (see "openssl ecparam -list_curves")
+ ssl.ec-curve = "secp384r1"
+ # Compression is by default off at compile-time, but use if needed
+ # ssl.use-compression = "disable"
+
+ # Environment flag for HTTPS enabled
+ setenv.add-environment = (
+ "HTTPS" => "on"
+ )
+
+ # intermediate configuration, tweak to your needs
+ ssl.use-sslv2 = "disable"
+ ssl.use-sslv3 = "disable"
+ ssl.honor-cipher-order = "enable"
+ ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+
+ # pemfile is cert+privkey, ca-file is the intermediate chain in one file
+HEREDOC
+if [ -s "$PUBLIC_BOTH" ]; then
+ echo " ssl.pemfile = \"${PUBLIC_BOTH}\""
+ [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\""
+elif [ -s "$INTERNAL_BOTH" ]; then
+ echo " ssl.pemfile = \"${INTERNAL_BOTH}\""
+ echo " ssl.ca-file = \"${INTERNAL_CHAIN}\""
+fi
+
+[ -s "$DHPARAM" ] && echo " ssl.dh-file = \"${DHPARAM}\""
+
+# VHost for server.bwlehrpool
+if [ -s "${INTERNAL_BOTH}" ]; then
+ cat <<HEREDOC
+ \$HTTP["host"] == "satellite.bwlehrpool" {
+ ssl.pemfile = "${INTERNAL_BOTH}"
+ ssl.ca-file = "${INTERNAL_CHAIN}"
+ }
+HEREDOC
+ #
+fi
+
+echo "}" # End main block
+
+[ -f "$REDIR_FLAG" ] && cat <<"HEREDOC"
+$HTTP["scheme"] == "http" {
+ # capture vhost name with regex condition -> %0 in redirect pattern
+ # must be the most inner block to the redirect rule
+ $HTTP["host"] =~ ".*" {
+ url.redirect = ( "^/slx-admin/($|\?|index.php).*" => "https://%0$0" )
+ url.redirect-code = 302
+ }
+}
+HEREDOC
+
+exit 0
+
|