#!/bin/bash

declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem"
declare -rg CHAIN="/etc/lighttpd/chain.pem"
declare -rg DHPARAM="/etc/lighttpd/dhparam.pem"
declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"
declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem"
declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem"

if ! [ -s "$DHPARAM" ]; then
	curl -sS -m 10 "https://ssl-config.mozilla.org/ffdhe2048.txt" > "$DHPARAM"
fi
if ! openssl dhparam -noout -in "$DHPARAM" >&2; then
	rm -f -- "$DHPARAM"
fi
if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then
	openssl dhparam -out "$DHPARAM" 2048 &>/dev/null &
fi

/opt/openslx/slx-cert >&2 &

wait

if ! openssl dhparam -noout -in "$DHPARAM" >&2; then
	rm -f -- "$DHPARAM"
fi

[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN=
readonly INTERNAL_CHAIN

if [ -f "/usr/lib/lighttpd/mod_openssl.so" ]; then
	echo 'server.modules += ( "mod_openssl" )'
fi

debian="$( lsb_release -sr )"
debian="${debian%%.*}"

cat <<HEREDOC
\$SERVER["socket"] == ":443" {
	protocol	 = "https://"
	ssl.engine   = "enable"
	ssl.disable-client-renegotiation = "enable"

HEREDOC

if (( debian == 9 )); then
	cat <<HEREDOC
	ssl.use-sslv2 = "disable"
	ssl.use-sslv3 = "disable"
	ssl.honor-cipher-order = "disable"
	ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

HEREDOC
elif (( debian == 10 )); then
	cat <<HEREDOC
	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket")
	ssl.honor-cipher-order = "disable"
	ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

HEREDOC
else # if (( debian >= 11 )); then
	cat <<HEREDOC
	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
	ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
	ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")

HEREDOC
fi

echo "	# pemfile is cert+privkey, ca-file is the intermediate chain in one file"

if [ -s "$PUBLIC_BOTH" ]; then
	echo "	ssl.pemfile			   = \"${PUBLIC_BOTH}\""
	[ -s "$CHAIN" ] && echo "	ssl.ca-file = \"${CHAIN}\""
elif [ -s "$INTERNAL_BOTH" ]; then
	echo "	ssl.pemfile			   = \"${INTERNAL_BOTH}\""
	echo "	ssl.ca-file = \"${INTERNAL_CHAIN}\""
fi

[ -s "$DHPARAM" ] && echo "	ssl.dh-file          = \"${DHPARAM}\""

# VHost for server.bwlehrpool
if [ -s "${INTERNAL_BOTH}" ]; then
	cat <<HEREDOC
	\$HTTP["host"] == "satellite.bwlehrpool" {
		ssl.pemfile = "${INTERNAL_BOTH}"
		ssl.ca-file = "${INTERNAL_CHAIN}"
	}
HEREDOC
	#
fi

echo "}" # End main block

[ -f "$REDIR_FLAG" ] && cat <<"HEREDOC"
$HTTP["scheme"] == "http" {
	# capture vhost name with regex condition -> %0 in redirect pattern
	# must be the most inner block to the redirect rule
	$HTTP["host"] =~ ".*" {
		url.redirect = ( "^/slx-admin/($|\?|index.php).*" => "https://%0$0" )
		url.redirect-code = 302
	}
}
HEREDOC

exit 0