-
-
Notifications
You must be signed in to change notification settings - Fork 662
/
activate-tls.sh
336 lines (285 loc) Β· 11.4 KB
/
activate-tls.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
#!/bin/bash
true
SCRIPT_NAME="Activate TLS"
# shellcheck source=lib.sh
source /var/scripts/fetch_lib.sh
# T&M Hansson IT AB Β© - 2024, https://www.hanssonit.se/
# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode
# Check if root
root_check
# Information
if [ -n "$DEDYNDOMAIN" ]
then
TLSDOMAIN="$DEDYNDOMAIN"
else
msg_box "Before we begin the installation of your TLS certificate you need to:
1. Have a domain like: cloud.example.com
If you want to get a domain at a fair price, please check this out: https://www.websupport.se/en/
2. Open port 80 and 443 against this servers IP address: $ADDRESS.
Here is a guide: https://www.techandme.se/open-port-80-443
It's also possible to automatically open ports with UPNP, if you have that enabled in your firewall/router.
PLEASE NOTE:
This script can be run again by executing: sudo bash $SCRIPTS/menu.sh, and choose 'Server Configuration' --> 'Activate TLS'"
if ! yesno_box_yes "Are you sure you want to continue?"
then
msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo \
bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'"
exit
fi
if ! yesno_box_yes "Have you opened port 80 and 443 in your router, or are you using UPNP?"
then
msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo \
bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'"
exit
fi
if ! yesno_box_yes "Do you have a domain that you will use?"
then
msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo \
bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'"
exit
fi
# Nextcloud Main Domain (activate-tls.sh)
TLSDOMAIN=$(input_box_flow "Please enter the domain name you will use for Nextcloud.
Make sure it looks like this:\nyourdomain.com, or cloud.yourdomain.com")
fi
if [ -z "$DEDYNDOMAIN" ]
then
msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $TLSDOMAIN, \
and opened port 80 and 443 directly to this servers IP. A full extensive guide can be found here:
https://www.techandme.se/open-port-80-443
This can be done automatically if you have UPNP enabled in your firewall/router. \
You will be offered to use UPNP in the next step."
if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
then
unset FAIL
open_port 80 TCP
open_port 443 TCP
cleanup_open_port
fi
fi
# Curl the lib another time to get the correct https_conf
# shellcheck source=lib.sh
source /var/scripts/fetch_lib.sh
# Check if $TLSDOMAIN exists and is reachable
echo
print_text_in_color "$ICyan" "Checking if $TLSDOMAIN exists and is reachable..."
domain_check_200 "$TLSDOMAIN"
# Set /etc/hosts domain
sed -i "s|127.0.1.1.*|127.0.1.1 $TLSDOMAIN nextcloud|g" /etc/hosts
network_ok
if [ -z "$DEDYNDOMAIN" ]
then
# Check if port is open with NMAP
check_open_port 80 "$TLSDOMAIN"
check_open_port 443 "$TLSDOMAIN"
fi
# Fetch latest version of test-new-config.sh
check_command download_script LETS_ENC test-new-config
# Install certbot (Let's Encrypt)
install_certbot
#Fix issue #28
tls_conf="$SITES_AVAILABLE/$TLSDOMAIN.conf"
# Check if "$tls.conf" exists, and if, then delete
if [ -f "$tls_conf" ]
then
rm -f "$tls_conf"
fi
# Check current PHP version --> PHPVER
# To get the correct version for the Apache conf file
check_php
# Only add TLS 1.3 on Ubuntu later than 22.04
if version 22.04 "$DISTRO" 24.04.10
then
TLS13="+TLSv1.3"
fi
# Fix zero file sizes
# See https://github.com/nextcloud/server/issues/3056
if version 24.04 "$DISTRO" 26.04.10
then
SETENVPROXY="SetEnv proxy-sendcl 1"
fi
# Generate nextcloud_tls_domain.conf
if [ ! -f "$tls_conf" ]
then
touch "$tls_conf"
print_text_in_color "$IGreen" "$tls_conf was successfully created."
sleep 2
cat << TLS_CREATE > "$tls_conf"
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
### YOUR SERVER ADDRESS ###
ServerAdmin admin@$TLSDOMAIN
ServerName $TLSDOMAIN
### SETTINGS ###
<FilesMatch "\.php$">
SetHandler "proxy:unix:/run/php/php$PHPVER-fpm.nextcloud.sock|fcgi://localhost"
</FilesMatch>
# Intermediate configuration
Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
SSLEngine on
SSLCompression off
SSLProtocol -all +TLSv1.2 $TLS13
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
ServerSignature off
# Logs
LogLevel warn
CustomLog \${APACHE_LOG_DIR}/access.log combined
ErrorLog \${APACHE_LOG_DIR}/error.log
# Document root folder
DocumentRoot $NCPATH
# The Nextcloud folder
<Directory $NCPATH>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
Satisfy Any
# This is to include all the Nextcloud rules due to that we use PHP-FPM and .htaccess aren't read
Include $NCPATH/.htaccess
</Directory>
# Deny access to your data directory
<Directory $NCDATA>
Require all denied
</Directory>
# Deny access to the Nextcloud config folder
<Directory $NCPATH/config/>
Require all denied
</Directory>
<IfModule mod_dav.c>
Dav off
</IfModule>
# The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
SetEnv HOME $NCPATH
SetEnv HTTP_HOME $NCPATH
# Disable HTTP TRACE method.
TraceEnable off
# Disable HTTP TRACK method.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]
# Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
<IfModule mod_reqtimeout.c>
RequestReadTimeout body=0
</IfModule>
### LOCATION OF CERT FILES ###
# SSLCertificateChainFile $CERTFILES/$TLSDOMAIN/chain.pem
SSLCertificateFile $CERTFILES/$TLSDOMAIN/fullchain.pem
SSLCertificateKeyFile $CERTFILES/$TLSDOMAIN/privkey.pem
SSLOpenSSLConfCmd DHParameters $DHPARAMS_TLS
</VirtualHost>
### EXTRAS ###
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
$SETENVPROXY
TLS_CREATE
fi
# Check if PHP-FPM is installed and if not, then remove PHP-FPM related lines from config
if ! pgrep php-fpm
then
sed -i "s|<FilesMatch.*|# Removed due to that PHP-FPM $PHPVER is missing|g" "$tls_conf"
sed -i "s|SetHandler.*|#|g" "$tls_conf"
sed -i "s|</FilesMatch.*|#|g" "$tls_conf"
fi
# Generate certs and auto-configure if successful
if [ -n "$DEDYNDOMAIN" ]
then
print_text_in_color "$ICyan" "Generating new TLS cert with DNS and deSEC, please don't abort the hook, it may take a while..."
# Renew with DNS by default
if certbot certonly --manual --text --key-type ecdsa --renew-by-default --server https://acme-v02.api.letsencrypt.org/directory --no-eff-email --agree-tos --preferred-challenges dns --manual-auth-hook "$SCRIPTS"/deSEC/hook.sh --manual-cleanup-hook "$SCRIPTS"/deSEC/hook.sh -d "$DEDYNDOMAIN"
then
# Generate DHparams cipher
if [ ! -f "$DHPARAMS_TLS" ]
then
openssl dhparam -out "$DHPARAMS_TLS" 2048
fi
# Choose which port for public access
msg_box "You will now be able to choose which port you want to put your Nextcloud on for public access.\n
The default port is 443 for HTTPS and if you don't change port, that's the port we will use.\n
Please keep in mind NOT to use the following ports as they are likely in use already:
${NONO_PORTS[*]}"
if yesno_box_no "Do you want to change the default HTTPS port (443) to something else?"
then
# Ask for port
while :
do
DEDYNPORT=$(input_box_flow "Please choose which port you want between 1024 - 49151.\n\nPlease remember to open this port in your firewall.")
if (("$DEDYNPORT" >= 1024 && "$DEDYNPORT" <= 49151))
then
if check_nono_ports "$DEDYNPORT"
then
print_text_in_color "$ICyan" "Changing to port $DEDYNPORT for public access..."
# Main port
sed -i "s|VirtualHost \*:443|VirtualHost \*:$DEDYNPORT|g" "$tls_conf"
if ! grep -q "Listen $DEDYNPORT" /etc/apache2/ports.conf
then
echo "Listen $DEDYNPORT" >> /etc/apache2/ports.conf
fi
# HTTP redirect
if ! grep -q '{HTTP_HOST}':"$DEDYNPORT" "$tls_conf"
then
sed -i "s|{HTTP_HOST}|{HTTP_HOST}:$DEDYNPORT|g" "$tls_conf"
fi
# Test everything
check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf"
if restart_webserver
then
msg_box "Congrats! You should now be able to access Nextcloud publicly on: https://$TLSDOMAIN:$DEDYNPORT, after you opened port $DEDYNPORT in your firewall."
break
fi
fi
else
msg_box "The port number needs to be between 1024 - 49151, please try again."
fi
done
else
if [ -f "$SCRIPTS/test-new-config.sh" ]
then
check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf"
if restart_webserver
then
msg_box "Congrats! You should now be able to access Nextcloud publicly on: https://$TLSDOMAIN after you opened port 443 in your firewall."
fi
fi
fi
fi
else
if generate_cert "$TLSDOMAIN"
then
if [ -d "$CERTFILES" ]
then
# Generate DHparams cipher
if [ ! -f "$DHPARAMS_TLS" ]
then
openssl dhparam -out "$DHPARAMS_TLS" 2048
fi
# Activate new config
check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf"
msg_box "Please remember to keep port 80 (and 443) open so that Let's Encrypt can do
the automatic renewal of your cert. If port 80 is closed the cert will expire in 3 months!
We follow best practice standards and redirect all traffic from port 80 to 443. We also configured the TLS settings itself to be very secure.
You can read more about what Let's Encrypt recommend here: https://letsencrypt.org/docs/allow-port-80/
It's A+ grade security, see for yourself: https://www.ssllabs.com/ssltest/"
msg_box "Let's Encrypt is 100% free. You can read more about it here:
https://letsencrypt.org/about/
Please consider showing them your gratitude:
https://letsencrypt.org/become-a-sponsor/
If you want to contribute to these scripts, have a look here:
https://github.com/nextcloud/vm/tree/main/lets-encrypt"
exit 0
fi
else
last_fail_tls "$SCRIPTS"/activate-tls.sh cleanup
fi
fi
exit