create scripts for haproxy and mail(nginx) 02.11.21:00.53

autocertbot.sh

@@ -1,33 +1,50 @@
 #!/bin/bash
 # script convert end make ssl sert for https
-# info - 
-#
+# info - script auto update cert for sites
+# version 1.10.1
+# author Koshuba V.O.- 2021
+# master@qbpro.ru
+# 
 path_certbot="/etc/letsencrypt/live";
 path_ssl="/etc/ssl/private";
 source certbot.conf;
-logfile="/var/log/syslog";
+log="/var/log/syslog";
 #
 cmd=$1;
 #
-
-function makesslkey() {
-:>/etc/ssl/crt-list.txt
+## if keys update certbot - recreate keys for sites
+function makekeys() {
+valtrue=0;
+rdate=$(date +%Y-%m-%d);
+rtime=$(date +%H:%M);
 for ((dmn=0; dmn != ${#domains[@]}; dmn++))
     do
-    cat $path_certbot/${domains[$dmn]}/cert.pem > $path_ssl/${domains[$dmn]}.pem;
-    cat $path_certbot/${domains[$dmn]}/chain.pem >> $path_ssl/${domains[$dmn]}.pem;
-    cat $path_certbot/${domains[$dmn]}/fullchain.pem >> $path_ssl/${domains[$dmn]}.pem;
-    cat $path_certbot/${domains[$dmn]}/privkey.pem >> $path_ssl/${domains[$dmn]}.pem;
-done
-for ((icrt=0; icrt != ${#domains[@]}; icrt++))
-    do
-    echo "$path_ssl/${domains[$icrt]}.pem">>/etc/ssl/crt-list.txt
+     keydate=$(ls -l --time-style=long-iso $path_certbot/${domains[$dmn]}/cert.pem |awk {'print$6'});
+     keytime=$(ls -l --time-style=long-iso $path_certbot/${domains[$dmn]}/cert.pem |awk {'print$7'});
+     if [ "$keydate" = "$rdate" ] && [ "$keytime" = "$rtime" ];
+        then
+         ((valtrue++));
+        cat $path_certbot/${domains[$dmn]}/cert.pem > $path_ssl/${domains[$dmn]}.pem;
+        cat $path_certbot/${domains[$dmn]}/chain.pem >> $path_ssl/${domains[$dmn]}.pem;
+        cat $path_certbot/${domains[$dmn]}/fullchain.pem >> $path_ssl/${domains[$dmn]}.pem;
+        cat $path_certbot/${domains[$dmn]}/privkey.pem >> $path_ssl/${domains[$dmn]}.pem;
+        echo "$rdate - $rtime - autocertbot: recreate cert for  ${domains[$dmn]}">> $log;
+      fi
 done
+if [ $valtrue != 0 ];
+   then
+     :>/etc/ssl/crt-list.txt
+        for ((icrt=0; icrt != ${#domains[@]}; icrt++))
+         do
+          echo "$path_ssl/${domains[$icrt]}.pem">>/etc/ssl/crt-list.txt
+        done
+fi
 }
 
 function renew() {
 /etc/init.d/haproxy stop;
     certbot renew;
+    makekeys;
 /etc/init.d/haproxy start;
 }
 
@@ -39,7 +56,6 @@ for ((dmn=0; dmn != ${#domains[@]}; dmn++))
     do
       certbot certonly --preferred-challenges http --standalone -d ${domains[$dmn]};
     done
-makesslkey;
 /etc/init.d/haproxy start;
 }
 
@@ -51,11 +67,6 @@ case "$cmd" in
 createCert;
 ;;
 
-## create cert keys
-"--keylist" | "--keylist" )
-makesslkey;
-;;
-
 ## update cert
 "--update" | "--update" )
 renew;
@@ -64,9 +75,8 @@ renew;
 ## start defaults
 
 * )
-echo "please input pameters: autocertbot.sh --create | --update | --keylist";
+echo "please input pameters: autocertbot.sh --create | --update";
 echo "autocertbot.sh --create; create new certificate"
 echo "autocertbot.sh --update; update certificates;"
-echo "autocertbot.sh --keylist; create ssl keylist;"
 ;;
-esac
+esac

certbot.conf

@@ -1,3 +1,4 @@
-adminmail="admin@mydomain.ru";
-domains=( "mydomain.ru"
+adminmail="admin@mydomen.com";
+domains=( "mydomen.com"
+          "webmail.mydomen.com"
            );

certbot4mail/certbot4mail.conf

@@ -0,0 +1,5 @@
+adminmail="admin@mydomen.com";
+webcrt="/home/wwwmails/letsencrypt";
+domains=( 
+ "mail.mydomen.com" 
+ );

certbot4mail/certbot4mail.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+#
+# необходимо для работы: nginx,certbot
+# create new cert
+path_ssl="/etc/ssl";
+path_cert="/etc/letsencrypt/live";
+source "/etc/scripts/certbot4mail/certbot4mail.conf";
+log="/var/log/syslog";
+#
+cmd=$1;
+#
+
+function createCert() {
+for ((dmn=0; dmn != ${#domains[@]}; dmn++))
+    do
+certbot certonly --webroot --agree-tos --email $adminmail -w $webcrt -d ${domains[$dmn]}
+done
+}
+
+function renew() {
+certbot renew;
+valtrue=0;
+rdate=$(date +%Y-%m-%d);
+rtime=$(date +%H:%M);
+for ((dmn=0; dmn != ${#domains[@]}; dmn++))
+    do
+     keydate=$(ls -l --time-style=long-iso $path_cert/${domains[$dmn]}/cert.pem |awk {'print$6'});
+     keytime=$(ls -l --time-style=long-iso $path_cert/${domains[$dmn]}/cert.pem |awk {'print$7'});
+     if [ "$keydate" = "$rdate" ] && [ "$keytime" = "$rtime" ];
+        then
+         ((valtrue++));
+        cat $path_cert/${domains[$dmn]}/cert.pem > $path_ssl/private/${domains[$dmn]}.pem;
+        cat $path_cert/${domains[$dmn]}/chain.pem >> $path_ssl/private/${domains[$dmn]}.pem;
+        cat $path_cert/${domains[$dmn]}/fullchain.pem >> $path_ssl/private/${domains[$dmn]}.pem;
+        cat $path_cert/${domains[$dmn]}/privkey.pem >> $path_ssl/private/${domains[$dmn]}.pem;
+#
+	cp -f $path_ssl/private/${domains[$pem_index]}.pem $path_ssl/certs/${domains[$pem_index]}.pem
+    	cd $path_ssl/certs
+    	chmod 600 ${domains[$pem_index]}.pem
+	ln -sf ${domains[$pem_index]}.pem `openssl x509 -noout -hash < ${domains[$pem_index]}.pem`.0
+        cd $path_ssl
+        echo "$(date) - certbot4mail.sh: update cert for  ${domains[$dmn]}">> $log;
+      fi
+done
+if [ $valtrue != 0 ];
+   then
+     :>/etc/ssl/crt-list.txt
+        for ((icrt=0; icrt != ${#domains[@]}; icrt++))
+         do
+          echo "$path_ssl/${domains[$icrt]}.pem">>/etc/ssl/crt-list.txt
+        done
+/etc/init.d/dbmail restart;
+/etc/init.d/stunnel4 restart;
+fi
+}
+
+
+case "$cmd" in
+
+## create cert
+"--create" | "--create" )
+createCert;
+;;
+
+## update cert
+"--update" | "--update" )
+renew;
+;;
+
+## start defaults
+
+* )
+echo "please input pameters: certbot4mail.sh --create | --update";
+echo "certbot4mail.sh --create; create new certificate"
+echo "certbot4mail.sh --update; update certificates;"
+;;
+esac

certbot4mail/examples/nginx.conf

@@ -0,0 +1,74 @@
+user  www-data;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  /var/log/nginx/access.log  main;
+    access_log off;
+
+    sendfile        on;
+    tcp_nopush     on;
+    server_tokens off;
+    keepalive_timeout  65;
+
+    gzip  on;
+###
+    gzip_disable "msie6";
+    gzip_comp_level 4;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+    
+### include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+####
+    tcp_nodelay on;
+    types_hash_max_size 2048;
+    
+### codepage
+    charset        utf8;
+    source_charset utf8;
+    
+#### Tuning system....
+    ## - Защита
+    # Максимальный размер буфера для хранения тела запроса клиента
+    ##client_body_buffer_size 1K;
+    # Максимальный размер буфера для хранения заголовков запроса клиента
+    ##client_header_buffer_size 1k;
+    # Максимальный размер тела запроса клиента, прописанный в поле Content-Length заголовка. Если сервер должен поддерживать загрузку файлов, это значение необходимо увеличить
+    ##client_max_body_size 1k;
+    # для Rouncube
+    client_max_body_size 40M;
+    # Количество и размер буферов для чтения большого заголовка запроса клиента
+    ##large_client_header_buffers 2 1k;
+    
+    
+    ## - Увеличиваем скорость
+    # Таймаут при чтении тела запроса клиента
+    client_body_timeout   10;
+    # Таймаут при чтении заголовка запроса клиента
+    client_header_timeout 10;
+    # Таймаут, по истечению которого keep-alive соединение с клиентом не будет закрыто со стороны сервера
+    ##keepalive_timeout     5 5;
+    # Таймаут при передаче ответа клиенту
+    send_timeout          10;
+    ## transparent ip
+    set_real_ip_from 127.0.0.1;
+    real_ip_header X-Real-IP;
+}

certbot4mail/examples/nginx/sites-avalable/http_mail-mydomen

@@ -0,0 +1,16 @@
+server {
+    listen      192.4.1.6:80;
+
+    server_name mail.mydomen.ru;
+    if ($http_host !~ "^mail.mydomen.ru$"){
+        rewrite ^(.*)$ http://mail.mydomen.ru$1 redirect;
+    }
+    root /home/wwwmails/mail-mydomen;
+
+    error_log /var/log/nginx/err-mail_mydomen_ru.log;
+    access_log /var/log/nginx/access-mail_mydomen_ru.log;
+
+    include /etc/nginx/templates/content.conf;
+    include /etc/nginx/templates/letsencrypt.conf;
+}
+

certbot4mail/examples/nginx/templates/content.conf

@@ -0,0 +1,11 @@
+  error_page 404 /404.html;
+   error_page 500 502 503 504 /50x.html;
+
+ location ~* \.(css|js|jpg|jpeg|gif|png|ico|txt|woff|otf|eot|svg|ttf|html|xml|css|js)$ {
+   expires 30d;
+   error_page 404 @notfound;
+ }
+
+ location = /50x.html {
+   root /usr/share/nginx/html;
+ }

certbot4mail/examples/nginx/templates/index_php.conf

@@ -0,0 +1,9 @@
+ location / {
+   if ($http_host ~* "^www\.(.+)$"){
+   rewrite ^(.*)$ http://%1/$1 redirect; 
+   } 
+   if (!-e $request_filename){ 
+   rewrite ^(.*)$ /index.php; 
+   }
+   index   index.htm index.html index.php;
+ }

certbot4mail/examples/nginx/templates/letsencrypt.conf

@@ -0,0 +1,9 @@
+location /.well-known {
+   allow all;
+   default_type "text/plain";
+   alias /home/wwwmails/letsencrypt/.well-known;
+ }
+
+ location = /.well-known {
+   return 404;
+ }

certbot4mail/examples/nginx/templates/php7.x-fpm.conf

@@ -0,0 +1,19 @@
+location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+   deny all;
+}
+
+location ~ ^/(bin|SQL)/ {
+   deny all;
+}
+
+location ~ \.php$ {
+   try_files $uri $uri/ /index.php =404;
+   fastcgi_pass  localhost:9000;
+   fastcgi_index index.php;
+   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+   include fastcgi_params;
+}
+
+location ~ /.ht {
+    deny all;
+}

certbot4mail/examples/nginx/templates/proxy.conf

@@ -0,0 +1,13 @@
+proxy_redirect              off;
+proxy_set_header            Host $host;
+proxy_set_header            X-Real-IP $remote_addr;
+proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+client_max_body_size        10m;
+client_body_buffer_size     128k;
+proxy_connect_timeout       90;
+proxy_send_timeout          90;
+proxy_read_timeout          90;
+proxy_buffer_size           4k;
+proxy_buffers               4 32k;
+proxy_busy_buffers_size     64k;
+proxy_temp_file_write_size  64k;