BitMaster/LEMPer
1
0
Fork 0
mirror of https://github.com/joglomedia/LEMPer.git synced 2026-04-11 23:48:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
master
LEMPer/lib/lemper-manage.sh
Edi Septriyanto 7f0afdd7b3
Some checks are pending
lemper-stack / ubuntu-focal (push) Waiting to run
Details
lemper-stack / ubuntu-latest (push) Waiting to run
Details
Improve cli command
2025-01-22 01:57:32 +07:00

964 lines
33 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# +-------------------------------------------------------------------------+
# | LEMPer CLI - Virtual Host (Site) Manager |
# +-------------------------------------------------------------------------+
# | Copyright (c) 2014-2024 MasEDI.Net (https://masedi.net/lemper) |
# +-------------------------------------------------------------------------+
# | This source file is subject to the GNU General Public License |
# | that is bundled with this package in the file LICENSE.md. |
# | |
# | If you did not receive a copy of the license and are unable to |
# | obtain it through the world-wide-web, please send an email |
# | to license@lemper.cloud so we can send you a copy immediately. |
# +-------------------------------------------------------------------------+
# | Authors: Edi Septriyanto <me@masedi.net> |
# +-------------------------------------------------------------------------+
# Version control.
CMD_PARENT="${PROG_NAME}"
CMD_NAME="manage"
# Make sure only root can access and not direct access.
if [[ "$(type -t requires_root)" != "function" ]]; then
echo "Direct access to this script is not permitted."
exit 1
fi
##
# Main Functions
##
##
# Show usage
# output to STDERR.
##
function show_usage() {
cat <<- EOL
${CMD_PARENT} ${CMD_NAME} ${PROG_VERSION}
LEMPer Stack virtual host (vhost) manager,
enable, disable, remove Nginx vhost on Debian/Ubuntu server.
Requirements:
* LEMP stack setup uses [LEMPer](https://github.com/joglomedia/LEMPer)
Usage:
${CMD_PARENT} ${CMD_NAME} [OPTION]...
Options:
-b, --enable-brotli <vhost domain name>
Enable Brotli compression.
-c, --enable-fastcgi-cache <vhost domain name>
Enable FastCGI cache.
--disable-fastcgi-cache <vhost domain name>
Disable FastCHI cache.
-d, --disable <vhost domain name>
Disable virtual host.
-e, --enable <vhost domain name>
Enable virtual host.
-f, --enable-fail2ban <vhost domain name>
Enable fail2ban jail.
--disable-fail2ban <vhost domain name>
Disable fail2ban jail.
-g, --enable-gzip <vhost domain name>
Enable Gzip compression.
--disable-compression <vhost domain name>
Disable Gzip/Brotli compression.
-r, --remove <vhost domain name>
Remove virtual host configuration.
-s, --enable-ssl <vhost domain name>
Enable HTTP over SSL with Let's Encrypt.
-w, --enforce-non-www <vhost domain name>
Redirect www to non www host.
--disable-ssl <vhost domain name>
Disable HTTP over SSL.
--remove-ssl <vhost domain name>
Remove SSL certificate.
--renew-ssl <vhost domain name>
Renew SSL certificate.
-h, --help
Print this message and exit.
-v, --version
Output version information and exit.
Example:
${CMD_PARENT} ${CMD_NAME} --remove example.com
For more informations visit https://masedi.net/lemper
Mail bug reports and suggestions to <me@masedi.net>
EOL
}
##
# Enable vhost.
##
function enable_vhost() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Enabling virtual host: ${DOMAIN}..."
# Enable Nginx's vhost config.
if [[ ! -f "/etc/nginx/sites-enabled/${DOMAIN}.conf" && -f "/etc/nginx/sites-available/${DOMAIN}.conf" ]]; then
run ln -s "/etc/nginx/sites-available/${DOMAIN}.conf" "/etc/nginx/sites-enabled/${DOMAIN}.conf"
success "Your virtual host ${DOMAIN} has been enabled..."
reload_nginx
else
fail "${DOMAIN} couldn't be enabled. Probably, it has been enabled or not created yet."
exit 1
fi
}
##
# Disable vhost.
##
function disable_vhost() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Disabling virtual host: ${DOMAIN}..."
# Disable Nginx's vhost config.
if [[ -f "/etc/nginx/sites-enabled/${DOMAIN}.conf" ]]; then
run unlink "/etc/nginx/sites-enabled/${DOMAIN}.conf"
success "Your virtual host ${DOMAIN} has been disabled..."
reload_nginx
else
fail "${DOMAIN} couldn't be disabled. Probably, it has been disabled or removed."
exit 1
fi
}
##
# Remove vhost.
##
function remove_vhost() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Removing virtual host is not reversible."
read -t 30 -rp "Press [Enter] to continue..." </dev/tty
# Get web root path from vhost config, first.
local WEBROOT && \
WEBROOT=$(grep -wE "set\ \\\$root_path" "/etc/nginx/sites-available/${DOMAIN}.conf" | awk '{print $3}' | cut -d'"' -f2)
# Remove Nginx's vhost config.
[[ -f "/etc/nginx/sites-enabled/${DOMAIN}.conf" ]] && \
run unlink "/etc/nginx/sites-enabled/${DOMAIN}.conf"
[[ -f "/etc/nginx/sites-available/${DOMAIN}.conf" ]] && \
run rm -f "/etc/nginx/sites-available/${DOMAIN}.conf"
[[ -f "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf" ]] && \
run rm -f "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf"
[[ -f "/etc/nginx/sites-available/${DOMAIN}.ssl-conf" ]] && \
run rm -f "/etc/nginx/sites-available/${DOMAIN}.ssl-conf"
[[ -f "/etc/lemper/vhost.d/${DOMAIN}.conf" ]] && \
run rm -f "/etc/lemper/vhost.d/${DOMAIN}.conf"
# If we have local domain setup in hosts file, remove it.
if grep -qwE "${DOMAIN}" "/etc/hosts"; then
info "Domain ${DOMAIN} found in your hosts file. Removing now...";
run sed -i".backup" "/${DOMAIN}/d" "/etc/hosts"
fi
success "Virtual host configuration file removed."
# Remove vhost root directory.
read -rp "Do you want to delete website root directory? [y/n]: " -e DELETE_DIR
# Fix web root path for framework apps that use 'public' directory.
WEBROOT=$(echo "${WEBROOT}" | sed '$ s|\/public$||')
if [[ "${DELETE_DIR}" == Y* || "${DELETE_DIR}" == y* ]]; then
if [[ ! -d "${WEBROOT}" ]]; then
read -rp "Enter real path to website root directory: " -i "${WEBROOT}" -e WEBROOT
fi
if [[ -d "${WEBROOT}" ]]; then
run rm -fr "${WEBROOT}"
success "Virtual host root directory removed."
else
info "Sorry, directory couldn't be found. Skipped..."
fi
fi
# Drop MySQL database.
read -rp "Do you want to Drop database associated with this domain? [y/n]: " -e DROP_DB
if [[ "${DROP_DB}" == Y* || "${DROP_DB}" == y* ]]; then
until [[ "${MYSQL_USER}" != "" ]]; do
read -rp "MySQL Username: " -e MYSQL_USER
done
until [[ "${MYSQL_PASS}" != "" ]]; do
echo -n "MySQL Password: "; stty -echo; read -r MYSQL_PASS; stty echo; echo
done
echo ""
echo "Please select your database below!"
echo "+-------------------------------+"
echo "| Database name "
echo "+-------------------------------+"
# Show user's databases
#run mysql -u "${MYSQL_USER}" -p"${MYSQL_PASS}" -e "SHOW DATABASES;" | grep -vE "Database|mysql|*_schema"
local DATABASES && \
DATABASES=$(mysql -u "${MYSQL_USER}" -p"${MYSQL_PASS}" -e "SHOW DATABASES;" | grep -vE "Database|mysql|*_schema")
if [[ -n "${DATABASES}" ]]; then
printf '%s\n' "${DATABASES}"
else
echo "No database found."
fi
echo "+-------------------------------+"
until [[ "${DBNAME}" != "" ]]; do
read -rp "MySQL Database: " -e DBNAME
done
if [[ -d "/var/lib/mysql/${DBNAME}" ]]; then
echo "Deleting database ${DBNAME}..."
run mysql -u "${MYSQL_USER}" -p"${MYSQL_PASS}" -e "DROP DATABASE ${DBNAME}"
success "Database '${DBNAME}' dropped."
else
info "Sorry, database ${DBNAME} not found. Skipped..."
fi
fi
echo "Virtual host ${DOMAIN} has been removed."
# Reload Nginx.
reload_nginx
}
##
# Enable fail2ban for virtual host.
##
function enable_fail2ban() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Enabling Fail2ban ${FRAMEWORK^} filter for ${DOMAIN}..."
# Get web root path from vhost config, first.
local WEBROOT && \
WEBROOT=$(grep -wE "set\ \\\$root_path" "/etc/nginx/sites-available/${DOMAIN}.conf" | awk '{print $3}' | cut -d'"' -f2)
if [[ ! -d ${WEBROOT} ]]; then
read -rp "Enter real path to website root directory containing your access_log file: " -i "${WEBROOT}" -e WEBROOT
fi
if [[ $(command -v fail2ban-client) && -f "/etc/fail2ban/filter.d/${FRAMEWORK}.conf" ]]; then
cat > "/etc/fail2ban/jail.d/${DOMAIN}.conf" <<EOL
[${1}]
enabled = true
port = http,https
filter = ${FRAMEWORK}
action = iptables-multiport[name=webapps, port="http,https", protocol=tcp]
logpath = ${WEBROOT}/logs/nginx/access_log
bantime = 7d
findtime = 5m
maxretry = 3
EOL
# Reload fail2ban
run service fail2ban reload
success "Fail2ban ${FRAMEWORK^} filter for ${DOMAIN} enabled."
else
info "Fail2ban or framework's filter is not installed. Please install it first!"
fi
}
##
# Disable fail2ban for virtual host.
##
function disable_fail2ban() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Disabling Fail2ban ${FRAMEWORK^} filter for ${DOMAIN}..."
if [[ $(command -v fail2ban-client) && -f "/etc/fail2ban/jail.d/${DOMAIN}.conf" ]]; then
run rm -f "/etc/fail2ban/jail.d/${DOMAIN}.conf"
run service fail2ban reload
success "Fail2ban ${FRAMEWORK^} filter for ${DOMAIN} disabled."
else
info "Fail2ban or framework's filter is not installed. Please install it first!"
fi
}
##
# Enable Nginx's fastcgi cache.
##
function enable_fastcgi_cache() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Enabling FastCGI cache for ${DOMAIN}..."
if [ -f /etc/nginx/includes/rules_fastcgi_cache.conf ]; then
# enable cached directives
run sed -i "s|#include\ /etc/nginx/includes/rules_fastcgi_cache.conf|include\ /etc/nginx/includes/rules_fastcgi_cache.conf|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
# enable fastcgi_cache conf
run sed -i "s|#include\ /etc/nginx/includes/fastcgi_cache.conf|include\ /etc/nginx/includes/fastcgi_cache.conf|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
# Reload Nginx.
reload_nginx
else
info "FastCGI cache is not enabled. There is no cached configuration."
exit 1
fi
}
##
# Disable Nginx's fastcgi cache.
##
function disable_fastcgi_cache() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Disabling FastCGI cache for ${DOMAIN}..."
if [ -f /etc/nginx/includes/rules_fastcgi_cache.conf ]; then
# enable cached directives
run sed -i "s|^\ include\ /etc/nginx/includes/rules_fastcgi_cache.conf|\ #include\ /etc/nginx/includes/rules_fastcgi_cache.conf|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
# enable fastcgi_cache conf
run sed -i "s|^\ include\ /etc/nginx/includes/fastcgi_cache.conf|\ #include\ /etc/nginx/includes/fastcgi_cache.conf|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
# Reload Nginx.
reload_nginx
else
info "FastCGI cache is not enabled. There is no cached configuration."
exit 1
fi
}
##
# Enable HTTPS (HTTP over SSL).
##
function enable_ssl() {
# Verify user input hostname (domain name).
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
if [[ ! -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]]; then
if [[ "${ENVIRONMENT}" == prod* ]]; then
echo "Certbot: Get Let's Encrypt certificate..."
# Get web root path from vhost config, first.
local WEBROOT && \
WEBROOT=$(grep -wE "set\ \\\$root_path" "/etc/nginx/sites-available/${DOMAIN}.conf" | awk '{print $3}' | cut -d'"' -f2)
# Certbot get Let's Encrypt SSL.
if [[ -n $(command -v certbot) ]]; then
# Is it wildcard vhost?
if grep -qwE "${DOMAIN}\ \*.${DOMAIN}" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
run certbot certonly --force-renewal --manual --noninteractive --manual-public-ip-logging-ok \
--preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos \
--webroot-path="${WEBROOT}" -d "${DOMAIN}" -d "*.${DOMAIN}"
else
run certbot certonly --force-renewal --webroot --noninteractive --preferred-challenges http --agree-tos \
--webroot-path="${WEBROOT}" -d "${DOMAIN}"
fi
else
fail "Certbot executable binary not found. Install it first!"
fi
else
# Self-signed SSL.
echo "Self-signed SSL: Generate SSL certificate..."
generate_selfsigned_ssl "${DOMAIN}"
if [ ! -d "/etc/letsencrypt/live/${DOMAIN}" ]; then
run mkdir -p "/etc/letsencrypt/live/${DOMAIN}"
run chmod 0700 /etc/letsencrypt/live
fi
run ln -sf "/etc/lemper/ssl/${DOMAIN}/cert.pem" "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" && \
run ln -sf "/etc/lemper/ssl/${DOMAIN}/privkey.pem" "/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
fi
# Generate Diffie-Hellman parameters.
if [ ! -f /etc/nginx/ssl/dhparam-2048.pem ]; then
echo "Generating Diffie-Hellman parameters for enhanced HTTPS/SSL security."
run openssl dhparam -out /etc/nginx/ssl/dhparam-2048.pem 2048
#run openssl dhparam -out /etc/nginx/ssl/dhparam-4096.pem 4096
fi
else
info "SSL certificates is already exists for ${DOMAIN}, trying to renew."
renew_ssl "${DOMAIN}"
fi
# Update vhost config.
if [[ "${DRYRUN}" != true ]]; then
# Ensure there is no HTTPS enabled server block.
if ! grep -qwE "^\ listen\ (\b[0-9]{1,3}\.){3}[0-9]{1,3}\b:443\ ssl" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
# Make backup first.
run cp -f "/etc/nginx/sites-available/${DOMAIN}.conf" "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf"
# Change listening port to 443.
if grep -qwE "^\ listen\ (\b[0-9]{1,3}\.){3}[0-9]{1,3}\b:80" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
run sed -i "s/\:80/\:443\ ssl/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
fi
run sed -i "s/listen\ 80/listen\ 443\ ssl/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
run sed -i "s/listen\ \[::\]:80/listen\ \[::\]:443\ ssl/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
# Enable SSL configs.
run sed -i "s/http2\ off/http2\ on/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
run sed -i "s/#ssl_certificate/ssl_certificate/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
run sed -i "s/#ssl_certificate_key/ssl_certificate_key/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
run sed -i "s/#ssl_trusted_certificate/ssl_trusted_certificate/g" "/etc/nginx/sites-available/${DOMAIN}.conf"
run sed -i "s|#include\ /etc/nginx/includes/ssl.conf|include\ /etc/nginx/includes/ssl.conf|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
# Append HTTP <=> HTTPS redirection block.
cat >> "/etc/nginx/sites-available/${DOMAIN}.conf" <<EOL
## HTTP to HTTPS redirection.
server {
listen 80;
listen [::]:80;
## Make site accessible from world wide.
server_name ${1};
## Automatically redirect site to HTTPS protocol.
location / {
return 301 https://\$server_name\$request_uri;
}
}
EOL
reload_nginx
else
warning -e "\nOops, Nginx HTTPS server block already exists. Please inspect manually for further action!"
fi
else
info "Updating HTTPS config in dry run mode."
fi
}
##
# Disable HTTPS (HTTP over SSL).
##
function disable_ssl() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
# Update vhost config.
if [[ "${DRYRUN}" != true ]]; then
echo "Disabling HTTPS configuration..."
if [ -f "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf" ]; then
# Disable vhost first.
run unlink "/etc/nginx/sites-enabled/${DOMAIN}.conf"
# Backup ssl config.
[[ -f "/etc/nginx/sites-available/${DOMAIN}.conf" ]] && \
run mv "/etc/nginx/sites-available/${DOMAIN}.conf" "/etc/nginx/sites-available/${DOMAIN}.ssl-conf"
# Restore non ssl config.
[[ -f "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf" ]] && \
run mv "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf" "/etc/nginx/sites-available/${DOMAIN}.conf"
run ln -sf "/etc/nginx/sites-available/${DOMAIN}.conf" "/etc/nginx/sites-enabled/${DOMAIN}.conf"
reload_nginx
else
error "It seems that SSL is not yet enabled."
fi
else
info "Disabling HTTPS config in dry run mode."
fi
}
##
# Disable HTTPS and remove Let's Encrypt SSL certificate.
##
function remove_ssl() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
# Update vhost config.
if [[ "${DRYRUN}" != true ]]; then
# Disable HTTPS first.
echo "Disabling HTTPS configuration..."
if [ -f "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf" ]; then
# Disable vhost first.
run unlink "/etc/nginx/sites-enabled/${DOMAIN}.conf"
# Backup ssl config.
[[ -f "/etc/nginx/sites-available/${DOMAIN}.conf" ]] && \
run mv "/etc/nginx/sites-available/${DOMAIN}.conf" "/etc/nginx/sites-available/${DOMAIN}.ssl-conf"
# Restore non ssl config.
[[ -f "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf" ]] && \
run mv "/etc/nginx/sites-available/${DOMAIN}.nonssl-conf" "/etc/nginx/sites-available/${DOMAIN}.conf"
run ln -sf "/etc/nginx/sites-available/${DOMAIN}.conf" "/etc/nginx/sites-enabled/${DOMAIN}.conf"
else
error "It seems that SSL is not yet enabled."
fi
# Remove SSL config.
if [ -f "/etc/nginx/sites-available/${DOMAIN}.ssl-conf" ]; then
run rm "/etc/nginx/sites-available/${DOMAIN}.ssl-conf"
fi
# Remove SSL cert.
echo "Removing SSL certificate..."
if [[ "${ENVIRONMENT}" == prod* ]]; then
if [[ -n $(command -v certbot) ]]; then
run certbot delete --cert-name "${DOMAIN}"
else
fail "Certbot executable binary not found. Install it first!"
fi
else
if [ -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
run unlink "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
fi
if [ -f "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" ]; then
run unlink "/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
fi
if [ -d "/etc/letsencrypt/live/${DOMAIN}/" ]; then
run rm -rf "/etc/letsencrypt/live/${DOMAIN}/"
fi
if [ -d "/etc/lemper/ssl/${DOMAIN}/" ]; then
run rm -rf "/etc/lemper/ssl/${DOMAIN}/"
fi
fi
reload_nginx
else
info "SSL certificate removed in dry run mode."
fi
}
##
# Renew Let's Encrypt SSL certificate.
##
function renew_ssl() {
# Verify user input hostname (domain name)
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Renew SSL certificate..."
# Renew Let's Encrypt SSL using Certbot.
if [[ -d "/etc/letsencrypt/live/${DOMAIN}" ]]; then
if [[ "${ENVIRONMENT}" == prod* ]]; then
echo "Certbot: Renew Let's Encrypt certificate..."
# Get web root path from vhost config, first.
local WEBROOT && \
WEBROOT=$(grep -wE "set\ \\\$root_path" "/etc/nginx/sites-available/${DOMAIN}.conf" | awk '{print $3}' | cut -d'"' -f2)
# Certbot get Let's Encrypt SSL.
if [[ -n $(command -v certbot) ]]; then
# Is it wildcard vhost?
if grep -qwE "${DOMAIN}\ \*.${DOMAIN}" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
run certbot certonly --manual --agree-tos --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok --webroot-path="${WEBROOT}" -d "${DOMAIN}" -d "*.${DOMAIN}"
else
run certbot renew --cert-name "${DOMAIN}"
fi
else
fail "Certbot executable binary not found. Install it first!"
fi
else
# Re-generate self-signed certs.
generate_selfsigned_ssl "${DOMAIN}"
if [[ ! -d "/etc/letsencrypt/live/${DOMAIN}" ]]; then
run mkdir -p "/etc/letsencrypt/live/${DOMAIN}"
run chmod 0700 /etc/letsencrypt/live
fi
run ln -sf "/etc/lemper/ssl/${DOMAIN}/cert.pem" "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
run ln -sf "/etc/lemper/ssl/${DOMAIN}/privkey.pem" "/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
fi
else
info "Certificate file not found. May be your SSL is not activated yet."
fi
reload_nginx
}
##
# Enable Brotli compression module.
##
function enable_brotli() {
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
if [[ -f "/etc/nginx/sites-available/${DOMAIN}.conf" && -f /etc/nginx/modules-enabled/50-mod-http-brotli.conf ]]; then
echo "Enable Nginx Brotli compression..."
if grep -qwE "^\ include\ /etc/nginx/includes/compression_brotli.conf;" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
info "Brotli compression module already enabled."
exit 0
elif grep -qwE "^\ include\ /etc/nginx/includes/compression_gzip.conf;" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
echo "Found Gzip compression enabled, updating to Brotli..."
run sed -i "s|include\ /etc/nginx/includes/compression_[a-z]*\.conf;|include\ /etc/nginx/includes/compression_brotli.conf;|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
elif grep -qwE "^\ #include\ /etc/nginx/includes/compression_[a-z]*\.conf;" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
echo "Enabling Brotli compression module..."
run sed -i "s|#include\ /etc/nginx/includes/compression_[a-z]*\.conf;|include\ /etc/nginx/includes/compression_brotli.conf;|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
else
error "Sorry, we couldn't find any compression module section."
echo "We recommend you to enable Brotli module manually."
exit 1
fi
reload_nginx
else
error "Sorry, we can't find Nginx and Brotli module config file"
echo "it should be located under /etc/nginx/ directory."
exit 1
fi
}
##
# Enable Gzip compression module,
# enabled by default.
##
function enable_gzip() {
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
if [[ -f "/etc/nginx/sites-available/${DOMAIN}.conf" && -f /etc/nginx/includes/compression_gzip.conf ]]; then
echo "Enable Nginx Gzip compression..."
if grep -qwE "^\ include\ /etc/nginx/includes/compression_gzip.conf;" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
info "Gzip compression module already enabled."
exit 0
elif grep -qwE "^\ include\ /etc/nginx/includes/compression_brotli.conf;" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
echo "Found Brotli compression enabled, updating to Gzip..."
run sed -i "s|include\ /etc/nginx/includes/compression_[a-z]*\.conf;|include\ /etc/nginx/includes/compression_gzip.conf;|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
elif grep -qwE "^\ #include\ /etc/nginx/includes/compression_[a-z]*\.conf;" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
echo "Enabling Gzip compression module..."
run sed -i "s|#include\ /etc/nginx/includes/compression_[a-z]*\.conf;|include\ /etc/nginx/includes/compression_gzip.conf;|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
else
error "Sorry, we couldn't find any compression module section."
echo "We recommend you to enable Gzip module manually."
exit 1
fi
reload_nginx
else
error "Sorry, we can't find Nginx config file"
echo "it should be located under /etc/nginx/ directory."
exit 1
fi
}
##
# Disable Gzip/Brotli compression module
##
function disable_compression() {
local DOMAIN=${1}
verify_vhost "${DOMAIN}"
echo "Disabling compression module..."
if grep -qwE "^\ include\ /etc/nginx/includes/compression_[a-z]*\.conf" "/etc/nginx/sites-available/${DOMAIN}.conf"; then
run sed -i "s|include\ /etc/nginx/includes/compression_[a-z]*\.conf;|#include\ /etc/nginx/includes/compression_gzip.conf;|g" \
"/etc/nginx/sites-available/${DOMAIN}.conf"
else
error "Sorry, we couldn't find any enabled compression module."
exit 1
fi
reload_nginx
}
##
# Verify if virtual host exists.
##
function verify_vhost() {
if [[ -z "${1}" ]]; then
error "Virtual host (vhost) or domain name is required."
echo "See '${CMD_PARENT} ${CMD_NAME} --help' for more information."
exit 1
fi
if [[ "${1}" == "default" ]]; then
error "Modify/delete default virtual host is prohibitted."
exit 1
fi
if [[ ! -f "/etc/nginx/sites-available/${DOMAIN}.conf" ]]; then
error "Sorry, we couldn't find Nginx virtual host: ${1}..."
exit 1
fi
}
##
# Reload Nginx safely.
##
function reload_nginx() {
# Reload Nginx
echo "Reloading Nginx configuration..."
if [[ -e /var/run/nginx.pid ]]; then
if nginx -t > /dev/null 2>&1; then
service nginx reload -s > /dev/null 2>&1
else
error "Configuration couldn't be validated. Please correct the error below:";
nginx -t
exit 1
fi
# Nginx service dead? Try to start it.
else
if [[ -n $(command -v nginx) ]]; then
if nginx -t 2>/dev/null > /dev/null; then
service nginx restart > /dev/null 2>&1
else
error "Configuration couldn't be validated. Please correct the error below:";
nginx -t
exit 1
fi
else
info "Something went wrong with your LEMP stack installation."
exit 1
fi
fi
if [[ $(pgrep -c nginx) -gt 0 ]]; then
success "Your change has been successfully applied."
exit 0
else
fail "An error occurred when updating configuration.";
fi
}
##
# Generate sel-signed certificate.
##
function generate_selfsigned_ssl() {
# Verify user input hostname (domain name).
local DOMAIN=${1}
local SERVER_IP=${2:-$(get_ip_public)}
verify_vhost "${DOMAIN}"
if [ ! -d "/etc/lemper/ssl/${DOMAIN}" ]; then
run mkdir -p "/etc/lemper/ssl/${DOMAIN}"
fi
run sed -i "s|^CN\ =\ .*|CN\ =\ ${DOMAIN}|g" /etc/lemper/ssl/ca.conf && \
run sed -i "s|^CN\ =\ .*|CN\ =\ ${DOMAIN}|g" /etc/lemper/ssl/csr.conf && \
run sed -i "s|^DNS\.1\ =\ .*|DNS\.1\ =\ ${DOMAIN}|g" /etc/lemper/ssl/csr.conf && \
run sed -i "s|^DNS\.2\ =\ .*|DNS\.2\ =\ www\.${DOMAIN}|g" /etc/lemper/ssl/csr.conf && \
run sed -r -i "s|^IP.1\ =\ (\b[0-9]{1,3}\.){3}[0-9]{1,3}\b$|IP.1\ =\ ${SERVER_IP}|g" /etc/lemper/ssl/csr.conf && \
run sed -r -i "s|^IP.2\ =\ (\b[0-9]{1,3}\.){3}[0-9]{1,3}\b$|IP.2\ =\ ${SERVER_IP}|g" /etc/lemper/ssl/csr.conf && \
run sed -i "s|^DNS\.1\ =\ .*|DNS\.1\ =\ ${DOMAIN}|g" /etc/lemper/ssl/cert.conf
# Create Certificate Authority (CA).
run openssl req -x509 -sha256 -days 365000 -nodes -newkey rsa:2048 \
-keyout "/etc/lemper/ssl/${DOMAIN}/ca.key" -out "/etc/lemper/ssl/${DOMAIN}/ca.crt" \
-config /etc/lemper/ssl/ca.conf
CA_KEY_FILE="/etc/lemper/ssl/${DOMAIN}/ca.key"
CA_CRT_FILE="/etc/lemper/ssl/${DOMAIN}/ca.crt"
# Create Server Private Key.
run openssl genrsa -out "/etc/lemper/ssl/${DOMAIN}/privkey.pem" 2048 && \
# Generate Certificate Signing Request (CSR) using Server Private Key.
run openssl req -new -key "/etc/lemper/ssl/${DOMAIN}/privkey.pem" \
-out "/etc/lemper/ssl/${DOMAIN}/csr.csr" -config /etc/lemper/ssl/csr.conf
# Generate SSL certificate With self signed CA.
run openssl x509 -req -sha256 -days 365000 -CAcreateserial \
-CA "${CA_CRT_FILE}" -CAkey "${CA_KEY_FILE}" \
-in "/etc/lemper/ssl/${DOMAIN}/csr.csr" -out "/etc/lemper/ssl/${DOMAIN}/cert.pem" \
-extfile /etc/lemper/ssl/cert.conf
# Create chain file.
run cat "/etc/lemper/ssl/${DOMAIN}/cert.pem" "${CA_CRT_FILE}" >> \
"/etc/lemper/ssl/${DOMAIN}/fullchain.pem"
if [ -f "/etc/lemper/ssl/${DOMAIN}/cert.pem" ]; then
success "Self-signed SSL certificate has been successfully generated."
else
fail "An error occurred while generating self-signed SSL certificate."
fi
}
##
# Get server private IP Address.
##
function get_ip_private() {
local SERVER_IP_PRIVATE && \
SERVER_IP_PRIVATE=$(ip addr | grep 'inet' | grep -v inet6 | \
grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \
grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
echo "${SERVER_IP_PRIVATE}"
}
##
# Get server public IP Address.
##
function get_ip_public() {
local SERVER_IP_PRIVATE && SERVER_IP_PRIVATE=$(get_ip_private)
local SERVER_IP_PUBLIC && \
SERVER_IP_PUBLIC=$(curl -sk --connect-timeout 10 --retry 3 --retry-delay 0 http://ipecho.net/plain)
# Ugly hack to detect aws-lightsail public IP address.
if [[ "${SERVER_IP_PRIVATE}" == "${SERVER_IP_PUBLIC}" ]]; then
echo "${SERVER_IP_PRIVATE}"
else
echo "${SERVER_IP_PUBLIC}"
fi
}
##
# Main Manage CLI Wrapper
##
function init_lemper_manage() {
OPTS=$(getopt -o c:d:e:f:r:s:bghv \
-l enable:,disable:,remove:,enable-fail2ban:,disable-fail2ban:,enable-fastcgi-cache:,disable-fastcgi-cache: \
-l enable-ssl:,disable-ssl:,remove-ssl:,renew-ssl:,enable-brotli:,enable-gzip:,disable-compression:,help,version \
-n "${PROG_NAME}" -- "$@")
eval set -- "${OPTS}"
while true
do
case "${1}" in
-e | --enable)
enable_vhost "${2}"
shift 2
exit 0
;;
-d | --disable)
disable_vhost "${2}"
shift 2
exit 0
;;
-r | --remove)
remove_vhost "${2}"
shift 2
exit 0
;;
-c | --enable-fastcgi-cache)
enable_fastcgi_cache "${2}"
shift 2
exit 0
;;
--disable-fastcgi-cache)
disable_fastcgi_cache "${2}"
shift 2
exit 0
;;
-f | --enable-fail2ban)
enable_fail2ban "${2}"
shift 2
exit 0
;;
--disable-fail2ban)
disable_fail2ban "${2}"
shift 2
exit 0
;;
-s | --enable-ssl)
enable_ssl "${2}"
shift 2
exit 0
;;
--disable-ssl)
disable_ssl "${2}"
shift 2
exit 0
;;
--remove-ssl)
remove_ssl "${2}"
shift 2
exit 0
;;
--renew-ssl)
renew_ssl "${2}"
shift 2
exit 0
;;
-b | --enable-brotli)
enable_brotli "${2}"
shift 2
exit 0
;;
-g | --enable-gzip)
enable_gzip "${2}"
shift 2
exit 0
;;
--disable-compression)
disable_compression "${2}"
shift 2
exit 0
;;
-h | --help)
show_usage
shift 2
exit 0
;;
-v | --version)
echo "${PROG_NAME} version ${PROG_VERSION}"
shift 2
exit 0
;;
--)
# End of all options, shift to the next (non getopt) argument as $1.
shift
break
;;
*)
fail "Invalid argument: ${1}"
exit 1
;;
esac
done
echo "${CMD_PARENT} ${CMD_NAME}: missing required argument"
echo "See '${CMD_PARENT} ${CMD_NAME} --help' for more information."
}
# Start running things from a call at the end so if this script is executed
# after a partial download it doesn't do anything.
init_lemper_manage "$@"
Reference in New Issue View Git Blame Copy Permalink