
@alvin2ye
Created June 21, 2019 03:30


  1. alvin2ye created this gist Jun 21, 2019.
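--- a/register_centos_https
+++ b/register_centos_https
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+set -e
+
+echo "=== init folder ==="
+
+mkdir -p /var/www/letsencrypt
+mkdir -p /root/ssl
+
+echo "=== <%= domain %>.conf ==="
+
+cat <<EOF >> /etc/nginx/conf.d/<%= domain %>.conf
+server {
+listen 80;
+server_name <%= domain %>;
+location ^~ /.well-known/acme-challenge/ {
+default_type "text/plain";
+root /var/www/letsencrypt;
+}
+location / {
+return 301 https://<%= domain %>\$request_uri;
+}
+}
+EOF
+
+echo "=== nginx ==="
+
+nginx -s reload
+sleep 2
+
+
+echo "=== renew ssl ==="
+
+/root/.acme.sh/acme.sh --issue -d <%= domain %> -w /var/www/letsencrypt --issue -d <%= domain %> -w /var/www/letsencrypt
+
+echo "=== copy ssl cert ==="
+
+/root/.acme.sh/acme.sh --issue -d <%= domain %> -w /var/www/letsencrypt --installcert -d <%= domain %> \
+--keypath /root/ssl/<%= domain %>.key \
+--fullchainpath /root/ssl/<%= domain %>.key.pem \
+--reloadcmd "nginx -s reload"
+
+echo "=== append https to nginx config ==="
+
+cat <<EOF >> /etc/nginx/sites-enabled/<%= domain %>.conf
+server {
+server_name <%= domain %>;
+listen 443 ssl;
+gzip on;
+gzip_proxied any;
+gzip_types text/css text/javascript text/xml text/plain application/javascript application/x-javascript application/json;
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+ssl_certificate /root/ssl/<%= domain %>.key.pem;
+ssl_certificate_key /root/ssl/<%= domain %>.key;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+# buffer larger messages
+client_max_body_size 0;
+location / {
+proxy_http_version 1.1;
+proxy_set_header Host \$http_host;
+proxy_set_header Upgrade \$http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Forwarded-Proto \$scheme;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Real-IP \$remote_addr;
+proxy_pass http://localhost:<%= docker_http_port %>;
+}
+}
+EOF
+
+echo "=== nginx reload ==="
+
+nginx -s reload
+sleep 2
+
+echo "=== test ==="
+
+curl -I https://<%= domain %>
+echo ""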
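Review bot: The `/root/.acme.sh/acme.sh --issue ...` line under "renew ssl" passes `--issue -d <%= domain %> -w /var/www/letsencrypt` twice, and the `--installcert` invocation under "copy ssl cert" carries the same `--issue -d ... -w ...` prefix, which reads like a copy-paste slip; the first line should be `/root/.acme.sh/acme.sh --issue -d <%= domain %> -w /var/www/letsencrypt` and the second should start `/root/.acme.sh/acme.sh --installcert -d <%= domain %> \`. Both `cat <<EOF >>` heredocs append, so every re-run adds another copy of each server block (nginx then warns about conflicting server names), and the HTTP block is written to `/etc/nginx/conf.d/` while the HTTPS block goes to `/etc/nginx/sites-enabled/` — presumably one directory is intended, and writing with `>` would make the script idempotent. `/root/ssl` is created by `mkdir -p` with the umask's default mode, so the private key that `--keypath` installs there inherits whatever that is; `install -d -m 0700 /root/ssl` pins it regardless of umask. `<%= domain %>` is rendered unquoted into the shell command lines and the nginx config, so the templating side should validate it as a hostname before this script is generated. The `--fullchainpath` target is named `<%= domain %>.key.pem` although it holds the certificate chain, so renaming it to `<%= domain %>.fullchain.pem` (and the matching `ssl_certificate` line) would keep key and cert from being confused.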