|
|
|
@ -101,6 +101,46 @@ function import_certbot { |
|
|
|
echo OK |
|
|
|
fi |
|
|
|
|
|
|
|
# add options-ssl-nginx.conf |
|
|
|
if [[ ! -f /etc/letsencrypt/options-ssl-nginx.conf ]]; then |
|
|
|
tee /etc/letsencrypt/options-ssl-nginx.conf <<EOF |
|
|
|
# This file contains important security parameters. If you modify this file |
|
|
|
# manually, Certbot will be unable to automatically provide future security |
|
|
|
# updates. Instead, Certbot will print and log an error message with a path to |
|
|
|
# the up-to-date file that you will need to refer to when manually updating |
|
|
|
# this file. Contents are based on https://ssl-config.mozilla.org |
|
|
|
|
|
|
|
ssl_session_cache shared:le_nginx_SSL:10m; |
|
|
|
ssl_session_timeout 1440m; |
|
|
|
ssl_session_tickets off; |
|
|
|
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3; |
|
|
|
ssl_prefer_server_ciphers off; |
|
|
|
|
|
|
|
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; |
|
|
|
EOF |
|
|
|
echo 'options-ssl-nginx.conf created!' |
|
|
|
else |
|
|
|
echo 'options-ssl-nginx.conf already there!' |
|
|
|
fi |
|
|
|
|
|
|
|
# add ssl-dhparams.pem |
|
|
|
if [[ ! -f /etc/letsencrypt/ssl-dhparams.pem ]]; then |
|
|
|
tee /etc/letsencrypt/ssl-dhparams.pem <<EOF |
|
|
|
-----BEGIN DH PARAMETERS----- |
|
|
|
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz |
|
|
|
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a |
|
|
|
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 |
|
|
|
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi |
|
|
|
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD |
|
|
|
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== |
|
|
|
-----END DH PARAMETERS----- |
|
|
|
EOF |
|
|
|
echo 'ssl-dhparams.pem created!' |
|
|
|
else |
|
|
|
echo 'ssl-dhparams.pem already there!' |
|
|
|
fi |
|
|
|
|
|
|
|
# change nginx |
|
|
|
if ! grep -Pq '^\s+listen 443' /etc/nginx/sites-enabled/sympa.conf; then |
|
|
|
tee /etc/nginx/sites-available/sympa.conf <<EOF |
|
|
|
@ -114,8 +154,10 @@ server { |
|
|
|
listen 443; |
|
|
|
server_name _; |
|
|
|
|
|
|
|
ssl_certificate /etc/letsencrypt/live/\$host/cert.pem; |
|
|
|
ssl_certificate /etc/letsencrypt/live/\$host/fullchain.pem; |
|
|
|
ssl_certificate_key /etc/letsencrypt/live/\$host/privkey.pem; |
|
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; |
|
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; |
|
|
|
|
|
|
|
rewrite ^/$ /wws permanent; |
|
|
|
|
|
|
|
@ -138,7 +180,8 @@ server { |
|
|
|
} |
|
|
|
} |
|
|
|
EOF |
|
|
|
nginx -t && systemctl reload nginx |
|
|
|
nginx -t |
|
|
|
systemctl reload nginx |
|
|
|
echo host for nginx installed successfully! |
|
|
|
else |
|
|
|
echo host SSL nginx already activated! |
|
|
|
|
