use certbot file hooks instead of command line hooks

This commit is contained in:
Feilner 2021-02-15 19:02:26 +01:00
parent 2988ac4a5f
commit 78bae9dd49
6 changed files with 41 additions and 22 deletions


@ -207,6 +207,7 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel
* If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation. * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
* After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`). * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
* Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances. * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
* It's possible to extend default renewal-hooks `/etc/letsencrypt/renewal-hooks/*` they are executed in sorted order.
### Security and password protection ### Security and password protection
* The container detects changes to url and subdomains, revokes existing certs and generates new ones during start. * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time


@ -7,21 +7,5 @@ echo
echo "<------------------------------------------------->" echo "<------------------------------------------------->"
echo "cronjob running on "$(date) echo "cronjob running on "$(date)
echo "Running certbot renew" echo "Running certbot renew"
if [ "$ORIGVALIDATION" = "dns" ] || [ "$ORIGVALIDATION" = "duckdns" ]; then certbot -n renew
certbot -n renew \
--post-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -h /var/run/s6/services/nginx; fi; \
cd /config/keys/letsencrypt && \
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \
sleep 1 && \
cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \
chown -R abc:abc /config/etc/letsencrypt"
else
certbot -n renew \
--pre-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi" \
--post-hook "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; \
cd /config/keys/letsencrypt && \
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \
sleep 1 && \
cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \
chown -R abc:abc /config/etc/letsencrypt"
fi


@ -0,0 +1,9 @@
#!/usr/bin/with-contenv bash
. /config/.donoteditthisfile.conf
cd /config/keys/letsencrypt
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
sleep 1
cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem
chown -R abc:abc /config/etc/letsencrypt
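Review bot: The `cd /config/keys/letsencrypt` in this new deploy hook is unchecked and the script sets no `set -e`, so if that directory is missing the `openssl`, `cat` and `chown` steps run in whatever working directory certbot (or the `run-parts` call in the run script) started the hook from, and the `cat` redirection creates a `priv-fullchain-bundle.pem` there — empty if the inputs are absent — with nothing but certbot's hook output to show it. Change it to `cd /config/keys/letsencrypt || exit 1` so a failed deploy is reported rather than silently leaving stale or misplaced files. The `sleep 1` between the export and the bundle step has no stated reason; a one-line comment saying why it is needed would help the next maintainer. Note also that both files written here carry the private key (`privkey.pfx` is exported with an empty password), so it is worth confirming that the `chown -R abc:abc /config/etc/letsencrypt` line actually covers `/config/keys/letsencrypt` — it does only if that path resolves inside the chowned tree, which this file does not show.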


@ -0,0 +1,13 @@
#!/usr/bin/with-contenv bash
. /config/.donoteditthisfile.conf
if [ "$ORIGVALIDATION" = "dns" ] || [ "$ORIGVALIDATION" = "duckdns" ]; then
if ps aux | grep [n]ginx: > /dev/null; then
s6-svc -h /var/run/s6/services/nginx
fi
else
if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then
s6-svc -u /var/run/s6/services/nginx
fi
fi
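Review bot: The `ps aux | grep [n]ginx:` test in the dns branch of this post hook leaves the bracket expression unquoted, so the shell treats it as a glob against the hook's working directory; a file named `nginx:` there turns it into a plain `grep nginx:`, which then also matches the grep process itself and makes the check always succeed. The http branch detects nginx a different way (`grep 's6-supervise nginx' | grep -v grep`), so the two branches are also inconsistent. Quote the pattern and use the same self-excluding form in both: `if ps aux | grep -q '[n]ginx:'; then` and `if ps aux | grep -q '[s]6-supervise nginx'; then`. The same unquoted `grep [n]ginx:` appears in the new pre hook as well. If `pgrep` is available in the image, `pgrep -f` would replace both pipelines, but nothing on this page shows whether it is.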


@ -0,0 +1,9 @@
#!/usr/bin/with-contenv bash
. /config/.donoteditthisfile.conf
if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then
if ps aux | grep [n]ginx: > /dev/null; then
s6-svc -d /var/run/s6/services/nginx
fi
fi


@ -35,7 +35,7 @@ done
# make our folders and links # make our folders and links
mkdir -p \ mkdir -p \
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt/renewal-hooks,fail2ban,crontabs,dns-conf,geoip2db} \
/var/run/fail2ban /var/run/fail2ban
rm -rf /etc/letsencrypt rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt
@ -81,6 +81,11 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
[[ ! -f /config/www/502.html ]] && [[ ! -f /config/www/502.html ]] &&
cp /defaults/502.html /config/www/502.html cp /defaults/502.html /config/www/502.html
# copy default renewal hooks
chmod -R +x /defaults/renewal-hooks
cp -nR /defaults/renewal-hooks/* /etc/letsencrypt/renewal-hooks/
chown -R abc:abc /config/renewal-hooks
# remove lua bits from nginx.conf if not done before # remove lua bits from nginx.conf if not done before
if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
echo "Removing lua specific info from nginx.conf" echo "Removing lua specific info from nginx.conf"
@ -314,9 +319,7 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
fi fi
sleep infinity sleep infinity
fi fi
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: run-parts /etc/letsencrypt/renewal-hooks/deploy/
sleep 1
cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
echo "New certificate generated; starting nginx" echo "New certificate generated; starting nginx"
else else
echo "Certificate exists; parameters unchanged; starting nginx" echo "Certificate exists; parameters unchanged; starting nginx"
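Review bot: `chown -R abc:abc /config/renewal-hooks` in the second hunk points at a path nothing on this page creates; the hooks were just copied into `/etc/letsencrypt/renewal-hooks/`, which the first hunk provisions as `/config/etc/letsencrypt/renewal-hooks` behind the `/etc/letsencrypt` symlink, so this chown most likely fails with a "No such file" message (the script has no `set -e`, so it carries on) and the copied hooks keep their original ownership. It should read `chown -R abc:abc /config/etc/letsencrypt/renewal-hooks`. Two hedged points on the third hunk's `run-parts /etc/letsencrypt/renewal-hooks/deploy/`: common run-parts implementations skip files whose names contain characters outside `[A-Za-z0-9_-]` (a `.sh` suffix is enough), so the hook filenames, which are not visible here, need checking against that rule, and the exit status is not examined, so a failing deploy hook on first issuance still falls through to "New certificate generated; starting nginx". The `cp -nR` keeps a user's edited hooks intact, which is presumably the intent, but it also means later fixes to the default hooks never reach an existing install; a comment stating that trade-off next to the copy would be useful.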