diff --git a/dev_start.sh b/dev_start.sh
index 1b86f87..3b39b38 100755
--- a/dev_start.sh
+++ b/dev_start.sh
@@ -52,7 +52,7 @@ do_sudo () {
 sudo ls &> /dev/null
 SUDO=1
 fi
- sudo bash -c "$1"
+ sudo bash -c "$@"
 }
 if ! commands_exist "${CMDS}"; then
@@ -70,6 +70,10 @@ for PLUGIN in "${VAGRANT_PLUGINS_REQUIRED[@]}"; do
 fi
 done
+if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
+ do_sudo "echo '192.168.33.222 testsite.nl' >> /etc/hosts"
+fi
+
 log "Starting Boulder CA server instance.."
 if vagrant up boulder; then
 log "Starting LE HAProxy client vm.."
diff --git a/provisioning_client.sh b/provisioning_client.sh
index b3aa4d2..2971ab1 100644
--- a/provisioning_client.sh
+++ b/provisioning_client.sh
@@ -8,7 +8,8 @@ apt-get upgrade -y
 apt-get install -y \
 sudo htop net-tools tcpdump ufw git haproxy tmux watch curl wget \
 openssl ca-certificates build-essential libffi-dev \
- python python-setuptools python-dev libssl-dev
+ python python-setuptools python-dev libssl-dev apache2
+
 apt-get install -y -t jessie-backports certbot
 pip install --upgrade setuptools
@@ -19,6 +20,7 @@ pip install virtualenv
 ufw allow ssh
 ufw allow http
 ufw allow https
+ufw allow 8080
 ufw default deny incoming
 ufw --force enable
@@ -37,6 +39,7 @@ ${PROJECT_SERVER_IP} le1.wtf
 ${PROJECT_SERVER_IP} le2.wtf
 ${PROJECT_SERVER_IP} le3.wtf
 ${PROJECT_SERVER_IP} nginx.wtf
+${PROJECT_SERVER_IP} testsite.nl
 EOF
 mkdir -p "/${PROJECT_NAME}/working/logs"
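Review bot: `sudo bash -c "$@"` does not join extra arguments into the command string; `bash -c` takes only its first operand as the script and binds any further operands to `$0`, `$1`, …, so `do_sudo cmd arg` would run `cmd` without `arg`. The change therefore only behaves like the old `"$1"` as long as every caller passes a single quoted string, as the hosts-file hunk below does. If an argument vector is the goal, `sudo -- "$@"` with callers written as `do_sudo sh -c '…'` is the form that keeps quoting intact; otherwise `"$1"` was the honest signature and a comment such as `# takes ONE argument: a shell command string run as root` would prevent the next misuse. do_sudo's header and the `sudo -n` check are outside the hunk.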
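Review bot: The new block in the `@@ -70` hunk rewrites name resolution for `testsite.nl`, a registrable `.nl` name, on the developer's own workstation, and nothing in the script removes it again; the same name is written into the guests by the `@@ -37` hunk of provisioning_client.sh and by provisioning_server.sh. A name under a reserved TLD such as `.test` (RFC 6761) cannot shadow a real host, and if the name must stay a comment like `# NOTE: persistent change to the host's /etc/hosts; remove the testsite.nl line by hand when done` belongs above the `if`. The `grep -Fxq` guard is exact-line, so an entry with different spacing is not detected and a duplicate line is appended; harmless for resolution, but worth knowing when debugging.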
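Review bot: `ufw allow 8080` in the `@@ -19` hunk exposes the Apache backend on every interface, although the HAProxy config added in the `@@ -74` hunk only reaches it via 127.0.0.1:8080 and ufw's stock rules already accept loopback traffic, so the rule is not needed for the proxy path. With it, any client on the network can reach port 8080 directly and bypass HAProxy, including the `is_letsencrypt` ACL and any future TLS bind or HTTPS redirect. I would drop the line; if direct access is wanted for debugging, limit it to TCP and the host network, e.g. `ufw allow proto tcp from <host-network>/24 to any port 8080`, since the bare `8080` form also opens UDP.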
@@ -74,6 +77,107 @@ alias la='ls -A'
 alias l='ls -CF'
 EOF
+# Allow haproxy to read the dirs of the le plugin
+# TODO: Does this even work with the `chroot` directive?
+usermod -a -G vagrant haproxy
+
+cat < /etc/haproxy/haproxy.cfg
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # Cipher suites chosen by following logic:
+ # - Bits of security 128>256 (weighing performance vs added security)
+ # - Key exchange: EECDH>DHE (faster first)
+ # - Mode: GCM>CBC (streaming cipher over block cipher)
+ # - Ephemeral: All use ephemeral key exchanges
+ # - Explicitly disable weak ciphers and SSLv3
+ ssl-default-bind-ciphers AES128+AESGCM+EECDH:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!SHA:!MD5:!RC4:!DES:!DSS
+ ssl-default-bind-options no-sslv3
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend http-in
+ bind *:80
+ mode http
+ # LE HAProxy installer should combine certs and place them here..
+ # Uncomment when ready.. Needs ACL to work per site.
+ # bind *:443 ssl crt /lehaproxy/working/certs/
+
+ acl is_letsencrypt path_beg -i /.well-known/acme-challenge
+ use_backend letsencrypt if is_letsencrypt
+
+ # IF redirect is to be used, uncomment the next line
+ # redirect scheme https if !{ ssl_fc } and testsite.nl
+ default_backend nodes
+
+backend letsencrypt
+ log global
+ mode http
+ server letsencrypt 127.0.0.1:8000
+
+backend nodes
+ log global
+ mode http
+ option tcplog
+ balance roundrobin
+ option forwardfor
+ option http-server-close
+ option httpclose
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request add-header X-Forwarded-Proto https if { ssl_fc }
+ option httpchk HEAD / HTTP/1.1\r\nHost:localhost
+ server node1 127.0.0.1:8080 check
+ server node2 127.0.0.1:8080 check
+ server node3 127.0.0.1:8080 check
+ server node4 127.0.0.1:8080 check
+EOF
+cat < /etc/apache2/sites-enabled/000-default.conf
+
+ ServerName testsite.nl
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ LogLevel error
+
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+EOF
+
+cat < /etc/apache2/ports.conf
+Listen 8080
+EOF
+
+systemctl restart apache2
+systemctl restart haproxy
+
 #cat < /etc/systemd/system/letsencrypt.timer
 #[Unit]
 #Description=Run Let's Encrypt every 12 hours
diff --git a/provisioning_server.sh b/provisioning_server.sh
index db0d070..928c32a 100644
--- a/provisioning_server.sh
+++ b/provisioning_server.sh
@@ -30,6 +30,15 @@ fi
 if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then
 echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts
 fi
+if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
+ echo '192.168.33.222 testsite.nl' >> /etc/hosts
+fi
+
+cat <> /root/.bashrc
+alias ll='ls -lah'
+alias la='ls -A'
+alias l='ls -CF'
+EOF
 source ~/.variables
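Review bot: `usermod -a -G vagrant haproxy` at the top of the `@@ -74` hunk grants the proxy's unprivileged runtime user read access to everything the vagrant group can read, including whatever ends up under /lehaproxy/working/certs/, and the TODO on the line before already doubts it achieves anything. As far as I know HAProxy loads `crt` material while parsing the configuration, before it chroots and switches to `user haproxy`, so no group membership is needed even once the commented `bind *:443 ssl crt …` line is enabled; I would drop the usermod and its comment and revisit only if a concrete read error appears. In `backend nodes`, `server node1` through `node4` all point at 127.0.0.1:8080, so `balance roundrobin` distributes nothing and Apache receives four `httpchk` probes per interval — one `server` line says the same thing. The heredoc openers are garbled in this view (`cat < /etc/haproxy/haproxy.cfg`, and the Apache `VirtualHost` open/close tags are missing), presumably `cat <<EOF > …` in the real file; the escaped `\${APACHE_LOG_DIR}` shows the delimiter is unquoted, so writing the HAProxy block as `cat <<'EOF' > /etc/haproxy/haproxy.cfg` would make it explicit that `%[dst_port]`, `{ ssl_fc }` and `\r\n` are meant literally.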
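Review bot: The alias block in the provisioning_server.sh hunk is appended to /root/.bashrc unconditionally, unlike the /etc/hosts entries a few lines above that are guarded with `grep -Fxq`, so every re-provision of the VM adds another copy of the three aliases. Guard it the same way, e.g. `if ! grep -Fxq "alias ll='ls -lah'" /root/.bashrc; then` around the `cat` and a closing `fi`. The opener shows as `cat <> /root/.bashrc` in this view, presumably `cat <<EOF >> /root/.bashrc` in the real file; the aliases contain no expansions, so either a quoted or unquoted delimiter produces the same bytes.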