ab-nginx/build/entrypoint.sh

146 lines
5.7 KiB
Bash
Raw Permalink Normal View History

2019-10-16 23:44:47 -06:00
#!/bin/sh
#
### ab-nginx entrypoint script
#
convertCase () {
2019-11-18 05:00:39 -07:00
printf "%s" "$1" | tr "[:lower:]" "[:upper:]"
}
# convert environment variables to UPPERCASE for proper string comparison
ACCESS_LOG=$(convertCase "$ACCESS_LOG")
HSTS=$(convertCase "$HSTS")
TLS13_ONLY=$(convertCase "$TLS13_ONLY")
# export new environment variables
export ACCESS_LOG=$ACCESS_LOG
export HSTS=$HSTS
export TLS13_ONLY=$TLS13_ONLY
### update configuration files with environment variables
# update server name list
printf "\nUpdating server name list... "
sed -i -e "s%<SERVER_NAMES>%${SERVER_NAMES}%" /etc/nginx/server_names.conf
printf "done\n"
2019-10-18 01:53:20 -06:00
# update access log global preference
if [ "$ACCESS_LOG" = 'OFF' ]; then
2019-10-18 02:01:47 -06:00
printf "Turning access log OFF... "
2019-11-17 23:55:54 -07:00
sed -i -e "s%<ACCESS_LOG_SETTING>%off%" /etc/nginx/nginx.conf
2019-10-18 01:53:20 -06:00
printf "done\n"
elif [ "$ACCESS_LOG" = 'ON' ]; then
2019-10-18 02:01:47 -06:00
printf "Turning access log ON... "
2019-10-18 01:53:20 -06:00
sed -i -e "s%<ACCESS_LOG_SETTING>%/var/log/nginx/access.log combined%" /etc/nginx/nginx.conf
printf "done\n"
fi
2019-10-17 21:43:28 -06:00
# update HTTPS redirect port if SSL server test block exists
if [ -f "/etc/nginx/sites/note" ]; then
2019-10-18 02:01:47 -06:00
printf "Updating port redirects... "
sed -i -e "s%<HTTPS_PORT>%${HTTPS_PORT}%" /etc/nginx/sites/05-secured.*
2019-10-18 01:55:50 -06:00
printf "done\n"
2019-10-17 21:43:28 -06:00
fi
# activate HSTS
if [ "$HSTS" = 'TRUE' ]; then
printf "Activating HSTS configuration... "
sed -i -e "s/^#add_header/add_header/" \
/etc/nginx/ssl-config/moz*
printf "done\n"
fi
# check whether TLS should be activated
if [ -f "/certs/fullchain.pem" ]; then
# activate SSL configuration as appropriate and only if certs exist
if [ "$TLS13_ONLY" = 'FALSE' ]; then
if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
printf "Certificates found. Securing deployment using TLS 1.2\n"
# check for dhparam file and generate, if necessary
if ! [ -f "/certs/dhparam.pem" ]; then
printf "Diffie-Hellman Parameters not found... generating (using Digital Signature Algorithm instead of Diffie-Hellman)...\n"
if ! openssl dhparam -dsaparam -out /certs/dhparam.pem 4096; then
printf "\n\nUnable to generate 'dhparam.pem'. Is your '/certs' directory writable by this container?\n"
printf "TLS version 1.2 requires DHParams (or DSAParams) in order to function securely. Exiting.\n\n"
exit 101
fi
printf "\nDSA-Params generated successfully\n"
fi
# activate shared SSL configuration file
if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then
mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
/etc/nginx/ssl-config/mozIntermediate_ssl.conf
fi
if [ -f "/etc/nginx/ssl-config/mozModern_ssl.conf" ]; then
mv /etc/nginx/ssl-config/mozModern_ssl.conf \
/etc/nginx/ssl-config/mozModern_ssl.conf.disabled
fi
# if using default setup, activate secured server block
if [ -f "/etc/nginx/sites/note" ]; then
if [ -f "/etc/nginx/sites/05-secured.conf.disabled" ]; then
mv /etc/nginx/sites/05-secured.conf.disabled \
/etc/nginx/sites/05-secured.conf
fi
if [ -f "/etc/nginx/sites/05-nonsecured.conf" ]; then
mv /etc/nginx/sites/05-nonsecured.conf \
/etc/nginx/sites/05-nonsecured.conf.disabled
fi
fi
fi
elif [ "$TLS13_ONLY" = 'TRUE' ]; then
if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
printf "Certificates found. Securing deployment using TLS 1.3\n"
# activate shared SSL configuration file
if [ -f "/etc/nginx/ssl-config/mozModern_ssl.conf.disabled" ]; then
mv /etc/nginx/ssl-config/mozModern_ssl.conf.disabled \
/etc/nginx/ssl-config/mozModern_ssl.conf
fi
if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf" ]; then
mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf \
/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled
fi
# if using default setup, activate secure server block
if [ -f "/etc/nginx/sites/note" ]; then
if [ -f "/etc/nginx/sites/05-secured.conf.disabled" ]; then
mv /etc/nginx/sites/05-secured.conf.disabled \
/etc/nginx/sites/05-secured.conf
fi
if [ -f "/etc/nginx/sites/05-nonsecured.conf" ]; then
mv /etc/nginx/sites/05-nonsecured.conf \
/etc/nginx/sites/05-nonsecured.conf.disabled
fi
fi
fi
fi
else
# ensure SSL configurations are disabled
for f in /etc/nginx/ssl-config/*; do mv "$f" "${f%%.*}.conf.disabled"; done
# if using default setup, ensure secure server block disabled
if [ -f "/etc/nginx/sites/note" ]; then
if [ -f "/etc/nginx/sites/05-secured.conf" ]; then
mv /etc/nginx/sites/05-secured.conf /etc/nginx/sites/05-secured.conf.disabled
fi
if [ -f "/etc/nginx/sites/05-nonsecured.conf.disabled" ]; then
mv /etc/nginx/sites/05-nonsecured.conf.disabled /etc/nginx/sites/05-nonsecured.conf
fi
fi
fi
2019-10-16 23:44:47 -06:00
2019-10-16 23:44:47 -06:00
# execute commands passed to this container
2019-10-18 01:55:50 -06:00
printf "\nSetup complete...Container ready...\n"
2019-10-16 23:44:47 -06:00
exec "$@"
# exit return codes
# 10x certificate generation errors
# 101 unable to generate DSA-parameters
# 102 unable to generate private key
# 103 unable to generate self-signed certificate
#EOF