refactor(SCRIPT): rework ssl implementation

- restart: prevent unnecessary error messages from already renamed files
2021-01-06 02:31:18 -07:00 · 2021-01-06 02:31:18 -07:00 · 942a855ffa
commit 942a855ffa
parent 1a1df53175
1 changed files with 61 additions and 34 deletions
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@ -46,52 +46,79 @@ fi
 if [ "$HSTS" = 'TRUE' ]; then
    printf "Activating HSTS configuration... "
    sed -i -e "s/^#add_header/add_header/" \
-        /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled
-    sed -i -e "s/^#add_header/add_header/" \
-        /etc/nginx/ssl-config/mozModern_ssl.conf.disabled
+        /etc/nginx/ssl-config/moz*
    printf "done\n"
 fi

-# activate SSL configuration as appropriate and only if certs exist
-if [ "$TLS13_ONLY" = 'FALSE' ]; then
-    if [ -f "/certs/fullchain.pem" ] && \
-        [ -f "/certs/privkey.pem" ] && \
-        [ -f "/certs/chain.pem" ] && \
-        [ -f "/certs/dhparam.pem" ]; then
+# check whether TLS should be activated
+if [ -f "/certs/fullchain.pem" ]; then
+    # activate SSL configuration as appropriate and only if certs exist
+    if [ "$TLS13_ONLY" = 'FALSE' ]; then
+        if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ] && [ -f "/certs/dhparam.pem" ]; then
            printf "Certificates found. Securing deployment using TLS 1.2\n"
-
            # activate shared SSL configuration file
-            mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
-                /etc/nginx/ssl-config/mozIntermediate_ssl.conf
-            
-            if [ -f "/etc/nginx/sites/note" ]; then
-                # activate SSL test server block & deactivate normal one
-                mv /etc/nginx/sites/05-test_secured.conf.disabled \
-                    /etc/nginx/sites/05-test_secured.conf
-                mv /etc/nginx/sites/05-test_nonsecured.conf \
-                    /etc/nginx/sites/05-test_nonsecured.conf.disabled
+            if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then
+                mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
+                  /etc/nginx/ssl-config/mozIntermediate_ssl.conf
            fi
-    fi
-elif [ "$TLS13_ONLY" = 'TRUE' ]; then
-    if [ -f "/certs/fullchain.pem" ] && \
-        [ -f "/certs/privkey.pem" ] && \
-        [ -f "/certs/chain.pem" ]; then
+            if [ -f "/etc/nginx/ssl-config/mozModern_ssl.conf" ]; then
+                mv /etc/nginx/ssl-config/mozModern_ssl.conf \
+                  /etc/nginx/ssl-config/mozModern_ssl.conf.disabled
+            fi
+
+            # if using default setup, activate secured server block
+            if [ -f "/etc/nginx/sites/note" ]; then
+                if [ -f "/etc/nginx/sites/05-test_secured.conf.disabled" ]; then
+                    mv /etc/nginx/sites/05-test_secured.conf.disabled \
+                      /etc/nginx/sites/05-test_secured.conf
+                fi
+                if [ -f "/etc/nginx/sites/05-test_nonsecured.conf" ]; then
+                    mv /etc/nginx/sites/05-test_nonsecured.conf \
+                      /etc/nginx/sites/05-test_nonsecured.conf.disabled
+                fi
+            fi
+        fi
+    elif [ "$TLS13_ONLY" = 'TRUE' ]; then
+        if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
            printf "Certificates found. Securing deployment using TLS 1.3\n"
-
            # activate shared SSL configuration file
-            mv /etc/nginx/ssl-config/mozModern_ssl.conf.disabled \
-                /etc/nginx/ssl-config/mozModern_ssl.conf
-            
-            if [ -f "/etc/nginx/sites/note" ]; then
-                # activate SSL test server block & deactivate normal one
-                mv /etc/nginx/sites/05-test_secured.conf.disabled \
-                    /etc/nginx/sites/05-test_secured.conf
-                mv /etc/nginx/sites/05-test_nonsecured.conf \
-                    /etc/nginx/sites/05-test_nonsecured.conf.disabled
+            if [ -f "/etc/nginx/ssl-config/mozModern_ssl.conf.disabled" ]; then
+                mv /etc/nginx/ssl-config/mozModern_ssl.conf.disabled \
+                  /etc/nginx/ssl-config/mozModern_ssl.conf
            fi
+            if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf" ]; then
+                mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf \
+                  /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled
+            fi
+
+            # if using default setup, activate secure server block
+            if [ -f "/etc/nginx/sites/note" ]; then
+                if [ -f "/etc/nginx/sites/05-test_secured.conf.disabled" ]; then
+                    mv /etc/nginx/sites/05-test_secured.conf.disabled \
+                      /etc/nginx/sites/05-test_secured.conf
+                fi
+                if [ -f "/etc/nginx/sites/05-test_nonsecured.conf" ]; then
+                    mv /etc/nginx/sites/05-test_nonsecured.conf \
+                      /etc/nginx/sites/05-test_nonsecured.conf.disabled
+                fi
+            fi
+        fi
+    fi
+else
+    # ensure SSL configurations are disabled
+    mv /etc/nginx/ssl-config/*.conf /etc/nginx/ssl-config/*.conf.disabled
+    # if using default setup, ensure secure server block disabled
+    if [ -f "/etc/nginx/sites/note" ]; then
+        if [ -f "/etc/nginx/sites/05-test_secured.conf" ]; then
+            mv /etc/nginx/sites/05-test_secured.conf /etc/nginx/sites/05-test_secured.conf.disabled
+        fi
+        if [ -f "/etc/nginx/sites/05-test_nonsecured.conf.disabled" ]; then
+            mv /etc/nginx/sites/05-test_nonsecured.conf.disabled /etc/nginx/sites/05-test_nonsecured.conf
+        fi
    fi
 fi

+
 # execute commands passed to this container
 printf "\nSetup complete...Container ready...\n"
 exec "$@"