refactor(SCRIPT): rework ssl implementation
- restart: prevent unnecessary error messages from already renamed files
This commit is contained in:
parent
1a1df53175
commit
942a855ffa
@ -46,52 +46,79 @@ fi
|
|||||||
if [ "$HSTS" = 'TRUE' ]; then
|
if [ "$HSTS" = 'TRUE' ]; then
|
||||||
printf "Activating HSTS configuration... "
|
printf "Activating HSTS configuration... "
|
||||||
sed -i -e "s/^#add_header/add_header/" \
|
sed -i -e "s/^#add_header/add_header/" \
|
||||||
/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled
|
/etc/nginx/ssl-config/moz*
|
||||||
sed -i -e "s/^#add_header/add_header/" \
|
|
||||||
/etc/nginx/ssl-config/mozModern_ssl.conf.disabled
|
|
||||||
printf "done\n"
|
printf "done\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# activate SSL configuration as appropriate and only if certs exist
|
# check whether TLS should be activated
|
||||||
if [ "$TLS13_ONLY" = 'FALSE' ]; then
|
if [ -f "/certs/fullchain.pem" ]; then
|
||||||
if [ -f "/certs/fullchain.pem" ] && \
|
# activate SSL configuration as appropriate and only if certs exist
|
||||||
[ -f "/certs/privkey.pem" ] && \
|
if [ "$TLS13_ONLY" = 'FALSE' ]; then
|
||||||
[ -f "/certs/chain.pem" ] && \
|
if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ] && [ -f "/certs/dhparam.pem" ]; then
|
||||||
[ -f "/certs/dhparam.pem" ]; then
|
|
||||||
printf "Certificates found. Securing deployment using TLS 1.2\n"
|
printf "Certificates found. Securing deployment using TLS 1.2\n"
|
||||||
|
|
||||||
# activate shared SSL configuration file
|
# activate shared SSL configuration file
|
||||||
|
if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then
|
||||||
mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
|
mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
|
||||||
/etc/nginx/ssl-config/mozIntermediate_ssl.conf
|
/etc/nginx/ssl-config/mozIntermediate_ssl.conf
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/nginx/ssl-config/mozModern_ssl.conf" ]; then
|
||||||
|
mv /etc/nginx/ssl-config/mozModern_ssl.conf \
|
||||||
|
/etc/nginx/ssl-config/mozModern_ssl.conf.disabled
|
||||||
|
fi
|
||||||
|
|
||||||
|
# if using default setup, activate secured server block
|
||||||
if [ -f "/etc/nginx/sites/note" ]; then
|
if [ -f "/etc/nginx/sites/note" ]; then
|
||||||
# activate SSL test server block & deactivate normal one
|
if [ -f "/etc/nginx/sites/05-test_secured.conf.disabled" ]; then
|
||||||
mv /etc/nginx/sites/05-test_secured.conf.disabled \
|
mv /etc/nginx/sites/05-test_secured.conf.disabled \
|
||||||
/etc/nginx/sites/05-test_secured.conf
|
/etc/nginx/sites/05-test_secured.conf
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/nginx/sites/05-test_nonsecured.conf" ]; then
|
||||||
mv /etc/nginx/sites/05-test_nonsecured.conf \
|
mv /etc/nginx/sites/05-test_nonsecured.conf \
|
||||||
/etc/nginx/sites/05-test_nonsecured.conf.disabled
|
/etc/nginx/sites/05-test_nonsecured.conf.disabled
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
elif [ "$TLS13_ONLY" = 'TRUE' ]; then
|
fi
|
||||||
if [ -f "/certs/fullchain.pem" ] && \
|
elif [ "$TLS13_ONLY" = 'TRUE' ]; then
|
||||||
[ -f "/certs/privkey.pem" ] && \
|
if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
|
||||||
[ -f "/certs/chain.pem" ]; then
|
|
||||||
printf "Certificates found. Securing deployment using TLS 1.3\n"
|
printf "Certificates found. Securing deployment using TLS 1.3\n"
|
||||||
|
|
||||||
# activate shared SSL configuration file
|
# activate shared SSL configuration file
|
||||||
|
if [ -f "/etc/nginx/ssl-config/mozModern_ssl.conf.disabled" ]; then
|
||||||
mv /etc/nginx/ssl-config/mozModern_ssl.conf.disabled \
|
mv /etc/nginx/ssl-config/mozModern_ssl.conf.disabled \
|
||||||
/etc/nginx/ssl-config/mozModern_ssl.conf
|
/etc/nginx/ssl-config/mozModern_ssl.conf
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf" ]; then
|
||||||
|
mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf \
|
||||||
|
/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled
|
||||||
|
fi
|
||||||
|
|
||||||
|
# if using default setup, activate secure server block
|
||||||
if [ -f "/etc/nginx/sites/note" ]; then
|
if [ -f "/etc/nginx/sites/note" ]; then
|
||||||
# activate SSL test server block & deactivate normal one
|
if [ -f "/etc/nginx/sites/05-test_secured.conf.disabled" ]; then
|
||||||
mv /etc/nginx/sites/05-test_secured.conf.disabled \
|
mv /etc/nginx/sites/05-test_secured.conf.disabled \
|
||||||
/etc/nginx/sites/05-test_secured.conf
|
/etc/nginx/sites/05-test_secured.conf
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/nginx/sites/05-test_nonsecured.conf" ]; then
|
||||||
mv /etc/nginx/sites/05-test_nonsecured.conf \
|
mv /etc/nginx/sites/05-test_nonsecured.conf \
|
||||||
/etc/nginx/sites/05-test_nonsecured.conf.disabled
|
/etc/nginx/sites/05-test_nonsecured.conf.disabled
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# ensure SSL configurations are disabled
|
||||||
|
mv /etc/nginx/ssl-config/*.conf /etc/nginx/ssl-config/*.conf.disabled
|
||||||
|
# if using default setup, ensure secure server block disabled
|
||||||
|
if [ -f "/etc/nginx/sites/note" ]; then
|
||||||
|
if [ -f "/etc/nginx/sites/05-test_secured.conf" ]; then
|
||||||
|
mv /etc/nginx/sites/05-test_secured.conf /etc/nginx/sites/05-test_secured.conf.disabled
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/nginx/sites/05-test_nonsecured.conf.disabled" ]; then
|
||||||
|
mv /etc/nginx/sites/05-test_nonsecured.conf.disabled /etc/nginx/sites/05-test_nonsecured.conf
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# execute commands passed to this container
|
# execute commands passed to this container
|
||||||
printf "\nSetup complete...Container ready...\n"
|
printf "\nSetup complete...Container ready...\n"
|
||||||
exec "$@"
|
exec "$@"
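Review bot: The fallback `mv /etc/nginx/ssl-config/*.conf /etc/nginx/ssl-config/*.conf.disabled` in the new `else` branch does not rename files pairwise, because the shell expands each glob on its own: with several `.conf` files present mv receives more than two operands and demands a directory as the last one, with exactly one it renames that file to the literal name `*.conf.disabled`, and when no `.conf` exists the unmatched source glob is passed through literally and mv prints a "cannot stat" error — exactly the kind of message this commit sets out to avoid. Renaming each file in a loop and skipping the no-match case handles all three situations; the same no-match concern applies, less severely, to `sed -i ... /etc/nginx/ssl-config/moz*` at the top of the hunk, which also fails loudly if nothing matches. The enclosing script continues outside the hunk.
```shell
    # ensure SSL configurations are disabled (rename pairwise; skip if none match)
    for conf in /etc/nginx/ssl-config/*.conf; do
        [ -f "$conf" ] || continue
        mv "$conf" "$conf.disabled"
    done
    # … unchanged: default-setup site block handling …
```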
|
||||||
|