No ssl by default, will now added by certbot

etc/apache2/sites-available/dolibarr-ssl.conf → etc/apache2/sites-available/dolibarr.conf

-SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
 <VirtualHost *:80>
     ServerAdmin <+ServerAdmin+>
     ServerName <+ServerName+>
@@ -109,5 +108,4 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
 	    DirectoryIndex index.php index.html
 	</IfModule>
 
-	#Include /etc/apache2/ssl.conf
 </VirtualHost>

etc/apache2/sites-available/nextcloud-ssl.conf → etc/apache2/sites-available/nextcloud.conf

-SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
 <VirtualHost *:80>
     ServerAdmin <+NEXTCLOUD_CONFIG_ServerAdmin+>
     ServerName <+NEXTCLOUD_CONFIG_ServerName+>
@@ -74,5 +73,4 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
 	    DirectoryIndex index.php index.html
 	</IfModule>
 
-  #Include /etc/apache2/ssl.conf
 </VirtualHost>

etc/apache2/sites-available/ssl.conf

-SSLEngine on
-SSLCertificateFile    <+SSLCertificateFile+>
-SSLCertificateKeyFile    <+SSLCertificateKeyFile+>
-# OCSP Stapling, only in httpd 2.3.3 and later
-SSLUseStapling          on
-SSLStaplingResponderTimeout 5
-SSLStaplingReturnResponderErrors off
-# intermediate configuration, tweak to your needs
-SSLProtocol             all -SSLv2 -SSLv3
-SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-SSLHonorCipherOrder     on
-Header always set Strict-Transport-Security "max-age=15768000"

etc/apache2/sites-available/tetras-back-ssl.conf → etc/apache2/sites-available/tetras-back.conf

-SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
 <VirtualHost *:80>
     ServerAdmin <+TB_CONFIG_ServerAdmin+>
     ServerName <+TB_CONFIG_ServerName+>
@@ -51,5 +50,4 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
         DirectoryIndex index.php index.html
     </IfModule>
     
-    #Include /etc/apache2/ssl.conf
 </VirtualHost>

etc/nginx/sites-available/nextcloud-ssl.conf → etc/nginx/sites-available/nextcloud.conf

@@ -4,136 +4,20 @@ upstream php-handler {
     server unix:/var/run/php5-fpm.sock;
 }
 
-server {
-    listen 80;
-    server_name nextcloud.FQDN;
-    # enforce https
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    listen 443 ssl;
-    server_name nextcloud.FQDN;
-
-    ssl on;
-    ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
-    ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
-
-    # Add headers to serve security related headers
-    # Before enabling Strict-Transport-Security headers please read into this
-    # topic first.
-    # add_header Strict-Transport-Security "max-age=15768000;
-    # includeSubDomains; preload;";
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options "SAMEORIGIN";
-    add_header X-XSS-Protection "1; mode=block";
-    add_header X-Robots-Tag none;
-    add_header X-Download-Options noopen;
-    add_header X-Permitted-Cross-Domain-Policies none;
-
-    # Path to the root of your installation
-    root /var/www/nextcloud/;
-    access_log      /var/log/nginx/nextcloud.access.log;
-    error_log       /var/log/nginx/nextcloud.error.log;
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    # The following 2 rules are only needed for the user_webfinger app.
-    # Uncomment it if you're planning to use this app.
-    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
-    # last;
-
-    location = /.well-known/carddav {
-      return 301 $scheme://$host/remote.php/dav;
-    }
-    location = /.well-known/caldav {
-      return 301 $scheme://$host/remote.php/dav;
-    }
-
-    # set max upload size
-    client_max_body_size 512M;
-    fastcgi_buffers 64 4K;
-
-    # Disable gzip to avoid the removal of the ETag header
-    gzip off;
-
-    # Uncomment if your server is build with the ngx_pagespeed module
-    # This module is currently not supported.
-    #pagespeed off;
-
-    error_page 403 /core/templates/403.php;
-    error_page 404 /core/templates/404.php;
-
-    location / {
-        rewrite ^ /index.php$uri;
-    }
-
-    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
-        deny all;
-    }
-    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
-        deny all;
-    }
-
-    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
-        include fastcgi_params;
-        fastcgi_split_path_info ^(.+\.php)(/.*)$;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-        fastcgi_param HTTPS on;
-        #Avoid sending the security headers twice
-        fastcgi_param modHeadersAvailable true;
-        fastcgi_param front_controller_active true;
-        fastcgi_pass php-handler;
-        fastcgi_intercept_errors on;
-        fastcgi_request_buffering off;
-    }
-
-    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
-        try_files $uri/ =404;
-        index index.php;
-    }
-
-    # Adding the cache control header for js and css files
-    # Make sure it is BELOW the PHP block
-    location ~* \.(?:css|js|woff|svg|gif)$ {
-        try_files $uri /index.php$uri$is_args$args;
-        add_header Cache-Control "public, max-age=7200";
-        # Add headers to serve security related headers (It is intended to
-        # have those duplicated to the ones above)
-        # Before enabling Strict-Transport-Security headers please read into
-        # this topic first.
-        # add_header Strict-Transport-Security "max-age=15768000;
-        #  includeSubDomains; preload;";
-        add_header X-Content-Type-Options nosniff;
-        add_header X-Frame-Options "SAMEORIGIN";
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
-        # Optional: Don't log access to assets
-        access_log off;
-    }
-
-    location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-        try_files $uri /index.php$uri$is_args$args;
-        # Optional: Don't log access to other assets
-        access_log off;
-    }
-}
+# server {
+#     listen 80;
+#     server_name nextcloud.FQDN;
+#     return 301 https://$server_name$request_uri;
+# }
 
 server {
-    listen 1443 ssl;
-    server_name nextcloud.lesfeesrosses.org;
+    # listen 443 ssl;
+    listen 80;
+    server_name <+NEXTCLOUD_CONFIG_ServerName+>;
 
     ssl on;
-    ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
-    ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
+    # ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
+    # ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
 
     # Add headers to serve security related headers
     # Before enabling Strict-Transport-Security headers please read into this

etc/nginx/sites-available/tetras-back-ssl.conf → etc/nginx/sites-available/tetras-back.conf

@@ -3,20 +3,21 @@ upstream php-handler {
         server unix:/var/run/php5-fpm.sock;
 }
 
-server {
-    listen 80;
-    server_name tetras-back.FQDN;
-    # enforce https
-    return 301 https://$server_name$request_uri;
-}
+#server {
+#    listen 80;
+#    server_name tetras-back.FQDN;
+#    # enforce https
+#    return 301 https://$server_name$request_uri;
+#}
 
 server {
-    listen 443 ssl;
-    server_name tetras-back.FQDN;
+    #listen 443 ssl;
+    listen 80;
+    server_name <+TB_CONFIG_ServerName+>;
 
     ssl on;
-    ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
-    ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
+    # ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
+    # ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
 
     # Add headers to serve security related headers
     # Before enabling Strict-Transport-Security headers please read into this

installCertbot.sh

+#!/bin/bash - 
+#
+# Copyright (C) 2017  Tetras Libre <admin@tetras-libre.fr>
+# Author: Beniamine, David <david.beniamine@tetras-libre.fr>
+#
+# This program is free software: you can redistribute it and/or modify # it
+# under the terms of the GNU General Public License as published by # the Free
+# Software Foundation, either version 3 of the License, or # (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, # but WITHOUT
+# ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the # GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License # along
+# with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+. `pwd`/main.env
+
+DOMAINS="dolibarr.${DOMAIN},nextcloud.${DOMAIN},tetras-back.${DOMAIN}"
+ARGS="--hsts --must-staple --agree-tos --email=${SERVER_ADMIN} --domains=${DOMAINS}"
+line="0 1 `date +%d` */2 * /usr/bin/certbot renew --force-renewal"
+if [ ${WEB_SERVER} == "apache2" ]
+then
+    OPTS="run --apache"
+    line+="${RENEW}"
+else
+    OPTS="certonly --standalone"
+    EXTRA_ARGS="--pre-hook \"systemctl stop nginx\" --post-hook \"systemctl start nginx\""
+fi
+/usr/bin/certbot ${OPTS} ${ARGS} ${EXTRA_ARGS}
+line+=" ${EXTRA_ARGS} > /dev/null"
+(crontab -l; echo "${line}") | crontab -

installDolibarr.sh

@@ -106,46 +106,28 @@ mount ${VERBOSE:+v} /usr/share/dolibarr/documents
 echo "Set dolibarr's configuration file for ${WEB_SERVER}"
 
 # Save last dolibarr-ssh.conf if exists
-if [ -f /etc/${WEB_SERVER}/sites-available/dolibarr-ssl.conf ]
+if [ -f /etc/${WEB_SERVER}/sites-available/dolibarr.conf ]
 then
     echo "Dolibarr's ${WEB_SERVER} configuration already exists"
     echo "Backup file is created at" \
-        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_dolibarr-ssl.conf"
+        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_dolibarr.conf"
 
-    echo "cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/dolibarr-ssl.conf" \
-        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_dolibarr-ssl.conf"
-    cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/dolibarr-ssl.conf \
-    /etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_dolibarr-ssl.conf
+    echo "cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/dolibarr.conf" \
+        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_dolibarr.conf"
+    cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/dolibarr.conf \
+    /etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_dolibarr.conf
 fi
 sed "s/<+ServerAdmin+>/${DOLIBARR_CONFIG_ServerAdmin}/;
     s/<+ServerName+>/${DOLIBARR_CONFIG_ServerName}/" \
-        ${SCRIPT_DIRECTORY%%/}/etc/${WEB_SERVER}/sites-available/dolibarr-ssl.conf > \
-    /etc/${WEB_SERVER}/sites-available/dolibarr-ssl.conf
-
-# Set ssl.conf
-if [ -f /etc/${WEB_SERVER}/sites-available/ssl.conf ]
-then
-    echo "${WEB_SERVER} ssl configuration already exists"
-    echo "Backup file is created at " \
-        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}-ssl.conf"
-
-    echo "cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/dolibarr-ssl.conf" \
-    "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}-ssl.conf"
-    cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/ssl.conf \
-    /etc/${WEB_SERVER}/${RUNNING_DATE_TIME}-ssl.conf
-fi
-sed \
-    "s@<+SSLCertificateFile+>@${NEXTCLOUD_CONFIG_certificateFile:-<+SSLCertificateFile+>}@
-    s@<+SSLCertificateKeyFile+>@${NEXTCLOUD_CONFIG_certificateKeyFile:-<+SSLCertificateKeyFile+>}@" \
-        ${SCRIPT_DIRECTORY%%/}/etc/${WEB_SERVER}/sites-available/ssl.conf > \
-        /etc/${WEB_SERVER}/ssl.conf
+        ${SCRIPT_DIRECTORY%%/}/etc/${WEB_SERVER}/sites-available/dolibarr.conf > \
+    /etc/${WEB_SERVER}/sites-available/dolibarr.conf
 
 if [ ${WEB_SERVER} == "apache2" ]
 then
-    a2ensite dolibarr-ssl.conf
+    a2ensite dolibarr.conf
     apachectl configtest && apachectl restart || echo "Failed restartin apache"
 else
-    ln -s /etc/nginx/sites-available/dolibarr-ssl.conf /etc/nginx/sites-enabled
+    ln -s /etc/nginx/sites-available/dolibarr.conf /etc/nginx/sites-enabled
     systemctl restart nginx
 fi
 

installNextcloud.sh

@@ -251,36 +251,24 @@ fi
 
 . `pwd`/nextcloudStrongDirectoryPermissions.sh
 
-if [ -f /etc/${WEB_SERVER}/nextcloud-ssl.conf ]
+if [ -f /etc/${WEB_SERVER}/nextcloud.conf ]
 then
-    cp /etc/${WEB_SERVER}/nextcloud-ssl.conf \
-        /etc/${WEB_SERVER}/${RUNNING_DATE_TIME}_nextcloud-ssl.conf
-fi
-
-if [ -f /etc/${WEB_SERVER}/sites-available/ssl.conf ]
-then
-    cp /etc/${WEB_SERVER}/sites-available/ssl.conf /etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_ssl.conf
+    cp /etc/${WEB_SERVER}/nextcloud.conf \
+        /etc/${WEB_SERVER}/${RUNNING_DATE_TIME}_nextcloud.conf
 fi
 
 # Configure Apache for nextcloud
-echo "Configure ${WEB_SERVER} nextcloud-ssl.conf"
+echo "Configure ${WEB_SERVER} nextcloud.conf"
 sed \
     "s/<+NEXTCLOUD_CONFIG_ServerAdmin+>/${NEXTCLOUD_CONFIG_ServerAdmin}/;
     s/<+NEXTCLOUD_CONFIG_ServerName+>/${NEXTCLOUD_CONFIG_ServerName}/" \
-`pwd`/etc/${WEB_SERVER}/sites-available/nextcloud-ssl.conf > \
-    /etc/${WEB_SERVER}/sites-available/nextcloud-ssl.conf
-
-sed \
-    "s@<+SSLCertificateFile+>@${NEXTCLOUD_CONFIG_certificateFile:-<+SSLCertificateFile+>}@
-    s@<+SSLCertificateKeyFile+>@${NEXTCLOUD_CONFIG_certificateKeyFile:-<+SSLCertificateKeyFile+>}@" \
-        `pwd`/etc/${WEB_SERVER}/ssl.conf > \
-        /etc/${WEB_SERVER}/ssl.conf
-
+`pwd`/etc/${WEB_SERVER}/sites-available/nextcloud.conf > \
+    /etc/${WEB_SERVER}/sites-available/nextcloud.conf
 
-#ln -s /etc/apache2/sites-available/nextcloud-ssl.conf \
-#    /etc/apache2/sites-enabled/nextcloud-ssl.conf
+#ln -s /etc/apache2/sites-available/nextcloud.conf \
+#    /etc/apache2/sites-enabled/nextcloud.conf
 #echo "WARNING : SSLEngine is disabled : to enable modify file /etc/apache2/ssl.conf"
-#echo "Configure Apache nextcloud-ssl.conf : terminated"
+#echo "Configure Apache nextcloud.conf : terminated"
 
 if [ ${WEB_SERVER} == "apache2" ]
 then
@@ -304,12 +292,12 @@ echo "a2enmod rewrite"
 
     # activation ssl
     a2enmod ssl
-    a2ensite nextcloud-ssl
+    a2ensite nextcloud
 
     echo "apachectl restart"
     apachectl configtest && apachectl restart || echo "Failed restartin apache"
 else
-    ln -s /etc/nginx/sites-available/nextcloud-ssl.conf /etc/nginx/sites-enabled/
+    ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/
     systemctl restart nginx
 fi
 

installTetrasBack.sh

@@ -41,45 +41,27 @@ cd $SCRIPT_DIRECTORY
 echo "Set tetras-back's configuration file for ${WEB_SERVER}"
 
 # Save last tetras-back-ssh.conf if exists
-if [ -f /etc/${WEB_SERVER}/sites-available/tetras-back-ssl.conf ]
+if [ -f /etc/${WEB_SERVER}/sites-available/tetras-back.conf ]
 then
     echo "Dolibarr's apache configuration already exists"
     echo "Backup file is created at" \
-        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_tetras-back-ssl.conf"
+        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_tetras-back.conf"
 
-    echo "cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/tetras-back-ssl.conf" \
-        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_tetras-back-ssl.conf"
-    cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/tetras-back-ssl.conf \
-    /etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_tetras-back-ssl.conf
+    echo "cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/tetras-back.conf" \
+        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_tetras-back.conf"
+    cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/tetras-back.conf \
+    /etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}_tetras-back.conf
 fi
 sed "s@<+ServerAdmin+>@${DOLIBARR_CONFIG_ServerAdmin:-<+ServerAdmin+>}@;
     s@<+ServerName+>@${DOLIBARR_CONFIG_ServerName:-<+ServerName+>}@" \
-        `pwd`/etc/${WEB_SERVER}/sites-available/tetras-back-ssl.conf > \
-    /etc/${WEB_SERVER}/sites-available/tetras-back-ssl.conf
-
-# Set ssl.conf
-if [ -f /etc/${WEB_SERVER}/sites-available/ssl.conf ]
-then
-    echo "${WEB_SERVER} ssl configuration already exists"
-    echo "Backup file is created at " \
-        "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}-ssl.conf"
-
-    echo "cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/sites-available/tetras-back-ssl.conf" \
-    "/etc/${WEB_SERVER}/sites-available/${RUNNING_DATE_TIME}-ssl.conf"
-    cp ${VERBOSE:+-v} /etc/${WEB_SERVER}/ssl.conf \
-    /etc/${WEB_SERVER}/${RUNNING_DATE_TIME}-ssl.conf
-fi
-sed \
-    "s@<+SSLCertificateFile+>@${NEXTCLOUD_CONFIG_certificateFile:-<+SSLCertificateFile+>}@
-    s@<+SSLCertificateKeyFile+>@${NEXTCLOUD_CONFIG_certificateKeyFile:-<+SSLCertificateKeyFile+>}@" \
-        ${SCRIPT_DIRECTORY%%/}/etc/${WEB_SERVER}/sites-available/ssl.conf > \
-        /etc/${WEB_SERVER}/ssl.conf
+        `pwd`/etc/${WEB_SERVER}/sites-available/tetras-back.conf > \
+    /etc/${WEB_SERVER}/sites-available/tetras-back.conf
 
 if [ ${WEB_SERVER} == "apache2" ]
 then
-    a2ensite tetras-back-ssl.conf
+    a2ensite tetras-back.conf
     apachectl configtest && apachectl restart || echo "Failed restartin apache"
 else
-    ln -s /etc/nginx/sites-available/tetras-back-ssl.conf /etc/nginx/sites-enabled
+    ln -s /etc/nginx/sites-available/tetras-back.conf /etc/nginx/sites-enabled
     systemctl restart nginx
 fi