2020-04-28 15:53:56 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
|
|
[ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80
|
|
|
|
|
[ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443
|
2020-04-30 14:27:40 +02:00
|
|
|
[ -z "${ALLOWED_ACCESS_TO_DASHBOARD}" ] && export ALLOWED_ACCESS_TO_DASHBOARD=all
|
|
|
|
|
[ -z "${ALLOWED_ACCESS_TO_RESTAPI}" ] && export ALLOWED_ACCESS_TO_RESTAPI=all
|
2020-03-24 17:18:37 +01:00
|
|
|
|
2020-03-25 12:42:26 +01:00
|
|
|
# Start with default certbot conf
|
2020-04-28 15:53:56 +02:00
|
|
|
nginx -g "daemon on;"
|
2020-03-25 12:42:26 +01:00
|
|
|
|
|
|
|
|
# Show input enviroment variables
|
2020-04-28 15:53:56 +02:00
|
|
|
echo "Http Port: ${PROXY_HTTP_PORT}"
|
|
|
|
|
echo "Https Port: ${PROXY_HTTPS_PORT}"
|
2020-04-30 14:27:40 +02:00
|
|
|
echo "Allowed Dashboard: ${ALLOWED_ACCESS_TO_DASHBOARD}"
|
|
|
|
|
echo "Allowed API: ${ALLOWED_ACCESS_TO_RESTAPI}"
|
2020-03-25 12:42:26 +01:00
|
|
|
echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}"
|
|
|
|
|
echo "Certificated: ${CERTIFICATE_TYPE}"
|
|
|
|
|
echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}"
|
2020-04-09 16:33:26 +02:00
|
|
|
echo "Proxy mode: ${PROXY_MODE:-CE}"
|
|
|
|
|
echo "Demos mode: ${WITH_DEMOS:-true}"
|
2020-03-27 12:53:04 +01:00
|
|
|
|
2020-03-25 12:42:26 +01:00
|
|
|
case ${CERTIFICATE_TYPE} in
|
|
|
|
|
|
|
|
|
|
"selfsigned")
|
2020-03-27 12:53:04 +01:00
|
|
|
echo "===Mode selfsigned==="
|
|
|
|
|
|
2020-04-09 16:33:26 +02:00
|
|
|
if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
|
2020-03-27 12:53:04 +01:00
|
|
|
echo "Generating certificated..."
|
|
|
|
|
|
|
|
|
|
rm -rf /etc/letsencrypt/live/*
|
2020-04-28 15:53:56 +02:00
|
|
|
mkdir -p "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}"
|
2020-03-27 12:53:04 +01:00
|
|
|
|
|
|
|
|
openssl req -new -nodes -x509 \
|
2020-04-09 16:33:26 +02:00
|
|
|
-subj "/CN=${DOMAIN_OR_PUBLIC_IP}" -days 365 \
|
2020-04-28 15:53:56 +02:00
|
|
|
-keyout "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" \
|
|
|
|
|
-out "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" -extensions v3_ca
|
2020-03-27 12:53:04 +01:00
|
|
|
else
|
|
|
|
|
echo "The certificate already exists, using them..."
|
|
|
|
|
fi
|
2020-03-25 12:42:26 +01:00
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
"owncert")
|
2020-03-27 12:53:04 +01:00
|
|
|
echo "===Mode owncert==="
|
|
|
|
|
|
|
|
|
|
if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
|
|
|
|
|
echo "Using owmcert..."
|
|
|
|
|
|
|
|
|
|
rm -rf /etc/letsencrypt/live/*
|
2020-04-28 15:53:56 +02:00
|
|
|
mkdir -p "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}"
|
|
|
|
|
cp /owncert/certificate.key "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem"
|
|
|
|
|
cp /owncert/certificate.cert "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem"
|
2020-03-25 12:42:26 +01:00
|
|
|
|
2020-03-27 12:53:04 +01:00
|
|
|
else
|
|
|
|
|
echo "The certificate already exists, using them..."
|
|
|
|
|
fi
|
2020-03-25 12:42:26 +01:00
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
"letsencrypt")
|
2020-03-27 12:53:04 +01:00
|
|
|
echo "===Mode letsencrypt==="
|
|
|
|
|
|
|
|
|
|
# Auto renew cert
|
2020-04-28 15:53:56 +02:00
|
|
|
echo "0 12 * * * certbot renew >> /var/log/nginx/cron-letsencrypt.log" | crontab -
|
2020-03-27 12:53:04 +01:00
|
|
|
|
|
|
|
|
if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
|
|
|
|
|
echo "Requesting certificate..."
|
2020-03-24 17:18:37 +01:00
|
|
|
|
2020-04-28 15:53:56 +02:00
|
|
|
certbot certonly -n --webroot -w /var/www/certbot -m "${LETSENCRYPT_EMAIL}" --agree-tos -d "${DOMAIN_OR_PUBLIC_IP}"
|
2020-03-27 12:53:04 +01:00
|
|
|
else
|
|
|
|
|
echo "The certificate already exists, using them..."
|
|
|
|
|
fi
|
2020-03-25 12:42:26 +01:00
|
|
|
;;
|
|
|
|
|
esac
|
2020-03-24 17:18:37 +01:00
|
|
|
|
2020-03-27 12:53:04 +01:00
|
|
|
# All permission certificated folder
|
|
|
|
|
chmod -R 777 /etc/letsencrypt
|
|
|
|
|
|
2020-04-09 16:33:26 +02:00
|
|
|
# Use certificates in folder '/default_nginx_conf'
|
|
|
|
|
if [ "${PROXY_MODE}" == "CE" ]; then
|
|
|
|
|
if [ "${WITH_DEMOS}" == "true" ]; then
|
|
|
|
|
mv /default_nginx_conf/ce/default-app.conf /default_nginx_conf/default-app.conf
|
|
|
|
|
mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf
|
|
|
|
|
else
|
|
|
|
|
mv /default_nginx_conf/ce/default-app-without-demos.conf /default_nginx_conf/default-app.conf
|
|
|
|
|
mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
rm -rf /default_nginx_conf/ce
|
|
|
|
|
rm -rf /default_nginx_conf/pro
|
2020-03-27 12:53:04 +01:00
|
|
|
fi
|
|
|
|
|
|
2020-04-09 16:33:26 +02:00
|
|
|
if [ "${PROXY_MODE}" == "PRO" ]; then
|
|
|
|
|
if [ "${WITH_DEMOS}" == "true" ]; then
|
|
|
|
|
mv /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf
|
|
|
|
|
else
|
|
|
|
|
mv /default_nginx_conf/pro/default-app-without-demos.conf /default_nginx_conf/default.conf
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
rm -rf /default_nginx_conf/ce
|
|
|
|
|
rm -rf /default_nginx_conf/pro
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Create index.html
|
|
|
|
|
mkdir -p /var/www/html
|
|
|
|
|
cat> /var/www/html/index.html<<EOF
|
|
|
|
|
Welcome to OpenVidu Server
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
# Load nginx conf files
|
|
|
|
|
rm /etc/nginx/conf.d/*
|
|
|
|
|
cp /default_nginx_conf/* /etc/nginx/conf.d
|
2020-04-28 15:53:56 +02:00
|
|
|
sed -i "s/{domain_name}/${DOMAIN_OR_PUBLIC_IP}/g" /etc/nginx/conf.d/*
|
|
|
|
|
sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/*
|
|
|
|
|
sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/*
|
2020-03-24 17:18:37 +01:00
|
|
|
|
2020-04-30 14:27:40 +02:00
|
|
|
# NGINX access
|
|
|
|
|
LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*')
|
|
|
|
|
PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh)
|
|
|
|
|
|
|
|
|
|
valid_ip_v4()
|
|
|
|
|
{
|
|
|
|
|
if ipcalc "$1" \
|
|
|
|
|
| awk 'BEGIN{FS=":"; is_invalid=0} /^INVALID/ {is_invalid=1} END {exit is_invalid}'
|
|
|
|
|
then
|
|
|
|
|
return "$?"
|
|
|
|
|
else
|
|
|
|
|
return "$?"
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if [ "${ALLOWED_ACCESS_TO_DASHBOARD}" != "all" ]; then
|
|
|
|
|
IFS=','
|
|
|
|
|
for IP in $(echo "${ALLOWED_ACCESS_TO_DASHBOARD}" | tr -d '[:space:]')
|
|
|
|
|
do
|
|
|
|
|
if valid_ip_v4 "$IP"; then
|
|
|
|
|
if [ -z "${RULES_DASHBOARD}" ]; then
|
|
|
|
|
RULES_DASHBOARD="allow $IP;"
|
|
|
|
|
else
|
|
|
|
|
if ! echo "${RULES_DASHBOARD}" | grep -q "$IP"; then
|
|
|
|
|
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ -z "${RULES_RESTAPI}" ]; then
|
|
|
|
|
RULES_RESTAPI="allow $IP;"
|
|
|
|
|
else
|
|
|
|
|
if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then
|
|
|
|
|
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
echo "Ip or range $IP is not valid"
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
else
|
|
|
|
|
RULES_DASHBOARD="allow all;"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ "${ALLOWED_ACCESS_TO_RESTAPI}" != "all" ]; then
|
|
|
|
|
IFS=','
|
|
|
|
|
for IP in $(echo "${ALLOWED_ACCESS_TO_RESTAPI}" | tr -d '[:space:]')
|
|
|
|
|
do
|
|
|
|
|
if valid_ip_v4 "$IP"; then
|
|
|
|
|
if [ -z "${RULES_RESTAPI}" ]; then
|
|
|
|
|
RULES_RESTAPI="allow $IP;"
|
|
|
|
|
else
|
|
|
|
|
if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then
|
|
|
|
|
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
echo "Ip or range $IP is not valid"
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
else
|
|
|
|
|
RULES_RESTAPI="allow all;"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ "${RULES_DASHBOARD}" != "allow all;" ]; then
|
|
|
|
|
if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then
|
|
|
|
|
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $PUBLIC_IP;"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! echo "${RULES_DASHBOARD}" | grep -q "127.0.0.1"; then
|
|
|
|
|
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow 127.0.0.1;"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
IFS=$'\n'
|
|
|
|
|
for IP in ${LOCAL_NETWORKS}
|
|
|
|
|
do
|
|
|
|
|
if ! echo "${RULES_DASHBOARD}" | grep -q "$IP" && valid_ip_v4 "$IP"; then
|
|
|
|
|
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;"
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ "${RULES_RESTAPI}" != "allow all;" ]; then
|
|
|
|
|
if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then
|
|
|
|
|
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $PUBLIC_IP;"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! echo "${RULES_DASHBOARD}" | grep -q "127.0.0.1"; then
|
|
|
|
|
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow 127.0.0.1;"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
IFS=$'\n'
|
|
|
|
|
for IP in ${LOCAL_NETWORKS}
|
|
|
|
|
do
|
|
|
|
|
if ! echo "${RULES_RESTAPI}" | grep -q "$IP" && valid_ip_v4 "$IP"; then
|
|
|
|
|
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
sed -i "s/{rules_access_dashboard}/$(echo "${RULES_DASHBOARD}" | sed 's#/#\\/#g')/g" /etc/nginx/conf.d/*
|
|
|
|
|
sed -i "s/{rules_acess_api}/$(echo "${RULES_RESTAPI}" | sed 's#/#\\/#g')/g" /etc/nginx/conf.d/*
|
|
|
|
|
sed -i "s/{new_line}/\n\t/g" /etc/nginx/conf.d/* # New line
|
|
|
|
|
|
|
|
|
|
printf "Rules DASHBOARD: \n \t%s\n" "$(echo "${RULES_DASHBOARD}" | sed 's/{new_line}/\n\t/g')"
|
|
|
|
|
printf "Rules RESTAPI: \n \t%s\n" "$(echo "${RULES_RESTAPI}" | sed 's/{new_line}/\n\t/g')"
|
|
|
|
|
|
2020-03-27 12:53:04 +01:00
|
|
|
# Restart nginx service
|
2020-04-28 15:53:56 +02:00
|
|
|
nginx -s reload
|
2020-03-27 12:53:04 +01:00
|
|
|
|
|
|
|
|
# Init cron
|
2020-04-28 15:53:56 +02:00
|
|
|
/usr/sbin/crond -f &
|
2020-03-27 12:53:04 +01:00
|
|
|
|
2020-04-28 15:53:56 +02:00
|
|
|
# nginx logs
|
2020-03-24 17:18:37 +01:00
|
|
|
tail -f /var/log/nginx/*.log
|
