diff --git a/bin/vhost-enable.sh b/bin/vhost-enable.sh
index 3efe1a1..d908f4d 100755
--- a/bin/vhost-enable.sh
+++ b/bin/vhost-enable.sh
@@ -31,6 +31,7 @@ help()
 echo " vhost-enable.sh -m VHostSubdomainHTTPS -d staging.example.com"
 echo " vhost-enable.sh -m VHostSubdomainHTTPSVarnish -d staging.example.com"
 echo " vhost-enable.sh -m VMailHTTPS -d mail.example.com"
+ echo " vhost-enable.sh -m Mailman3HTTPS -d lists.example.com"
 echo " vhost-enable.sh -m RedirectHTTP -d example.com -o https://www.example.org"
 echo " vhost-enable.sh -m RedirectHTTPS -d example.com -o https://www.example.org"
 echo " vhost-enable.sh -m VHostAliasHTTP -d example.com -o example.org"
@@ -54,6 +55,8 @@ fi
 if [[ ! -n $macro ]]; then
 if [[ "$domain" =~ ^mail.* ]]; then
 macro=VMailHTTPS
+ elif [[ "$domain" =~ ^lists.* ]]; then
+ macro=Mailman3HTTPS
 elif [[ -f "/etc/ssl/letsencrypt/$domain.pem" ]]; then
 macro=VHostHTTPS
 else
diff --git a/etc/apache2/mods-available/macro.conf b/etc/apache2/mods-available/macro.conf
index b775f08..1540b6e 100644
--- a/etc/apache2/mods-available/macro.conf
+++ b/etc/apache2/mods-available/macro.conf
@@ -7,6 +7,7 @@
 # *only use one of the VHost options above at at time*
 #
 # VMailHTTPS for webmail at mail. subdomain assumes & requires https w/ valid cert
+# Mailman3HTTPS for mailman3 lists at lists. subdomain assumes & requires https w/ valid cert
 #
 # RedirectHTTP for http only
 # RedirectHTTPS for http & https
@@ -203,7 +204,7 @@
-# Webmail - HTTP Port 80 Redirects to HTTPS Port 443
+# Webmail - HTTP Port 80 Redirects to HTTPS Port 443. Expects mail. subdomain
 ServerName $vhost
@@ -221,6 +222,26 @@
+# Mailman3 - HTTP Port 80 Redirects to HTTPS Port 443. Expects lists. subdomain
+
+
+ ServerName $vhost
+
+
+ Redirect / https://$vhost
+
+
+
+
+ ServerName $vhost
+ DocumentRoot /srv/www/html
+ Include /etc/mailman3/apache.conf
+ RedirectMatch ^/$ /mailman3
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/letsencrypt/$vhost.pem
+
+
+ ServerName $vhost
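Review bot: The new `elif [[ "$domain" =~ ^lists.* ]]` matches any domain that merely begins with the letters "lists" (listserv.example.com, listsomething.org), and the trailing `.*` adds nothing, so a host that is not a Mailman server can silently be given the Mailman3HTTPS macro and its Include of /etc/mailman3/apache.conf. Anchor on the label boundary instead: `elif [[ "$domain" =~ ^lists\. ]]; then`. The `^mail.*` test just above has the same shape, but that line is history. The `if [[ ! -n $macro ]]` block's `else` branch continues past the end of the hunk.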
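Review bot: `Redirect / https://$vhost` in the new port-80 vhost of the Mailman3HTTPS macro has no trailing slash on the target; mod_alias appends whatever follows the matched `/` prefix straight onto the target, so, as far as I can tell from mod_alias's prefix replacement, a request for `/mailman3/` is answered with a redirect to `https://$vhostmailman3/` — a different hostname — and the HTTP-to-HTTPS upgrade only works for the bare root. Use `Redirect / https://$vhost/` (or `Redirect permanent / https://$vhost/`). If the existing VMailHTTPS macro was the template and has the same form, it deserves the same fix, though that is outside this hunk. The extraction has dropped the `<Macro>`/`<VirtualHost>` tag lines, so the block structure and the enclosing macro cannot be checked here.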
diff --git a/etc/apache2/mods-available/ssl.conf b/etc/apache2/mods-available/ssl.conf
deleted file mode 100644
index 7e36463..0000000
--- a/etc/apache2/mods-available/ssl.conf
+++ /dev/null
@@ -1,85 +0,0 @@
-
-
- # Pseudo Random Number Generator (PRNG):
- # Configure one or more sources to seed the PRNG of the SSL library.
- # The seed data should be of good random quality.
- # WARNING! On some platforms /dev/random blocks if not enough entropy
- # is available. This means you then cannot use the /dev/random device
- # because it would lead to very long connection times (as long as
- # it requires to make more entropy available). But usually those
- # platforms additionally provide a /dev/urandom device which doesn't
- # block. So, if available, use this one instead. Read the mod_ssl User
- # Manual for more details.
- #
- SSLRandomSeed startup builtin
- SSLRandomSeed startup file:/dev/urandom 512
- SSLRandomSeed connect builtin
- SSLRandomSeed connect file:/dev/urandom 512
-
- ##
- ## SSL Global Context
- ##
- ## All SSL configuration in this context applies both to
- ## the main server and all SSL-enabled virtual hosts.
- ##
-
- #
- # Some MIME-types for downloading Certificates and CRLs
- #
- AddType application/x-x509-ca-cert .crt
- AddType application/x-pkcs7-crl .crl
-
- # Pass Phrase Dialog:
- # Configure the pass phrase gathering process.
- # The filtering dialog program (`builtin' is a internal
- # terminal dialog) has to provide the pass phrase on stdout.
- SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
-
- # Inter-Process Session Cache:
- # Configure the SSL Session Cache: First the mechanism
- # to use and second the expiring timeout (in seconds).
- # (The mechanism dbm has known memory leaks and should not be used).
- #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
- SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
- SSLSessionCacheTimeout 300
-
- # Semaphore:
- # Configure the path to the mutual exclusion semaphore the
- # SSL engine uses internally for inter-process synchronization.
- # (Disabled by default, the global Mutex directive consolidates by default
- # this)
- #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
-
-
- # SSL Cipher Suite:
- # List the ciphers that the client is permitted to negotiate. See the
- # ciphers(1) man page from the openssl package for list of all available
- # options.
- # Enable only secure ciphers:
- SSLCipherSuite HIGH:!aNULL
-
- # SSL server cipher order preference:
- # Use server priorities for cipher algorithm choice.
- # Clients may prefer lower grade encryption. You should enable this
- # option if you want to enforce stronger encryption, and can afford
- # the CPU cost, and did not override SSLCipherSuite in a way that puts
- # insecure ciphers first.
- # Default: Off
- #SSLHonorCipherOrder on
-
- # The protocols to enable.
- # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
- # SSL v2 is no longer supported
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-
- # Allow insecure renegotiation with clients which do not yet support the
- # secure renegotiation protocol. Default: Off
- #SSLInsecureRenegotiation on
-
- # Whether to forbid non-SNI clients to access name based virtual hosts.
- # Default: Off
- #SSLStrictSNIVHostCheck On
-
-
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/etc/apache2/sites-available/001-default-ssl.conf b/etc/apache2/sites-available/001-default-ssl.conf
index 8c3a5fe..21e57b3 100644
--- a/etc/apache2/sites-available/001-default-ssl.conf
+++ b/etc/apache2/sites-available/001-default-ssl.conf
@@ -13,5 +13,6 @@
 SSLOptions +StdEnvVars
+ #Include /etc/mailman3/apache.conf
diff --git a/install.sh b/install.sh
index 39b7869..e58285f 100755
--- a/install.sh
+++ b/install.sh
@@ -5,13 +5,11 @@ if [ "${EUID}" -ne 0 ]; then
 exit
 fi
-# check for Ubuntu 20.04
-if ! grep -q "Ubuntu 22.04" /etc/issue; then
- echo "This installer is only tested on Ubuntu 22.04. If you are on a"
- echo "different version of Ubuntu or a Debian/Debian based distro"
- echo "and want to try running this installer open this script and"
- echo "comment out the exit command below this line and re-run."
- exit
+# check for Ubuntu 22.04 (jammy) or Debian 12 (bookworm)
+os_codename=`lsb_release -cs`
+if [ $os_codename != jammy ] && [ $os_codename != bookworm ]; then
+ echo "This installer only runs on Ubuntu 22.04 (jammy) or Debian 12 (Bookworm), bailing out."
+ exit 1
 fi
 # check if install is already in place
@@ -20,14 +18,12 @@ if [ -f "/usr/local/bin/vhost.sh" ]; then
 exit
 fi
-# check for existing web server software installs
+# check for existing Let's Encrypt install
 if [ -d "/etc/apache2/" ] || [ -d "/etc/php/" ] || [ -d "/etc/varnish/" ]; then
 echo
 echo "WARNING: Apache, Varnish and/or PHP are already installed."
- echo "This installer will overwrite existing configurations."
- echo -e "You have five seconds to execute ctrl-c to cancel this install.\a"
- echo
- sleep 5
+ echo "You must purge any existing Apache, PHP & Varnish installs before running this."
+ exit 1
 fi
 # check for dpkg lock
@@ -98,6 +94,7 @@ a2enconf php$phpVersion-fpm phpMyAdmin
 cp etc/apache2/mods-available/* /etc/apache2/mods-available/
 chmod 644 /etc/apache2/mods-available/*.conf
 chown root:root /etc/apache2/mods-available/*.conf
+sed -i "s|SSLProtocol.*|SSLProtocol TLSv1.2|g" /etc/apache2/mods-available/ssl.conf
 # set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain.
 sed -i "s|example.com|$vhostdomain|g" /etc/apache2/mods-available/macro.conf
 # a2enmod proxy_fcgi rewrite headers expires ssl http2 remoteip macro
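Review bot: The new OS check is not fail-closed: `os_codename` is tested unquoted, so when `lsb_release` is absent (a minimal Debian install may not ship it) the variable is empty, `[ != jammy ]` becomes a syntax error that returns non-zero, the `&&` chain is false and the installer carries on onto an unknown platform instead of bailing out. Capture with `$(…)` and quote both tests: `os_codename=$(lsb_release -cs 2>/dev/null)` and `if [ "$os_codename" != jammy ] && [ "$os_codename" != bookworm ]; then`; reading `VERSION_CODENAME` from /etc/os-release would avoid the extra package altogether. Switching from a bare `exit` to `exit 1` is the right call so callers see the refusal.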
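Review bot: The replacement comment `# check for existing Let's Encrypt install` no longer describes the test beneath it, which looks at /etc/apache2, /etc/php and /etc/varnish and has nothing to do with Let's Encrypt; a comment that contradicts the condition will mislead the next person editing the pre-flight checks. Keep it in step with the code, e.g. `# refuse to run over an existing Apache, PHP or Varnish install`. Replacing the five-second grace period with `exit 1` is a sound change, and the new warning text does match the condition.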
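Review bot: `SSLProtocol TLSv1.2` pins the server to exactly one protocol version, which also switches off TLS 1.3 although the Apache and OpenSSL builds on jammy and bookworm support it; the usual hardening form is `SSLProtocol -all +TLSv1.2 +TLSv1.3`. Since this same commit deletes the repository's mods-available/ssl.conf, the `sed -i` now edits whichever ssl.conf the apache2 package installed, and a pattern that matches nothing succeeds silently, so it is worth verifying the result, e.g. `grep -q '^[[:space:]]*SSLProtocol' /etc/apache2/mods-available/ssl.conf || exit 1` on the following line. The sed address `SSLProtocol.*` also rewrites any commented-out occurrence of the directive, which is harmless but worth knowing.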
@@ -280,5 +277,5 @@ fi
 echo
 echo "To enable the default https host install letsencrypt-tools and then run:"
 echo "letsencrypt-certonly.sh -d $fqdn"
-echo "a2ensite 000-default-ssl.conf"
+echo "a2ensite 001-default-ssl.conf"
 echo "systemctl reload apache2"