From f6a7b845f699aac301202989c58d738fffbfc303 Mon Sep 17 00:00:00 2001 From: Matthew Saunders Brown Date: Fri, 14 Jun 2024 10:16:40 -0700 Subject: [PATCH] add Debian 12 bookworm install support, add Mailman3 option for mod_macro --- bin/vhost-enable.sh | 3 + etc/apache2/mods-available/macro.conf | 23 ++++- etc/apache2/mods-available/ssl.conf | 85 ------------------- .../sites-available/001-default-ssl.conf | 1 + install.sh | 23 +++-- 5 files changed, 36 insertions(+), 99 deletions(-) delete mode 100644 etc/apache2/mods-available/ssl.conf diff --git a/bin/vhost-enable.sh b/bin/vhost-enable.sh index 3efe1a1..d908f4d 100755 --- a/bin/vhost-enable.sh +++ b/bin/vhost-enable.sh @@ -31,6 +31,7 @@ help() echo " vhost-enable.sh -m VHostSubdomainHTTPS -d staging.example.com" echo " vhost-enable.sh -m VHostSubdomainHTTPSVarnish -d staging.example.com" echo " vhost-enable.sh -m VMailHTTPS -d mail.example.com" + echo " vhost-enable.sh -m Mailman3HTTPS -d lists.example.com" echo " vhost-enable.sh -m RedirectHTTP -d example.com -o https://www.example.org" echo " vhost-enable.sh -m RedirectHTTPS -d example.com -o https://www.example.org" echo " vhost-enable.sh -m VHostAliasHTTP -d example.com -o example.org" @@ -54,6 +55,8 @@ fi if [[ ! -n $macro ]]; then if [[ "$domain" =~ ^mail.* ]]; then macro=VMailHTTPS + elif [[ "$domain" =~ ^lists.* ]]; then + macro=Mailman3HTTPS elif [[ -f "/etc/ssl/letsencrypt/$domain.pem" ]]; then macro=VHostHTTPS else diff --git a/etc/apache2/mods-available/macro.conf b/etc/apache2/mods-available/macro.conf index b775f08..1540b6e 100644 --- a/etc/apache2/mods-available/macro.conf +++ b/etc/apache2/mods-available/macro.conf @@ -7,6 +7,7 @@ # *only use one of the VHost options above at at time* # # VMailHTTPS for webmail at mail. subdomain assumes & requires https w/ valid cert +# Mailman3HTTPS for mailman3 lists at lists. subdomain assumes & requires https w/ valid cert # # RedirectHTTP for http only # RedirectHTTPS for http & https @@ -203,7 +204,7 @@ -# Webmail - HTTP Port 80 Redirects to HTTPS Port 443 +# Webmail - HTTP Port 80 Redirects to HTTPS Port 443. Expects mail. subdomain ServerName $vhost @@ -221,6 +222,26 @@ +# Mailman3 - HTTP Port 80 Redirects to HTTPS Port 443. Expects lists. subdomain + + + ServerName $vhost + + + Redirect / https://$vhost + + + + + ServerName $vhost + DocumentRoot /srv/www/html + Include /etc/mailman3/apache.conf + RedirectMatch ^/$ /mailman3 + SSLEngine on + SSLCertificateFile /etc/ssl/letsencrypt/$vhost.pem + + + ServerName $vhost diff --git a/etc/apache2/mods-available/ssl.conf b/etc/apache2/mods-available/ssl.conf deleted file mode 100644 index 7e36463..0000000 --- a/etc/apache2/mods-available/ssl.conf +++ /dev/null @@ -1,85 +0,0 @@ - - - # Pseudo Random Number Generator (PRNG): - # Configure one or more sources to seed the PRNG of the SSL library. - # The seed data should be of good random quality. - # WARNING! On some platforms /dev/random blocks if not enough entropy - # is available. This means you then cannot use the /dev/random device - # because it would lead to very long connection times (as long as - # it requires to make more entropy available). But usually those - # platforms additionally provide a /dev/urandom device which doesn't - # block. So, if available, use this one instead. Read the mod_ssl User - # Manual for more details. - # - SSLRandomSeed startup builtin - SSLRandomSeed startup file:/dev/urandom 512 - SSLRandomSeed connect builtin - SSLRandomSeed connect file:/dev/urandom 512 - - ## - ## SSL Global Context - ## - ## All SSL configuration in this context applies both to - ## the main server and all SSL-enabled virtual hosts. - ## - - # - # Some MIME-types for downloading Certificates and CRLs - # - AddType application/x-x509-ca-cert .crt - AddType application/x-pkcs7-crl .crl - - # Pass Phrase Dialog: - # Configure the pass phrase gathering process. - # The filtering dialog program (`builtin' is a internal - # terminal dialog) has to provide the pass phrase on stdout. - SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase - - # Inter-Process Session Cache: - # Configure the SSL Session Cache: First the mechanism - # to use and second the expiring timeout (in seconds). - # (The mechanism dbm has known memory leaks and should not be used). - #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache - SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) - SSLSessionCacheTimeout 300 - - # Semaphore: - # Configure the path to the mutual exclusion semaphore the - # SSL engine uses internally for inter-process synchronization. - # (Disabled by default, the global Mutex directive consolidates by default - # this) - #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache - - - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. See the - # ciphers(1) man page from the openssl package for list of all available - # options. - # Enable only secure ciphers: - SSLCipherSuite HIGH:!aNULL - - # SSL server cipher order preference: - # Use server priorities for cipher algorithm choice. - # Clients may prefer lower grade encryption. You should enable this - # option if you want to enforce stronger encryption, and can afford - # the CPU cost, and did not override SSLCipherSuite in a way that puts - # insecure ciphers first. - # Default: Off - #SSLHonorCipherOrder on - - # The protocols to enable. - # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 - # SSL v2 is no longer supported - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - - # Allow insecure renegotiation with clients which do not yet support the - # secure renegotiation protocol. Default: Off - #SSLInsecureRenegotiation on - - # Whether to forbid non-SNI clients to access name based virtual hosts. - # Default: Off - #SSLStrictSNIVHostCheck On - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/etc/apache2/sites-available/001-default-ssl.conf b/etc/apache2/sites-available/001-default-ssl.conf index 8c3a5fe..21e57b3 100644 --- a/etc/apache2/sites-available/001-default-ssl.conf +++ b/etc/apache2/sites-available/001-default-ssl.conf @@ -13,5 +13,6 @@ SSLOptions +StdEnvVars + #Include /etc/mailman3/apache.conf diff --git a/install.sh b/install.sh index 39b7869..e58285f 100755 --- a/install.sh +++ b/install.sh @@ -5,13 +5,11 @@ if [ "${EUID}" -ne 0 ]; then exit fi -# check for Ubuntu 20.04 -if ! grep -q "Ubuntu 22.04" /etc/issue; then - echo "This installer is only tested on Ubuntu 22.04. If you are on a" - echo "different version of Ubuntu or a Debian/Debian based distro" - echo "and want to try running this installer open this script and" - echo "comment out the exit command below this line and re-run." - exit +# check for Ubuntu 22.04 (jammy) or Debian 12 (bookworm) +os_codename=`lsb_release -cs` +if [ $os_codename != jammy ] && [ $os_codename != bookworm ]; then + echo "This installer only runs on Ubuntu 22.04 (jammy) or Debian 12 (Bookworm), bailing out." + exit 1 fi # check if install is already in place @@ -20,14 +18,12 @@ if [ -f "/usr/local/bin/vhost.sh" ]; then exit fi -# check for existing web server software installs +# check for existing Let's Encrypt install if [ -d "/etc/apache2/" ] || [ -d "/etc/php/" ] || [ -d "/etc/varnish/" ]; then echo echo "WARNING: Apache, Varnish and/or PHP are already installed." - echo "This installer will overwrite existing configurations." - echo -e "You have five seconds to execute ctrl-c to cancel this install.\a" - echo - sleep 5 + echo "You must purge any existing Apache, PHP & Varnish installs before running this." + exit 1 fi # check for dpkg lock @@ -98,6 +94,7 @@ a2enconf php$phpVersion-fpm phpMyAdmin cp etc/apache2/mods-available/* /etc/apache2/mods-available/ chmod 644 /etc/apache2/mods-available/*.conf chown root:root /etc/apache2/mods-available/*.conf +sed -i "s|SSLProtocol.*|SSLProtocol TLSv1.2|g" /etc/apache2/mods-available/ssl.conf # set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain. sed -i "s|example.com|$vhostdomain|g" /etc/apache2/mods-available/macro.conf # a2enmod proxy_fcgi rewrite headers expires ssl http2 remoteip macro @@ -280,5 +277,5 @@ fi echo echo "To enable the default https host install letsencrypt-tools and then run:" echo "letsencrypt-certonly.sh -d $fqdn" -echo "a2ensite 000-default-ssl.conf" +echo "a2ensite 001-default-ssl.conf" echo "systemctl reload apache2"