add Debian 12 bookworm install support, add Mailman3 option for mod_macro
parent
a2a5e192db
commit
f6a7b845f6
|
@ -31,6 +31,7 @@ help()
|
|||
echo " vhost-enable.sh -m VHostSubdomainHTTPS -d staging.example.com"
|
||||
echo " vhost-enable.sh -m VHostSubdomainHTTPSVarnish -d staging.example.com"
|
||||
echo " vhost-enable.sh -m VMailHTTPS -d mail.example.com"
|
||||
echo " vhost-enable.sh -m Mailman3HTTPS -d lists.example.com"
|
||||
echo " vhost-enable.sh -m RedirectHTTP -d example.com -o https://www.example.org"
|
||||
echo " vhost-enable.sh -m RedirectHTTPS -d example.com -o https://www.example.org"
|
||||
echo " vhost-enable.sh -m VHostAliasHTTP -d example.com -o example.org"
|
||||
|
@ -54,6 +55,8 @@ fi
|
|||
if [[ ! -n $macro ]]; then
|
||||
if [[ "$domain" =~ ^mail.* ]]; then
|
||||
macro=VMailHTTPS
|
||||
elif [[ "$domain" =~ ^lists.* ]]; then
|
||||
macro=Mailman3HTTPS
|
||||
elif [[ -f "/etc/ssl/letsencrypt/$domain.pem" ]]; then
|
||||
macro=VHostHTTPS
|
||||
else
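Review bot: The new `^lists.*` branch (like the `^mail.*` branch it mirrors) anchors only the prefix, so a domain such as `listserv.example.com` or `mailgun.example.com` is silently assigned the Mailman3HTTPS/VMailHTTPS macro; anchoring on the label boundary, `elif [[ "$domain" =~ ^lists\. ]]; then`, selects only the intended `lists.` subdomain. Mailman3HTTPS also hard-requires `/etc/ssl/letsencrypt/$domain.pem` (per the macro.conf comment in this commit), yet unlike the VHostHTTPS branch it does not check the certificate exists before choosing the macro, so a missing cert only surfaces when Apache is reloaded; a guard such as `elif [[ "$domain" =~ ^lists\. && -f "/etc/ssl/letsencrypt/$domain.pem" ]]; then` (or an explicit error in the `lists.` branch) fails earlier and more clearly. The enclosing if/elif chain continues past the end of the hunk.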
|
||||
|
|
|
@ -7,6 +7,7 @@
|
|||
# *only use one of the VHost options above at at time*
|
||||
#
|
||||
# VMailHTTPS for webmail at mail. subdomain assumes & requires https w/ valid cert
|
||||
# Mailman3HTTPS for mailman3 lists at lists. subdomain assumes & requires https w/ valid cert
|
||||
#
|
||||
# RedirectHTTP for http only
|
||||
# RedirectHTTPS for http & https
|
||||
|
@ -203,7 +204,7 @@
|
|||
</VirtualHost>
|
||||
</Macro>
|
||||
|
||||
# Webmail - HTTP Port 80 Redirects to HTTPS Port 443
|
||||
# Webmail - HTTP Port 80 Redirects to HTTPS Port 443. Expects mail. subdomain
|
||||
<Macro VMailHTTPS $vhost>
|
||||
<VirtualHost *:80>
|
||||
ServerName $vhost
|
||||
|
@ -221,6 +222,26 @@
|
|||
</VirtualHost>
|
||||
</Macro>
|
||||
|
||||
# Mailman3 - HTTP Port 80 Redirects to HTTPS Port 443. Expects lists. subdomain
|
||||
<Macro Mailman3HTTPS $vhost>
|
||||
<VirtualHost *:80>
|
||||
ServerName $vhost
|
||||
<Location "/">
|
||||
<If "%{REQUEST_URI} !~ m#^/.well-known/acme-challenge/#">
|
||||
Redirect / https://$vhost
|
||||
</If>
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
<VirtualHost *:443>
|
||||
ServerName $vhost
|
||||
DocumentRoot /srv/www/html
|
||||
Include /etc/mailman3/apache.conf
|
||||
RedirectMatch ^/$ /mailman3
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/ssl/letsencrypt/$vhost.pem
|
||||
</VirtualHost>
|
||||
</Macro>
|
||||
|
||||
<Macro RedirectHTTP $vhost $redirect>
|
||||
<VirtualHost *:80>
|
||||
ServerName $vhost
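Review bot: In the port-80 vhost of the new Mailman3HTTPS macro, `Redirect / https://$vhost` has no trailing slash on the target; mod_alias appends whatever follows the matched `/` prefix verbatim, so a request for `/mailman3/lists/` would, as far as I can tell, be redirected to `https://$vhostmailman3/lists/`. `Redirect permanent / https://$vhost/` fixes the join and also turns the HTTPS upgrade into a cacheable 301 rather than the default 302. The same applies to the VMailHTTPS macro if it uses the same form, but its body is outside the hunk. Separately, the 443 vhost sets only `SSLCertificateFile`, which works only if `$vhost.pem` bundles the private key with the certificate chain; a comment on the macro stating that expectation would help, e.g. `# $vhost.pem must contain the private key followed by the full chain`.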
|
||||
|
|
|
@ -1,85 +0,0 @@
|
|||
<IfModule mod_ssl.c>
|
||||
|
||||
# Pseudo Random Number Generator (PRNG):
|
||||
# Configure one or more sources to seed the PRNG of the SSL library.
|
||||
# The seed data should be of good random quality.
|
||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||
# is available. This means you then cannot use the /dev/random device
|
||||
# because it would lead to very long connection times (as long as
|
||||
# it requires to make more entropy available). But usually those
|
||||
# platforms additionally provide a /dev/urandom device which doesn't
|
||||
# block. So, if available, use this one instead. Read the mod_ssl User
|
||||
# Manual for more details.
|
||||
#
|
||||
SSLRandomSeed startup builtin
|
||||
SSLRandomSeed startup file:/dev/urandom 512
|
||||
SSLRandomSeed connect builtin
|
||||
SSLRandomSeed connect file:/dev/urandom 512
|
||||
|
||||
##
|
||||
## SSL Global Context
|
||||
##
|
||||
## All SSL configuration in this context applies both to
|
||||
## the main server and all SSL-enabled virtual hosts.
|
||||
##
|
||||
|
||||
#
|
||||
# Some MIME-types for downloading Certificates and CRLs
|
||||
#
|
||||
AddType application/x-x509-ca-cert .crt
|
||||
AddType application/x-pkcs7-crl .crl
|
||||
|
||||
# Pass Phrase Dialog:
|
||||
# Configure the pass phrase gathering process.
|
||||
# The filtering dialog program (`builtin' is a internal
|
||||
# terminal dialog) has to provide the pass phrase on stdout.
|
||||
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
|
||||
|
||||
# Inter-Process Session Cache:
|
||||
# Configure the SSL Session Cache: First the mechanism
|
||||
# to use and second the expiring timeout (in seconds).
|
||||
# (The mechanism dbm has known memory leaks and should not be used).
|
||||
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
||||
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
|
||||
SSLSessionCacheTimeout 300
|
||||
|
||||
# Semaphore:
|
||||
# Configure the path to the mutual exclusion semaphore the
|
||||
# SSL engine uses internally for inter-process synchronization.
|
||||
# (Disabled by default, the global Mutex directive consolidates by default
|
||||
# this)
|
||||
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
|
||||
|
||||
|
||||
# SSL Cipher Suite:
|
||||
# List the ciphers that the client is permitted to negotiate. See the
|
||||
# ciphers(1) man page from the openssl package for list of all available
|
||||
# options.
|
||||
# Enable only secure ciphers:
|
||||
SSLCipherSuite HIGH:!aNULL
|
||||
|
||||
# SSL server cipher order preference:
|
||||
# Use server priorities for cipher algorithm choice.
|
||||
# Clients may prefer lower grade encryption. You should enable this
|
||||
# option if you want to enforce stronger encryption, and can afford
|
||||
# the CPU cost, and did not override SSLCipherSuite in a way that puts
|
||||
# insecure ciphers first.
|
||||
# Default: Off
|
||||
#SSLHonorCipherOrder on
|
||||
|
||||
# The protocols to enable.
|
||||
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
|
||||
# SSL v2 is no longer supported
|
||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||
|
||||
# Allow insecure renegotiation with clients which do not yet support the
|
||||
# secure renegotiation protocol. Default: Off
|
||||
#SSLInsecureRenegotiation on
|
||||
|
||||
# Whether to forbid non-SNI clients to access name based virtual hosts.
|
||||
# Default: Off
|
||||
#SSLStrictSNIVHostCheck On
|
||||
|
||||
</IfModule>
|
||||
|
||||
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
|
|
@ -13,5 +13,6 @@
|
|||
<Directory /usr/lib/cgi-bin>
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
#Include /etc/mailman3/apache.conf
|
||||
</VirtualHost>
|
||||
</IfModule>
|
||||
|
|
23
install.sh
23
install.sh
|
@ -5,13 +5,11 @@ if [ "${EUID}" -ne 0 ]; then
|
|||
exit
|
||||
fi
|
||||
|
||||
# check for Ubuntu 20.04
|
||||
if ! grep -q "Ubuntu 22.04" /etc/issue; then
|
||||
echo "This installer is only tested on Ubuntu 22.04. If you are on a"
|
||||
echo "different version of Ubuntu or a Debian/Debian based distro"
|
||||
echo "and want to try running this installer open this script and"
|
||||
echo "comment out the exit command below this line and re-run."
|
||||
exit
|
||||
# check for Ubuntu 22.04 (jammy) or Debian 12 (bookworm)
|
||||
os_codename=`lsb_release -cs`
|
||||
if [ $os_codename != jammy ] && [ $os_codename != bookworm ]; then
|
||||
echo "This installer only runs on Ubuntu 22.04 (jammy) or Debian 12 (Bookworm), bailing out."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# check if install is already in place
|
||||
|
@ -20,14 +18,12 @@ if [ -f "/usr/local/bin/vhost.sh" ]; then
|
|||
exit
|
||||
fi
|
||||
|
||||
# check for existing web server software installs
|
||||
# check for existing Let's Encrypt install
|
||||
if [ -d "/etc/apache2/" ] || [ -d "/etc/php/" ] || [ -d "/etc/varnish/" ]; then
|
||||
echo
|
||||
echo "WARNING: Apache, Varnish and/or PHP are already installed."
|
||||
echo "This installer will overwrite existing configurations."
|
||||
echo -e "You have five seconds to execute ctrl-c to cancel this install.\a"
|
||||
echo
|
||||
sleep 5
|
||||
echo "You must purge any existing Apache, PHP & Varnish installs before running this."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# check for dpkg lock
|
||||
|
@ -98,6 +94,7 @@ a2enconf php$phpVersion-fpm phpMyAdmin
|
|||
cp etc/apache2/mods-available/* /etc/apache2/mods-available/
|
||||
chmod 644 /etc/apache2/mods-available/*.conf
|
||||
chown root:root /etc/apache2/mods-available/*.conf
|
||||
sed -i "s|SSLProtocol.*|SSLProtocol TLSv1.2|g" /etc/apache2/mods-available/ssl.conf
|
||||
# set vhost subodmain to domain name of server, users may want to consider changing this to a custom domain.
|
||||
sed -i "s|example.com|$vhostdomain|g" /etc/apache2/mods-available/macro.conf
|
||||
# a2enmod proxy_fcgi rewrite headers expires ssl http2 remoteip macro
|
||||
|
@ -280,5 +277,5 @@ fi
|
|||
echo
|
||||
echo "To enable the default https host install letsencrypt-tools and then run:"
|
||||
echo "letsencrypt-certonly.sh -d $fqdn"
|
||||
echo "a2ensite 000-default-ssl.conf"
|
||||
echo "a2ensite 001-default-ssl.conf"
|
||||
echo "systemctl reload apache2"
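Review bot: `sed -i "s|SSLProtocol.*|SSLProtocol TLSv1.2|g" /etc/apache2/mods-available/ssl.conf`, which I take to be the line this commit adds in place of the repo ssl.conf it deletes, pins the packaged ssl.conf to TLS 1.2 only, so TLS 1.3 (which the deleted file still permitted via `all -SSLv3 -TLSv1 -TLSv1.1`) is now disabled for every vhost; `sed -i "s|^SSLProtocol.*|SSLProtocol -all +TLSv1.2 +TLSv1.3|" /etc/apache2/mods-available/ssl.conf` keeps the legacy protocols off without losing 1.3, and the `^` anchor stops the pattern from rewriting comment lines that merely mention the directive. If the rest of the deleted file matched the distro defaults (cipher suite, cipher order) nothing else is lost, but a comment saying the packaged ssl.conf is now relied on and only the protocol line is patched would spare the next reader the archaeology. In the OS check, `os_codename=\`lsb_release -cs\`` is used unquoted in `[ $os_codename != jammy ]`; on a minimal image without lsb-release the variable is empty, `[` errors out with a non-zero status, the `&&` chain evaluates false and the guard is skipped entirely. `os_codename=$(. /etc/os-release && echo "$VERSION_CODENAME")` together with `if [ "$os_codename" != jammy ] && [ "$os_codename" != bookworm ]; then` closes that hole (an empty codename then correctly bails out). Also, the comment `# check for existing Let's Encrypt install`, if that is the new line, describes a check that actually tests for the Apache, PHP and Varnish directories; `# refuse to run over an existing Apache, PHP or Varnish install` matches the code.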
|
||||
|
|