Prepared loggin on ssl_peer_add
parent
33b9b97af1
commit
9fb72a3fce
@ -12,11 +12,22 @@
CONFIG_FILE='/etc/wgapi/config'
CONFIG_FILE='/etc/wgapi/config'
[ ${#} -eq 0 ] || exit 3
[ ${#} -eq 0 ] || (
(( EUID == 0 )) || exit 6
printf 'ERROR! Invalid number of arguments to %s: %s\n' "${0}" "${*}" >>"${LOGFILE}"
[ -f "${CONFIG_FILE}" ] || exit 4
exit 3
[ -x '/usr/bin/openssl' ] || exit 5
)
[ -f '/etc/ssl/openssl.cnf' ] || exit 5
[ -f "${CONFIG_FILE}" ] || (
printf 'ERROR! %s couldnt find %s\n' "${0}" "${*}" >>"${LOGFILE}"
exit 4
)
[ -x '/usr/bin/openssl' ] || (
printf 'ERROR! /usr/bin/openssl not found!\n' >>"${LOGFILE}"
exit 5
)
[ -f '/etc/ssl/openssl.cnf' ] || (
printf 'ERROR! /etc/ssl/openssl.cnf not found!\n' >>"${LOGFILE}"
exit 5
)
source "${CONFIG_FILE}"
source "${CONFIG_FILE}"
hostname="${1}"
hostname="${1}"
@ -26,7 +37,7 @@ ipstring="${3}"
printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
# Generate key
# Generate key
/usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >/dev/null 2>&1 || (
sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >/dev/null 2>&1 || (
printf 'Failed to generate SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
printf 'Failed to generate SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
exit 7
)
)
@ -34,7 +45,7 @@ printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD}
printf 'SSL key %s/%s/server.key was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
printf 'SSL key %s/%s/server.key was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
exit 7
)
)
chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" || (
sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" || (
printf 'Failed to chmod SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
printf 'Failed to chmod SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
exit 7
)
)
@ -49,7 +60,7 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \
)
)
# Generate CSR
# Generate CSR
/usr/bin/openssl req -new -sha256 -reqexts SAN \
sudo /usr/bin/openssl req -new -sha256 -reqexts SAN \
-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \
-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
@ -60,7 +71,7 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \
)
)
# Generate cert
# Generate cert
/usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
@ -74,12 +85,12 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \
printf 'SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
printf 'SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
exit 7
)
)
chmod 644 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" || (
sudo chmod 644 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" || (
printf 'Failed to chmod SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >>"${LOGFILE}"
printf 'Failed to chmod SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
exit 7
)
)
# Remove old files
# Remove old files
rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null
sudo rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null
printf 'SSL certs for %s.%s.%s are ready\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
printf 'SSL certs for %s.%s.%s are ready\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
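Review bot: Every `exit` this hunk adds at L33, L51, L67 and L83 runs inside a `( … )` subshell, so it only ends that subshell: the error is appended to the log and the script then continues into `source "${CONFIG_FILE}"` and the openssl calls with the very precondition that just failed. A brace group keeps the exit in the main shell, e.g. `[ -f "${CONFIG_FILE}" ] || {` … `exit 4; }`, and the same change applies to the pre-existing `|| (` blocks this commit prefixes with sudo at L122, L161 and L274. The message at L47 prints `"${*}"` (the arguments) where the missing path was meant; `printf 'ERROR! %s couldnt find %s\n' "${0}" "${CONFIG_FILE}" >>"${LOGFILE}"` reports what was actually looked for. If `LOGFILE` is only set by the config file sourced at L92 rather than above this hunk, the four new error lines redirect to an empty path and are lost — that cannot be confirmed from the visible lines. Separately, `[ ${#} -eq 0 ]` at L23 rejects any non-zero argument count although `hostname="${1}"` at L100 needs arguments; this predates the commit but now carries an "Invalid number of arguments" message that will fire on every real call.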
@ -1,9 +1,15 @@
FROM debian:latest
FROM debian:latest
# Change these
ENV LISTEN_PORT=8080
ENV LISTEN_PORT=8080
ENV ADMIN_EMAIL='me@example.com'
ENV ADMIN_EMAIL='me@example.com'
# Install deps
RUN apt-get update && apt-get install --yes \
RUN apt-get update && apt-get install --yes \
sudo curl apache2 openssl wireguard-tools dnsutils ipv6calc jq \
sudo curl apache2 openssl wireguard-tools dnsutils ipv6calc jq \
&& rm -rf /var/lib/apt/lists/*
&& rm -rf /var/lib/apt/lists/*
# Configure apache
RUN a2enmod cgi rewrite
RUN a2enmod cgi rewrite
RUN sed -i "s/^Listen 80$/Listen ${LISTEN_PORT}/" \
RUN sed -i "s/^Listen 80$/Listen ${LISTEN_PORT}/" \
/etc/apache2/ports.conf
/etc/apache2/ports.conf
@ -13,8 +19,15 @@ RUN sed -i "s/ServerAdmin .*$/ServerAdmin ${ADMIN_EMAIL}/" \
/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-available/000-default.conf
RUN sed -i "s|DocumentRoot .*$|DocumentRoot /var/www/cgi-bin\n\tScriptAlias / /var/www/cgi-bin/index.cgi|" \
RUN sed -i "s|DocumentRoot .*$|DocumentRoot /var/www/cgi-bin\n\tScriptAlias / /var/www/cgi-bin/index.cgi|" \
/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-available/000-default.conf
RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl" | sudo EDITOR='tee -a' visudo
# Allow http to run these binaries as root with sudo
RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl, /usr/bin/rm, /usr/bin/chmod" \
| sudo EDITOR='tee -a' visudo
# Prepare filesystem
RUN touch /var/local/wgapi_tokens
RUN touch /var/local/wgapi_tokens
RUN chown www-data:www-data /var/local/wgapi_tokens
RUN chown www-data:www-data /var/local/wgapi_tokens
# Run time!
EXPOSE ${LISTEN_PORT}
EXPOSE ${LISTEN_PORT}
CMD ["apachectl", "-D", "FOREGROUND"]
CMD ["apachectl", "-D", "FOREGROUND"]
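Review bot: The sudoers rule at L410 gives www-data passwordless root for `/usr/bin/rm` and `/usr/bin/chmod` (in addition to openssl) with no argument restriction, which is root-equivalent for the web server's user: anything that can run commands as www-data can remove or re-mode any file on the box, and openssl run as root can read any file, including the CA key the signing script passes as `-CAkey "${SSL_CA_KEY}"`. The grant should be narrowed to the exact invocations the script needs (sudoers accepts command arguments in the rule), or better, the privileged steps should move into one root-owned helper that takes only the username and hostname, validates them, and is the sole command in the rule. Because a RUN step already executes as root during the build, the `sudo` in `sudo EDITOR='tee -a' visudo` is redundant; the conventional form is a drop-in that is syntax-checked, e.g. `RUN printf 'www-data ALL=(root) NOPASSWD: /usr/local/sbin/wgapi-helper\n' > /etc/sudoers.d/wgapi && chmod 440 /etc/sudoers.d/wgapi && visudo -cf /etc/sudoers.d/wgapi` (the helper path is a placeholder). The unpinned `FROM debian:latest` at L318 is pre-existing context but is worth pinning to a release tag in the same pass, since the sudo and apache behaviour this image relies on can change between Debian releases.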