Prepared loggin on ssl_peer_add
parent
33b9b97af1
commit
9fb72a3fce
|
@ -12,11 +12,22 @@
|
|||
|
||||
|
||||
CONFIG_FILE='/etc/wgapi/config'
|
||||
[ ${#} -eq 0 ] || exit 3
|
||||
(( EUID == 0 )) || exit 6
|
||||
[ -f "${CONFIG_FILE}" ] || exit 4
|
||||
[ -x '/usr/bin/openssl' ] || exit 5
|
||||
[ -f '/etc/ssl/openssl.cnf' ] || exit 5
|
||||
[ ${#} -eq 0 ] || (
|
||||
printf 'ERROR! Invalid number of arguments to %s: %s\n' "${0}" "${*}" >>"${LOGFILE}"
|
||||
exit 3
|
||||
)
|
||||
[ -f "${CONFIG_FILE}" ] || (
|
||||
printf 'ERROR! %s couldnt find %s\n' "${0}" "${*}" >>"${LOGFILE}"
|
||||
exit 4
|
||||
)
|
||||
[ -x '/usr/bin/openssl' ] || (
|
||||
printf 'ERROR! /usr/bin/openssl not found!\n' >>"${LOGFILE}"
|
||||
exit 5
|
||||
)
|
||||
[ -f '/etc/ssl/openssl.cnf' ] || (
|
||||
printf 'ERROR! /etc/ssl/openssl.cnf not found!\n' >>"${LOGFILE}"
|
||||
exit 5
|
||||
)
|
||||
source "${CONFIG_FILE}"
|
||||
|
||||
hostname="${1}"
|
||||
|
@ -26,7 +37,7 @@ ipstring="${3}"
|
|||
printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
|
||||
|
||||
# Generate key
|
||||
/usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >/dev/null 2>&1 || (
|
||||
sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >/dev/null 2>&1 || (
|
||||
printf 'Failed to generate SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
|
||||
exit 7
|
||||
)
|
||||
|
@ -34,7 +45,7 @@ printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD}
|
|||
printf 'SSL key %s/%s/server.key was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
|
||||
exit 7
|
||||
)
|
||||
chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" || (
|
||||
sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" || (
|
||||
printf 'Failed to chmod SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
|
||||
exit 7
|
||||
)
|
||||
|
@ -49,7 +60,7 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \
|
|||
)
|
||||
|
||||
# Generate CSR
|
||||
/usr/bin/openssl req -new -sha256 -reqexts SAN \
|
||||
sudo /usr/bin/openssl req -new -sha256 -reqexts SAN \
|
||||
-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \
|
||||
-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
|
||||
-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
|
||||
|
@ -60,7 +71,7 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \
|
|||
)
|
||||
|
||||
# Generate cert
|
||||
/usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
|
||||
sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
|
||||
-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
|
||||
-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
|
||||
-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
|
||||
|
@ -74,12 +85,12 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \
|
|||
printf 'SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
|
||||
exit 7
|
||||
)
|
||||
chmod 644 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" || (
|
||||
sudo chmod 644 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" || (
|
||||
printf 'Failed to chmod SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >>"${LOGFILE}"
|
||||
exit 7
|
||||
)
|
||||
|
||||
# Remove old files
|
||||
rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null
|
||||
sudo rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null
|
||||
|
||||
printf 'SSL certs for %s.%s.%s are ready\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
|
|
@ -1,9 +1,15 @@
|
|||
FROM debian:latest
|
||||
|
||||
# Change these
|
||||
ENV LISTEN_PORT=8080
|
||||
ENV ADMIN_EMAIL='me@example.com'
|
||||
|
||||
# Install deps
|
||||
RUN apt-get update && apt-get install --yes \
|
||||
sudo curl apache2 openssl wireguard-tools dnsutils ipv6calc jq \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Configure apache
|
||||
RUN a2enmod cgi rewrite
|
||||
RUN sed -i "s/^Listen 80$/Listen ${LISTEN_PORT}/" \
|
||||
/etc/apache2/ports.conf
|
||||
|
@ -13,8 +19,15 @@ RUN sed -i "s/ServerAdmin .*$/ServerAdmin ${ADMIN_EMAIL}/" \
|
|||
/etc/apache2/sites-available/000-default.conf
|
||||
RUN sed -i "s|DocumentRoot .*$|DocumentRoot /var/www/cgi-bin\n\tScriptAlias / /var/www/cgi-bin/index.cgi|" \
|
||||
/etc/apache2/sites-available/000-default.conf
|
||||
RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl" | sudo EDITOR='tee -a' visudo
|
||||
|
||||
# Allow http to run these binaries as root with sudo
|
||||
RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl, /usr/bin/rm, /usr/bin/chmod" \
|
||||
| sudo EDITOR='tee -a' visudo
|
||||
|
||||
# Prepare filesystem
|
||||
RUN touch /var/local/wgapi_tokens
|
||||
RUN chown www-data:www-data /var/local/wgapi_tokens
|
||||
|
||||
# Run time!
|
||||
EXPOSE ${LISTEN_PORT}
|
||||
CMD ["apachectl", "-D", "FOREGROUND"]
|
Loading…
Reference in New Issue