基于Nginx一键部署https

基于Nginx一键部署https

  • 1、基于nginx自动部署https,自动设置301
  • 2、自动判断是否升级nginx和openssl
  • 3、支持wdcp环境或其他已安装好nginx的环境
  • 4、可选:部署时可将nginx的conf目录整体移动到/home/nginx-ssl/conf并在原位置创建软链接;部署完成后vhost目录会备份到/home/nginx-vhost-bak
  • 5、证书路径/home/ssl 以域名命名www.test.com.crt www.test.com.key
  • 6、部署后nginx站点配置文件名为test.com_ssl.conf

具体代码

# Script identity and the runtime files derived from it.
SHELL_NAME='nginx-ssl.sh'
SHELL_DIR='/root'
# Append-only run log, written next to the script's working directory.
SHELL_LOG="$SHELL_DIR/$SHELL_NAME.log"
# Presence of this file means another instance is (or was) running.
LOCK_FILE="/tmp/$SHELL_NAME.lock"
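# myi18n: print one message line in the terminal's charset.
# The script's messages are UTF-8; when $LANG does not advertise UTF-8
# (e.g. a zh_CN.GBK console) the text is transcoded to GBK so it stays
# readable.
# Arguments: $1 - the message.
# Output:    the message on stdout.
# Returns:   0, or 1 (with a usage line on stderr) when not called with
#            exactly one argument. The original printed "demo" and then
#            carried on, which silently produced wrong output.
myi18n() {
    if [ "$#" -ne 1 ]; then
        printf 'usage: myi18n MESSAGE\n' >&2
        return 1
    fi
    local msg=$1
    # printf instead of echo: echo would mangle a message starting with '-'.
    if [[ $LANG =~ [Uu][Tt][Ff] ]]; then
        printf '%s\n' "$msg"
    elif command -v iconv >/dev/null 2>&1; then
        # The '|' is required here; the published listing had lost it.
        printf '%s\n' "$msg" | iconv -f utf-8 -t gbk
    else
        # No iconv on this host: emit the UTF-8 text rather than nothing.
        printf '%s\n' "$msg"
    fi
}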
#Write Log
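# shell_log: append one timestamped line to $SHELL_LOG.
# Arguments: $1 - message text (UTF-8).
# Globals:   SHELL_NAME, SHELL_LOG (read).
# The line goes through myi18n so the log charset matches the console.
# The timestamp format "YYYY-MM-DD HH-MM-SS" (dashes in the time part) is
# kept as-is, since existing log consumers may rely on it; it is now taken
# from a single date call so date and time cannot straddle midnight.
shell_log() {
    local log_info=$1
    local stamp
    stamp=$(date '+%Y-%m-%d %H-%M-%S')
    myi18n "${stamp} : ${SHELL_NAME} : ${log_info}" >> "${SHELL_LOG}"
}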
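# shell_lock: create $LOCK_FILE, refusing to reuse an existing one.
# noclobber (set -C) turns the create into an exclusive open, so two
# instances racing past the "is it running?" check cannot both succeed,
# and a path already planted in world-writable /tmp (including a symlink)
# is refused rather than followed, which plain `touch` would do.
# Returns non-zero if the lock already exists.
shell_lock() {
    ( set -C; : > "${LOCK_FILE}" ) 2>/dev/null
}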
# shell_unlock: remove the lock file; a lock that is already gone is not an error.
shell_unlock() {
    rm -f -- "${LOCK_FILE}"
}
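# end: release the lock and terminate the script.
# Arguments: $1 - exit status (optional, defaults to 0).
# Every error path in this script calls `end 1`, but the original `exit`
# ignored its argument, so a failed deployment still reported success to
# whatever invoked the script.
end() {
    local status=${1:-0}
    shell_unlock
    exit "$status"
}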
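# Startup guard: refuse to run concurrently with another instance.
shell_log "信息:脚本开始运行"
if [ -e "$LOCK_FILE" ]; then
    shell_log "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -rf /tmp/nginx-ssl.sh.lock 命令清理锁文件"
    myi18n "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -rf /tmp/nginx-ssl.sh.lock 命令清理锁文件"
    # Non-zero, so a wrapper can tell "refused to start" from a clean run.
    exit 1
fi
shell_lock
# Drop the lock if the operator interrupts the script at one of its many
# prompts; otherwise the next run is refused until the file is removed by hand.
trap 'rm -f -- "$LOCK_FILE"; exit 130' INT TERM HUP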
# Locate nginx's conf directory. /home/nginx-ssl/conf is where a previous
# run of this script may have relocated it; if it is absent, ask the operator.
homeconfpath=/home/nginx-ssl/conf
if [ ! -d "$homeconfpath" ];then
# An empty answer selects the wdcp panel's default prefix.
myi18n "请输入nginx安装路径,比如:/usr/local/nginx"
myi18n "如果使用wdcp环境,请直接回车"
read -p ": " confpath
if [ -z "$confpath" ] ;then
confpath=/www/wdlinux/nginx
fi
confpath1=${confpath}/conf
# Re-prompt until <prefix>/conf exists. NOTE(review): EOF on stdin yields an
# empty answer, i.e. the wdcp default; if that is also missing this loop never ends.
while [ ! -d "$confpath1" ]
do
myi18n "您输入路径${confpath1}不存在,请重新输入"
shell_log "错误:您输入路径${confpath1}不存在,请重新输入"
read -p ": " confpath
if [ -z "$confpath" ] ;then
confpath=/www/wdlinux/nginx
fi
confpath1=${confpath}/conf
done
# NOTE(review): the condition below reads `[ -z $temp ] [ ! -f "$temp" ]`; the
# `||` between the two tests appears to have been lost in the published
# listing. As written, `[` fails with "too many arguments".
temp=`find $confpath1 -maxdepth 1 -name 'nginx.conf'`
while ([ -z $temp ] [ ! -f "$temp" ])
do
myi18n "nginx安装路径不对,请重新输入"
shell_log "错误:${confpath1} 路径下没有找到nginx.conf,请检查"
echo
read -p ": " confpath
# wdcp=y is only set on this retry path; the first-attempt default above
# does not set it, so the chown further down depends on which path was taken.
if [ -z $confpath ] ;then
confpath=/www/wdlinux/nginx
wdcp=y
fi
confpath1=${confpath}/conf
temp=`find $confpath1 -maxdepth 1 -name 'nginx.conf'`
done
shell_log "信息:nginx配置文件路径 ${confpath1}"
# Optionally move the conf tree to $homeconfpath and symlink it back into the
# nginx prefix. NOTE(review): the prompt says /home/nginx but the actual
# target is $homeconfpath (/home/nginx-ssl/conf).
myi18n "是否一键移动nginx配置文件到/home/nginx目录下并创建好软连接"
read -p "[y/n]: " conf_move
# NOTE(review): EOF on stdin makes this loop spin forever (each read returns an empty answer).
while [[ ! $conf_move =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " conf_move
done
if [ "$conf_move" == 'y' ] ;then
if [ ! -d "$homeconfpath" ];then
mkdir -p $homeconfpath
cp -rf ${confpath}/conf/* $homeconfpath
# `cd` is unchecked: if it fails, `mv conf/ conf-bak/` and the symlink are
# created in whatever the current directory is.
cd $confpath
mv conf/ conf-bak/
ln -sf $homeconfpath conf
if [ "$wdcp" == 'y' ] ;then
chown wdcpu.wdcpg $homeconfpath -R
fi
fi
else
# Not moving: keep using the conf directory inside the nginx prefix.
homeconfpath=${confpath}/conf
fi
else
echo
myi18n "自动搜索到:nginx配置文件路径为 ${homeconfpath}"
shell_log "信息:自动搜索到:nginx配置文件路径为 ${homeconfpath}"
echo
fi
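# Environment detection: a wdcp panel install keeps nginx under /www/wdlinux/nginx.
if [ -d "/www/wdlinux/nginx" ]; then
    wdcp=y
    myi18n "使用wdcp环境,nginx版本为"
    # `nginx -v` prints "nginx version: nginx/1.x.y" on stderr; show the bare number.
    # The '|' is required here; the published listing had lost it.
    /www/wdlinux/nginx/sbin/nginx -v 2>&1 | awk -F '/' '{print $2}'
    shell_log "信息:当前使用wdcp环境"
fi
shell_log "信息:nginx的vhost文件路径 ${homeconfpath}"
homesslpath=/home/ssl
# Certificates and private keys are collected here, named after the domain.
# Create it root-only: the key files copied into it later keep umask
# permissions. nginx loads keys as root at startup, so the worker user does
# not need to read this directory; relax it only if a panel user must.
if [ ! -d "$homesslpath" ]; then
    mkdir -p -m 700 "$homesslpath"
fi
shell_log "信息:ssl证书存放路径 ${homesslpath}"
# Everything that follows (grep *.conf, cp, chown * -R) runs relative to the
# vhost directory, so a failed pushd must abort instead of silently acting on
# whatever the current directory happens to be.
if ! pushd "${homeconfpath}/vhost/" >/dev/null; then
    myi18n "目录 ${homeconfpath}/vhost/ 不存在,无法继续"
    shell_log "错误:目录 ${homeconfpath}/vhost/ 不存在"
    end 1
fi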

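# Ask for the domain to deploy. The value is later used as a grep pattern, as
# sed `a\` text, as a file name under /home/ssl and in a curl URL, so only
# hostname characters are accepted (IDNs must be given in punycode, which is
# also what nginx server_name expects).
myi18n "请输入需要安装证书站点绑定的域名,比如:www.test.com"
myi18n "如果二级域名有绑定到其他站点,请使用www.test.com,不要输入顶级域名"
domain=
while [ -z "$domain" ]; do
    # EOF on stdin (non-interactive run) must abort, not spin forever.
    if ! read -r -p ": " domain; then
        shell_log "错误:无法从标准输入读取域名"
        end 1
    fi
    if [ -z "$domain" ]; then
        myi18n "域名不能为空,请重新输入。"
        echo
    elif [[ ! $domain =~ ^[A-Za-z0-9.-]+$ ]]; then
        myi18n "域名只能包含字母、数字、点和连字符,请重新输入。"
        echo
        domain=
    fi
done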
# Find the HTTP vhost file that names this domain. NOTE(review): the pipes
# between grep, awk and sed were lost in the published listing; the intended
# pipeline is `grep -l " ${domain}" *.conf | awk 'NR==1{print}' | sed 's/\.conf//'`.
# The pattern is an unanchored regex ("." matches any character, and
# " www.test.com" also matches " www.test.com.cn"); only the first matching
# file, in glob order, is used.
files=`grep -l " ${domain}" *.confawk 'NR==1{print}'sed 's/\.conf//'`
if [ ! -n "$files" ] ;then
echo
echo ${domain}
myi18n "关联站点,没有找到!"
shell_log "警告:没有找到域名 ${domain} 对应配置文件"
echo
end 1
fi
files1=${homeconfpath}/vhost/${files}.conf
shell_log "信息:要部署域名 ${domain} 的配置文件是 ${files1}"
# <name>_ssl.conf is the HTTPS vhost this script generates.
sslfile=${homeconfpath}/vhost/${files}_ssl.conf
if [ -f "$sslfile" ];then
# NOTE(review): pipes lost in the listing here as well
# (grep | awk | awk | sed, and grep | awk | sed). The crt extraction keeps
# only the first line; the key extraction does not, so a file with two
# ssl_certificate_key directives yields a multi-line $key and the -f test fails.
crt=`grep -E 'ssl_certificate' ${sslfile}awk -F 'ssl_certificate ' '{print $2}'awk 'NR==1{print}'sed 's/\;//'`
key=`grep -E 'ssl_certificate_key' ${sslfile}awk -F 'ssl_certificate_key ' '{print $2}'sed 's/\;//'`
# Both files present: treat the site as already deployed and stop.
if [ -f "$crt" ] && [ -f "$key" ];then
echo
echo ${domain}
myi18n "关联站点证书已安装!"
shell_log "警告:域名 ${domain} 已成功部署"
echo
end 1
fi
# A stale HTTPS vhost (cert or key missing): offer to delete and regenerate it.
echo
echo ${domain}
myi18n "关联站点ssl配置文件已存在,是否需要删除?"
read -p "[y/n]: " ssl_check
# NOTE(review): EOF on stdin makes this loop spin forever.
while [[ ! $ssl_check =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " ssl_check
done
if [ "$ssl_check" == 'y' ];then
# $sslfile is a single regular file; -r is unnecessary and the path is unquoted.
rm -rf $sslfile
else
echo
echo ${domain}
myi18n "已存在ssl配置文件,请核实后重新运行程序。"
shell_log "警告:要部署域名 ${domain} 已存在部署后配置文件 ${sslfile}"
end 1
fi
fi
# Refuse to proceed while the HTTP vhost already redirects to HTTPS.
# NOTE(review): the trigger is any "https://" in the file (a proxy_pass or a
# comment also matches), while the deletion below removes only
# "return ... 301 https" lines, so the prompt can reappear on the next run.
temp12=`grep -E 'https://' ${files1}`
if [ -n "$temp12" ] ;then
echo
echo ${domain}
myi18n "对应配置文件存在301转向(return 301),是否需要删除?"
read -p "[y/n]: " s_check
# NOTE(review): EOF on stdin makes this loop spin forever.
while [[ ! $s_check =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " s_check
done
if [ "$s_check" == 'y' ];then
# Drops every line containing "return" followed by "301 https" (edits in place, no backup).
sed -i '/^.*return.*301 https/d' $files1
else
echo
echo ${domain}
myi18n "域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
shell_log "警告:域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
end 1
fi
fi
# Final locations of the certificate and key, named after the domain.
crt1=${homesslpath}/${domain}.crt
key1=${homesslpath}/${domain}.key
# No certificate in /home/ssl yet: either merge a vendor .cer with its CA
# bundle into one chain file, or take an already-complete .crt.
if [ ! -f "$crt1" ];then
myi18n "我司申请在nginx上部署需要先合并,请输入y或者n?"
read -p "[y/n]: " crt_yn
# NOTE(review): EOF on stdin makes this loop (and the y/n loops below) spin forever.
while [[ ! $crt_yn =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " crt_yn
done
if [ "$crt_yn" == 'y' ] ;then
myi18n "请输入cer证书路径,比如 /root/test.com.cer"
myi18n "/root/test.com.cer"
read -p "Please reinput crtpath1 : " crtpath1
# NOTE(review): the `||` between the two tests was lost in the published listing.
while ([ -z "$crtpath1" ] [ ! -f "$crtpath1" ])
do
myi18n "需要合并证书1不能为空或路径错误,请重新输入。"
shell_log "警告:需要合并证书1 ${crtpath1} 为空或路径错误"
echo
read -p ": " crtpath1
done
# Derive the sibling CA bundle and key paths from the .cer name.
# NOTE(review): the `|` before awk was lost in the listing; as printed,
# `$crtpath1awk` is an (empty) variable. Also, -F '.cer' is a regex, so "."
# matches any character.
pathtemp=`echo $crtpath1awk -F '.cer' '{print $1}'`
crtpath2temp=${pathtemp}_ca.crt
keypathtemp=${pathtemp}.key
echo $crtpath2temp
echo $keypathtemp
if [ ! -f "$crtpath2temp" ];then
myi18n "/root/test.com_ca.crt"
read -p "Please reinput crtpath2 : " crtpath2
# NOTE(review): `||` lost in the listing, as above.
while ([ -z "$crtpath2" ] [ ! -f "$crtpath2" ])
do
myi18n "需要合并证书2不能为空或路径错误,请重新输入。"
shell_log "警告:需要合并证书2 ${crtpath2} 为空或路径错误"
echo
read -p ": " crtpath2
done
else
crtpath2=$crtpath2temp
echo
myi18n "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
myi18n "系统会自动补全合并为~/${domain}.crt"
shell_log "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
echo
fi
shell_log "信息:域名 ${domain} 需要合并证书1 ${crtpath1}"
shell_log "信息:域名 ${domain} 需要合并证书2 ${crtpath2}"
# Leaf first, then CA bundle — the order nginx expects. NOTE(review): `>>`
# appends, so a rerun after a failed attempt leaves a duplicated chain in
# ~/<domain>.crt; `>` would be the safer choice.
cat $crtpath1 $crtpath2 >> ~/$domain.crt
crtpath=~/${domain}.crt
else
myi18n "请输入需要安装证书路径:eg /root/test.com.crt"
read -p "Please reinput crtpath : " crtpath
# NOTE(review): `||` lost in the listing, as above.
while ([ -z "$crtpath" ] [ ! -f "$crtpath" ])
do
myi18n "crt证书路径不能为空或路径错误,请重新输入。"
shell_log "警告:crt证书路径 ${crtpath} 为空或路径错误"
echo
read -p ": " crtpath
done
fi
cp ${crtpath} ${homesslpath}/${domain}.crt
else
echo
myi18n "自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
shell_log "信息:自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
echo
fi
# Private key. $keypathtemp is only set on the merge path above; otherwise
# the -f test on the empty string fails and the operator is asked.
if [ ! -f "$key1" ] ;then
if [ ! -f "$keypathtemp" ] ;then
myi18n "请输入需要安装证书路径:eg /root/test.com.key"
read -p "Please reinput keypath : " keypath
# NOTE(review): `||` lost in the listing, as above.
while ([ -z "$keypath" ] [ ! -f "$keypath" ])
do
myi18n "key证书路径不能为空或路径错误,请重新输入。"
shell_log "警告:key证书路径 ${keypath} 为空或路径错误"
echo
read -p ": " keypath
done
else
keypath=$keypathtemp
echo
myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
shell_log "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
echo
fi
# NOTE(review): the copied key keeps the source/umask permissions; nothing
# here restricts it to the owner (chmod 600), so it may end up world-readable.
cp ${keypath} ${homesslpath}/${domain}.key
else
echo
myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
shell_log "信息:自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
echo
fi
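shell_log "信息:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
shell_log "信息:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
# The HTTPS vhost starts as a copy of the HTTP one. Absolute paths on both
# sides: the original relied on the earlier pushd into the vhost directory
# having succeeded.
if ! cp -- "${homeconfpath}/vhost/${files}.conf" "${homeconfpath}/vhost/${files}_ssl.conf"; then
    myi18n "复制配置文件 ${files}.conf 失败"
    shell_log "错误:复制 ${homeconfpath}/vhost/${files}.conf 到 ${homeconfpath}/vhost/${files}_ssl.conf 失败"
    end 1
fi
# Log the real path (the original message omitted the /vhost component).
shell_log "信息:域名 ${domain} 部署后 ssl配置文件为 ${homeconfpath}/vhost/${files}_ssl.conf"
if [ "$wdcp" == 'y' ]; then
    # wdcp's panel user must own the vhost files it manages. Name the
    # directory explicitly instead of chown'ing '*' in the current directory.
    chown -R wdcpu:wdcpg -- "${homeconfpath}/vhost"/*
    shell_log "信息:核实为wdcp环境,设置${homeconfpath} 所有者及所属组为wdcpu.wdcpg"
fi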

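# nginx_ssl_directives: turn a copied HTTP vhost file into the HTTPS one.
# Arguments: $1 - vhost file to edit in place
#            $2 - certificate path
#            $3 - private key path
# Only the port in `listen` directives is rewritten (the original replaced
# every "80" in the file, including ones inside paths and log names), and
# the ssl_* directives are inserted once after each `root` directive rather
# than after any line that merely contains "root" (e.g. a /root/... path).
# TLS 1.0/1.1 are deprecated (RFC 8996) and rejected by Apple ATS, which the
# script itself mentions, so only TLSv1.2 is enabled; add TLSv1.3 once the
# nginx/OpenSSL on the host support it.
# Returns non-zero if the file is missing, a path contains a backslash or
# newline (which would be interpreted inside the sed script), or no `root`
# directive was found so nothing was inserted.
nginx_ssl_directives() {
    local conf=$1 crt=$2 key=$3
    [ -f "$conf" ] || return 1
    case "${crt}${key}" in
        *\\*|*$'\n'*) return 1 ;;
    esac
    sed -i -E 's/^([[:space:]]*listen[[:space:]][^;]*)\<80\>/\1443 ssl/' "$conf" || return 1
    # GNU sed: a leading "\ " on an a\ text line preserves the indentation.
    sed -i -e '/^[[:space:]]*root[[:space:]]/a\
\    ssl_certificate '"$crt"';\
\    ssl_certificate_key '"$key"';\
\    ssl_protocols TLSv1.2;\
\    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;' "$conf" || return 1
    # A vhost without a root directive (pure proxy) got no ssl_* lines at all;
    # nginx would later refuse the ssl listener, so fail here instead.
    grep -q '^[[:space:]]*ssl_certificate ' "$conf"
}

if ! nginx_ssl_directives "${sslfile}" "${crt1}" "${key1}"; then
    myi18n "生成 ${sslfile} 失败,请检查该文件是否包含 listen 80 和 root 指令"
    shell_log "错误:生成 ${sslfile} 失败"
    end 1
fi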
# Optional: add an HTTP -> HTTPS redirect to the HTTP vhost.
myi18n "是否需要一键设置301转向,请输入y或者n?"
read -p "[y/n]: " zx_yn
# NOTE(review): EOF on stdin makes this loop spin forever.
while [[ ! $zx_yn =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " zx_yn
done
if [ "$zx_yn" == 'y' ] ;then
# Target host; an empty answer keeps nginx's own $server_name.
# NOTE(review): the answer is spliced unvalidated into the sed script below,
# so a backslash in it is interpreted by sed, and because $server_name1 is
# unquoted in the -z test an answer containing spaces makes `[` error out.
myi18n "请输入跳转后地址比如:"
read -p "${domain}: " server_name1
if [ -z $server_name1 ] ;then
server_name1='$server_name'
fi
request_uri1='$request_uri'
# Appended after every line containing "server_name" in the HTTP vhost: one
# redirect per server block, but also after any comment that mentions it.
sed -i "/server_name/a\ return 301 https://$server_name1$request_uri1;" ${files1}
shell_log "信息:域名 ${domain} 已设置301跳转到https://${server_name1}${request_uri1} ${files1}"
fi
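# Activate the new configuration and open the firewall.
# Validate the generated config first: `service nginxd restart` stops nginx
# before starting it, so a broken vhost would take every site (HTTP too)
# offline instead of just failing this one. The binary is looked up from the
# prefix the operator gave, then the wdcp prefix, then $PATH.
nginx_bin=
for candidate in "${confpath:+${confpath}/sbin/nginx}" /www/wdlinux/nginx/sbin/nginx "$(command -v nginx 2>/dev/null)"; do
    if [ -n "$candidate" ] && [ -x "$candidate" ]; then
        nginx_bin=$candidate
        break
    fi
done
if [ -n "$nginx_bin" ]; then
    if ! "$nginx_bin" -t; then
        myi18n "nginx配置检查未通过,未重启nginx,请检查 ${sslfile}"
        shell_log "错误:nginx -t 检查未通过,未重启nginx"
        end 1
    fi
else
    shell_log "警告:未找到nginx可执行文件,跳过配置检查"
fi
service nginxd restart
# Firewall: this only knows the iptables-save style /etc/sysconfig/iptables
# used by older CentOS hosts; firewalld/nftables hosts need the 443 rule
# added by hand. The '|' before grep had been lost in the published listing.
if iptables -L -n 2>/dev/null | grep -qw dpt:80; then
    if iptables -L -n 2>/dev/null | grep -qw dpt:443; then
        myi18n "核实已放行443端口"
    else
        echo
        myi18n "正在放行443端口"
        echo
        # Insert the 443 ACCEPT right after the existing port-80 rule so it
        # lands in the same chain position, then reload the ruleset.
        sed -i "/dport 80 -j ACCEPT/a\-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" /etc/sysconfig/iptables
        service iptables restart
    fi
else
    myi18n "iptables服务似乎没有运行"
fi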
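# Smoke-test the new listener. A failure is reported but not fatal, since DNS
# may not yet point at this host; the headers are still printed on success.
if ! curl -sS -I --max-time 15 "https://${domain}"; then
    myi18n "https://${domain} 访问检查未通过,请核实DNS解析及证书链"
    shell_log "警告:curl -I https://${domain} 失败"
fi
echo
echo "${domain}"
myi18n "关联站点证书已安装完成!"
myi18n "证书文件存放/home/ssl,以域名方式命名。"
echo
myi18n "域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
myi18n "域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
echo
# Snapshot of the vhost directory as it is now, i.e. after this run's edits
# (it is not a pre-change backup). Copy the directory's contents so a second
# run refreshes the snapshot instead of nesting vhost/ inside the existing
# backup directory, which is what `cp -rf dir existing-dir` does.
mkdir -p /home/nginx-vhost-bak
cp -rf "${homeconfpath}/vhost/." /home/nginx-vhost-bak/
myi18n "同时已备份当前nginx配置文件到/home/nginx-vhost-bak"
if [ "$wdcp" == 'y' ]; then
    myi18n "如果使用wdcp环境,请不要登录wdcp切换web引擎,否则配置文件将被覆盖!"
fi
shell_log "信息:${domain} 关联站点证书已安装完成"
# The optional upgrade step below downloads into /root.
pushd /root/ >/dev/null || shell_log "警告:无法进入 /root 目录"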
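# Optional wdcp-only step: upgrade nginx/OpenSSL with the vendor's script.
# The absence of /www/wdlinux/nginx-1.10.2 is taken as the "old version"
# signal, presumably because that is the prefix the upgrade installs.
if [ "$wdcp" == 'y' ] && [ ! -d /www/wdlinux/nginx-1.10.2 ]; then
    myi18n "核实nginx和openssl版本较低,若要通过苹果ats认证,请升级"
    # homemove: after the upgrade, relocate the new nginx's conf directory to
    # $homeconfpath and leave a symlink behind, unless it already lives there.
    homemove() {
        local prefix=/www/wdlinux/nginx
        if [ "${homeconfpath}" == "${prefix}/conf" ]; then
            echo "$homeconfpath"
            myi18n "不需要移动配置文件"
        else
            cp -rf "${prefix}/conf/"* "$homeconfpath"
            # Do not mv/ln in the wrong directory if the prefix is unreadable.
            cd "$prefix" || return 1
            mv conf/ conf-bak/
            ln -sf "$homeconfpath" conf
            chown -R wdcpu:wdcpg "$homeconfpath"
        fi
    }
    update=
    while [[ ! $update =~ ^[yn]$ ]]; do
        # On EOF default to "no" instead of re-prompting forever.
        read -r -p "[y/n]: " update || update=n
        if [[ ! $update =~ ^[yn]$ ]]; then
            echo "input error! Please only input 'y' or 'n'"
            echo
        fi
    done
    if [ "$update" == 'y' ]; then
        # SECURITY: this fetches a shell script over plain HTTP and runs it as
        # root with no signature or checksum check, so anyone on the network
        # path can substitute their own script. No digest is published to pin
        # here; at minimum download into a fresh file and run only what was
        # just fetched (wget's default would save nginx_up.sh.1 next to an old
        # copy, and the old copy would then be executed).
        up_url=http://downinfo.myhostadmin.net/wdcp/nginx_up.sh
        rm -f -- nginx_up.sh
        if wget -O nginx_up.sh "$up_url" && [ -s nginx_up.sh ]; then
            sh nginx_up.sh
            homemove
            shell_log "信息:核实为wdcp环境,已选择升级nginx和OpenSSL"
        else
            myi18n "下载 ${up_url} 失败,未升级"
            shell_log "错误:下载 ${up_url} 失败,未升级"
        fi
    fi
fi
shell_log "信息:脚本正常退出"
shell_unlock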