Nginx反向代理IIS一键部署https

Nginx反向代理IIS 一键部署多个https站点

  • nginx反向代理IIS一键部署https
  • 支持预装环境及纯净版使用iis web环境
  • 部署后nginx配置文件推荐放到d:/nginx/conf/vhost/目录下
  • 证书路径为d:/nginx/ssl，证书与私钥文件以域名命名，例如ropon.top.crt、ropon.top.key
  • 部署后nginx站点配置文件名为ropon.top.conf

具体代码

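@echo off&setlocal enabledelayedexpansion
:: IIS + Nginx reverse-proxy deployment helper.
:: Every tool this script fetches (wget.exe via bitsadmin, nginx.rar, sed.rar)
:: and its own update come from the plain-http URLs below with no hash or
:: signature check, so the download hosts and the network path are trusted
:: implicitly; run it only where that trust holds.
color 2f
set ver=1.9
set port=443
:: Local account and service name Nginx runs under.
set suser=nginx
set sname=Nginxd
set sslpath=d:\ssl
set nginxpath=d:\nginx
title IIS+NGINX反向代理环境部署程序v%ver%
set vhostpath=d:\nginx\conf\vhost
set nginxconf=d:\nginx\conf\nginx.conf
:: Per-site template; :setssl copies it to vhost\domain.conf.
set vhosttemppath=d:\nginx\conf\temp.conf
:: Keeps its own quotes: the path contains a space and is used unquoted below.
set winrarfile="C:\Program Files\WinRAR\winrar.exe"
set appcmdfile=c:\Windows\System32\inetsrv\appcmd.exe
set updateurl=http://downinfo.myhostadmin.net/vps
set baseurl=http://download.myhostadmin.net/win-ssl
:: Download directory follows the running user's profile instead of a
:: hard-coded Administrator profile; identical when run as Administrator.
:: NOTE: other sections use wgetfile unquoted, so a profile path containing
:: spaces would need quoting there as well.
set downdir=%USERPROFILE%\Downloads
set wgetfile=%downdir%\wget.exe
set sedfile=%downdir%\sed.rar
set sedexe=%downdir%\sed\sed.exe

:: Bootstrap wget.exe with bitsadmin when it is missing. A dead "::pause"
:: that sat inside this block was dropped: a label-style comment inside a
:: parenthesized block is not safe in cmd.
if not exist "%wgetfile%" (
echo.
echo 缺少wget.exe程序
echo 正在下载wget.exe必要程序
bitsadmin.exe /transfer wget /Download /Priority FOREGROUND %baseurl%/wget.exe "%downdir%\wget.exe" >nul 2>nul
)
if not exist "%wgetfile%" (
echo.
echo 自动下载失败请访问 %baseurl%/wget.exe 手动下载
echo 并保存到默认下载目录[%downdir%]
echo.
pause
exit
)

if not exist %winrarfile% (
echo.
echo 缺少WinRAR解压程序
echo 请检查安装解压程序后重新运行脚本
echo.
pause
exit
)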

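:update
:: Self-update: fetch version.txt and, when it is newer, the new script over
:: plain http, start it and delete this file. Nothing verifies what was
:: downloaded (no hash, no signature), so a hostile network path could hand
:: over arbitrary commands here; only use it where the path is trusted.
cls
%wgetfile% %baseurl%/version.txt -O version.txt >nul 2>nul
title IIS+NGINX反向代理环境部署程序v%ver%
set newver=
if exist version.txt (set /p newver=<version.txt)
:: A failed or empty download used to leave newver empty, which turned the
:: comparison below into a syntax error; treat "unknown" as "current".
if not defined newver set newver=%ver%
:: Both sides are quoted so unexpected file content (e.g. an HTML error page)
:: cannot break the parser. This is a string compare: 1.10 sorts below 1.9.
if "!newver!" gtr "!ver!" (
%wgetfile% %baseurl%/updatelog.txt -O updatelog.txt >nul 2>nul
title IIS+NGINX反向代理环境部署程序v%ver%
echo.
echo 当前版本v%ver%,最新版本v!newver!
echo.
echo -- 更新日志 --
for /f "delims=" %%i in (updatelog.txt) do set "updatelog=%%i"&call :logecho !updatelog!
echo.
echo 请按任意键更新...
pause >nul
%wgetfile% %updateurl%/win-ssl.bat -O win-ssl_v!newver!.bat
title IIS+NGINX反向代理环境部署程序v%ver%
cls
del /f /q "version.txt"
rem This log file is not created anywhere visible in this script; kept as-is.
attrib -h -s -r -a "v!newver!log.txt"
del /f /q "updatelog.txt"
rem Only hand over to the new script when it actually arrived; previously
rem this file was deleted even after a failed download.
if exist "win-ssl_v!newver!.bat" (
attrib -h -s -r -a "%0"
start win-ssl_v!newver!.bat
del /f /q "%0"
) else (
echo 更新下载失败,继续使用当前版本v%ver%
)
)
if "!newver!" equ "!ver!" (
cls
del /f /q "version.txt"
echo 已是最新版本v!newver!
)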

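:: Generate an 8-character [0-9a-z] password for the nginx service account.
:: The original kept the alphabet in a variable named tmp (clobbering the TMP
:: environment variable for every child process) and appended each character
:: to an undefined passwd variable, so webpasswd ended up a single character.
:: RANDOM is not a cryptographic source; the account is local and only used
:: for log-on-as-service, but rotate the password if stronger guarantees are
:: needed.
set "pwchars=0123456789abcdefghijklmnopqrstuvwxyz"
set "webpasswd="
for /l %%a in (1,1,8) do (
set /a "n=!random!%%36"
for %%z in (!n!) do set "webpasswd=!webpasswd!!pwchars:~%%z,1!"
)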

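echo.
echo -- 温馨提示 --
echo.
echo 1、部署前请退出服务器内安装的杀毒软件
echo 安全狗、云锁、360、金山、等安全软件有可能导致SSL证书部署出错
echo 2、主要针对我司申请的SSL证书,如还没有SSL证书,请先申请
echo 其它公司申请的证书可能有所出入,
echo 若部署失败需要自行排查,或提交正确工单我司收费排查。
echo 3、部署之前请做好相关备份,若自行部署失败不承担相关风险和责任。
echo 4、部署前请检查IIS上是否有泛域名绑定,若有请临时取消。
echo 5、推荐将证书文件解压后上传到对应站点目录下,运行脚本自动搜索部署。
echo.
echo 请阅读以上温馨提示,5秒后按任意键继续。
:: choice times out after 5 s (default y); pause then waits for a key.
choice /t 5 /d y /n >nul
pause

:: Jump rather than call: the original "call :menu" sat directly above the
:: :menu label, so the menu would have been entered a second time had the
:: called copy ever returned.
goto menu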

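:menu
:: Main menu. ipv6title mirrors whether the vhost template already carries
:: the IPv6 ssl listen line. findstr without /c: treats every space-separated
:: word as its own pattern (so the original matched any "listen" line), and
:: the original had no fallback branch, so the label was never 开启IPV6.
:: /l /c: forces a literal match of the whole phrase.
findstr /l /c:"listen [::]:443 ssl http2;" %vhosttemppath% >nul 2>nul && (set ipv6title=关闭IPV6) || (set ipv6title=开启IPV6)
echo __________________________________________________________
echo ^ ^
echo ^ IIS+NGINX反向代理环境部署程序 v%ver% ^
echo ^ ^
echo ^ 1 - 安装 2 - 卸载 ^
echo ^ 3 - 部署ssl 4 - 更新ssl ^
echo ^ 5 - %ipv6title% 6 - 退出 ^
echo ^ ^
echo ^__________________________________________________________^
:: Clear the previous answer first (set /p keeps the old value on an empty
:: line), then compare through delayed expansion inside quotes so an empty
:: or odd entry can neither break the parser nor inject extra commands.
:: Option 5 only ever adds IPv6 lines; the 关闭IPV6 label has no remove path.
set choice=
set /p choice=-^> 请选择:
if "!choice!"=="1" call :install
if "!choice!"=="2" call :uninstall
if "!choice!"=="3" call :newsetssl
if "!choice!"=="4" call :updatessl
if "!choice!"=="5" call :enableipv6
if "!choice!"=="6" call :exit
echo.
echo 不能输入除了1、2、3、4、5、6之外的其他字符!& choice /t 1 /d y /n >nul & cls & goto menu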

:install
:: One-shot install: unpack nginx.rar into nginxpath, register it as the
:: sname service running as the dedicated local user suser, adjust ACLs,
:: move IIS to loopback only and open the TCP port in the firewall.
cls
if exist %nginxpath%\%sname%.exe (
echo.
echo 核实已安装Nginx环境,请检查服务是否启动,2s后返回主菜单。
choice /t 2 /d y /n >nul & cls & goto menu
)
if not exist %nginxpath% (
mkdir %nginxpath%
echo 创建目录:%nginxpath%成功
)
if not exist %sslpath% (
mkdir %sslpath%
echo 创建目录:%sslpath%成功
)
if not exist %vhostpath% (
mkdir %vhostpath%
echo 创建目录:%vhostpath%成功
)
:: nginx.rar is fetched over plain http and unpacked as-is; nothing checks a
:: hash or signature of the archive or of the ntrights.exe / good.reg inside.
if not exist %nginxpath%\%suser%.rar (
%wgetfile% %baseurl%/%suser%.rar -O %nginxpath%\%suser%.rar >nul 2>nul
title IIS+NGINX反向代理环境部署程序v%ver%
echo 下载文件:%nginxpath%\%suser%.rar成功
)
%winrarfile% x -inul -o+ %nginxpath%\%suser%.rar %nginxpath% -y >nul 2>nul
:: The service account password is passed on the command line to net user and
:: sc config, so it is visible in process listings while these run. If the
:: password block above produced an empty value, the account is created
:: without a password.
net user %suser% %webpasswd% /add /active:yes >nul 2>nul
sc create %sname% binPath= %nginxpath%\%sname%.exe >nul 2>nul
sc config %sname% start= auto type= share obj= .\%suser% password= %webpasswd% >nul 2>nul
:: ntrights.exe ships in the archive; grants the log-on-as-a-service right.
%nginxpath%\ntrights.exe -u %suser% +r SeServiceLogonRight >nul 2>nul

:: Read access is granted on the whole D: drive (and on cmd.exe), far wider
:: than nginx needs; limiting it to nginxpath, sslpath and the site roots
:: would be tighter. The two "echo ycacls" lines only print text to nul (the
:: "echo y" piped into cacls, which would feed its confirmation prompt, is
:: missing), so the intended /P replacement of the ACLs on sslpath and
:: nginxpath is never applied and the private keys later copied into sslpath
:: inherit whatever the drive ACL allows.
cacls d:\ /G %suser%:R /E >nul 2>nul
cacls C:\Windows\System32\cmd.exe /G %suser%:R /E >nul 2>nul
echo ycacls %sslpath% /P administrators:F %suser%:F /T >nul 2>nul
echo ycacls %nginxpath% /P administrators:F %suser%:F /T >nul 2>nul
echo 创建用户:%suser%,创建服务:成功
:: Restrict http.sys (IIS) to 127.0.0.1 so nginx can own the public ports.
iisreset /stop >nul 2>nul
netsh http add iplisten ipaddress=127.0.0.1 >nul 2>nul

:: Firewall check: dumps the rule named allow443 and writes any "本地端口:"
:: line to tempfwch.txt. The inner for /f looks like it lost the pipe between
:: echo and find (a for /f command needs it written as caret-pipe), so as
:: shown the marker file is unlikely to be produced and the add-rule branch
:: runs every time. The rule is looked up as allow443 but created as
:: allow+port, so the two disagree as soon as port is changed.
netsh advfirewall firewall show rule name="allow443" verbose>tempfw.txt
for /f "delims=" %%a in (tempfw.txt) do (
for /f "tokens=1* delims=:" %%i in ('call echo %%a^find /i "本地端口:"') do (
echo %%a>"tempfwch.txt"
)
)
del /s /q tempfw.txt >nul 2>nul
if exist tempfwch.txt ( del /s /q tempfwch.txt >nul 2>nul ) else (
netsh advfirewall firewall add rule name="allow%port%" protocol=TCP dir=in localport=%port% action=allow >nul 2>nul
)
:: good.reg comes from the downloaded archive; its registry changes are not
:: visible in this script.
regedit /s %nginxpath%\good.reg >nul 2>nul
echo 调整IIS监听,放行443端口,导入优化方案成功
net start %sname%
iisreset /start >nul 2>nul
echo 服务:%sname%启动成功,IIS服务启动成功
echo 安装完成
goto menu
:: Not reached after the goto above; kept as the subroutine terminator.
goto:eof

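:uninstall
:: Remove the Nginx service, its local account, the ACL grants from :install
:: and both directories. sslpath holds the copied certificates and private
:: keys; the rd /s /q below deletes them with no confirmation, so back them
:: up first if they are still needed.
if not exist "%nginxpath%\%sname%.exe" (
echo.
echo 没有安装Nginx环境,不需要卸载,2s后返回主菜单。
choice /t 2 /d y /n >nul & cls & goto menu
)
cls
net stop %sname%
sc delete %sname%
echo 停止删除:%sname%服务成功
cacls d:\ /e /c /r %suser% >nul 2>nul
cacls "%nginxpath%" /t /e /c /r %suser% >nul 2>nul
cacls "%sslpath%" /t /e /c /r %suser% >nul 2>nul
net user %suser% /delete
::sc config IISADMIN start= auto
echo 还原:%nginxpath%,%sslpath%权限成功
iisreset /stop
:: Undo the loopback-only listen entry that :install added for http.sys.
netsh http delete iplisten ipaddress=127.0.0.1
iisreset /start
echo 还原IIS监听成功
:: Paths are quoted and skipped when unset so an odd value cannot split the
:: rd command line.
if defined nginxpath rd /s /q "%nginxpath%" >nul 2>nul
if defined sslpath rd /s /q "%sslpath%" >nul 2>nul
echo 清理:%nginxpath%,%sslpath%目录成功
echo 卸载完成
goto menu
goto:eof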

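:newsetssl
:: Deploy a certificate for a domain that has no vhost file yet. The domain
:: ends up unquoted in file paths and inside sed expressions in :setssl, so it
:: is limited to hostname characters (letters, digits, dot, hyphen) first.
set domain=
set crt1path=
set crt2path=
set keypath=
set /p domain=-^> 请输入域名:
::检查输入是否为空
call :isnul domain, newsetssl
:: The character check goes through a temp file rather than a pipe: delayed
:: expansion is what keeps an ampersand or redirect character in the input
:: from being re-parsed, and it is not available on the child side of a pipe.
set "domainok="
echo !domain!>"%temp%\win-ssl-domain.txt"
findstr /r /x /c:"[a-zA-Z0-9.-]*" "%temp%\win-ssl-domain.txt" >nul 2>nul && set "domainok=1"
del /f /q "%temp%\win-ssl-domain.txt" >nul 2>nul
if not defined domainok (
echo 域名只能包含字母、数字、点和短横线,请重新输入。
goto newsetssl
)
if exist "%vhostpath%\%domain%.conf" (
echo 核实已存在对应配置文件,请检查%domain%是否已部署SSL。
pause >nul
exit
)
echo 正在部署SSL证书的域名是%domain%...
call :forbiddenip %domain%
goto:eof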

::Ensure nginx.conf refuses requests whose Host header is a bare IPv4 address
::(the original note: keeps phpmyadmin from being reached through the proxy by
::IP). Adds the rule when it is absent, then continues to :setssl with the
::domain given as the first argument. This only covers raw-IP Host values and
::is not a replacement for a proper default server block.
:forbiddenip
if not exist %nginxpath%\%sname%.exe (
echo.
echo 没有安装Nginx环境,2s后返回主菜单,请选1安装。
choice /t 2 /d y /n >nul & cls & goto menu
)
::sed.rar is fetched over plain http and unpacked without any integrity check.
if not exist %sedexe% (
%wgetfile% %baseurl%/sed.rar -O %sedfile% >nul 2>nul
%winrarfile% x -inul -o+ %sedfile% %downdir% -y >nul 2>nul
title IIS+NGINX反向代理环境部署程序v%ver%
echo 下载解压文件:%sedfile%成功
)
::The first argument is the domain; the tilde form strips surrounding quotes.
::Scan nginx.conf line by line: when a line contains both "if" and the
::"(host matches dotted digits)" pattern the guard already exists, and
:::setssl is called straight from inside the loop. :setssl ends in goto menu,
::so in practice control does not come back here and the insertion below is
::skipped.
for /f "delims=" %%a in (%nginxconf%) do set "a=%%a"&if not "!a!"=="!a:if=!" if not "!a!"=="!a:($host ~* "\d+\.\d+\.\d+\.\d+")=!" call :setssl %~1
echo.
echo 程序检测未禁止IP访问,为加固安全将自动添加以下规则禁止。
echo.
echo if ($host ~* "\d+\.\d+\.\d+\.\d+") {
echo return 403;
echo }
echo.
::sed "a" appends after every matching line: the guard goes after every
::"listen" line, "return 403;" after every line containing "if" and the
::closing brace after every "return 403;". A nginx.conf with several listen
::lines (e.g. after :enableipv6) or other "if" lines therefore receives
::duplicated or mismatched blocks; inspect nginx.conf afterwards.
%sedexe% -i "/listen/a\ if ($host ~* \"\\d+\\.\\d+\\.\\d+\\.\\d+\") {" %nginxconf%
%sedexe% -i "/if/a\ return 403;" %nginxconf%
%sedexe% -i "/return 403;/a\ }" %nginxconf%
::C:\Windows\system32\net stop %sname%
::C:\Windows\system32\net start %sname%
::nginx is restarted once by :setssl after the site is installed, not here.
::Clean up sed's leftover temp files; "sed*" also matches any unrelated file
::in the current directory whose name starts with sed.
for /f "delims=" %%j in ('dir /b /a-d "sed*"') do del %%j
call :setssl %~1
goto:eof

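::Replace the certificate of a domain that already has a vhost file.
:updatessl
set domain=
set crt1path=
set crt2path=
set keypath=
set /p domain=-^> 请输入域名:
call :isnul domain, updatessl
:: The domain is used unquoted in paths and sed expressions by :setssl, so it
:: is limited to hostname characters (letters, digits, dot, hyphen). The check
:: goes through a temp file because delayed expansion, which keeps an
:: ampersand or redirect character in the input from being re-parsed, is not
:: available on the child side of a pipe.
set "domainok="
echo !domain!>"%temp%\win-ssl-domain.txt"
findstr /r /x /c:"[a-zA-Z0-9.-]*" "%temp%\win-ssl-domain.txt" >nul 2>nul && set "domainok=1"
del /f /q "%temp%\win-ssl-domain.txt" >nul 2>nul
if not defined domainok (
echo 域名只能包含字母、数字、点和短横线,请重新输入。
goto updatessl
)
if not exist "%vhostpath%\%domain%.conf" (
echo 核实不存在%domain%配置文件,请检查是否已部署SSL。
pause >nul
exit
)
echo 正在更新SSL证书的域名是%domain%...
call :setssl %domain%
:: Explicit return: without it control fell through into :setssl a second
:: time (in practice :setssl does not return, since it ends in goto menu).
goto:eof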

::Install (or re-install) the certificate for the domain given as the first
::argument: locate cert and key, copy them into sslpath, create the vhost
::file from the template and restart nginx.
:setssl
set domain=%~1
echo %domain%
::Resolve the IIS site bound to the domain and its physical root, which is
::then searched for domain.crt. If IIS has no site for the domain the for
::loops assign nothing: ftpnametemp stays undefined (or keeps a value from an
::earlier run), so ftpname and webpath are not usable; nothing here checks.
for /f "tokens=2 delims= " %%a in ('%appcmdfile% list site http://%domain%') do (set "ftpnametemp=%%a")
set ftpname=%ftpnametemp:~1,-1%
for /f %%i in ('%appcmdfile% list vdirs /app.name:%ftpname%/ /text:physicalPath') do @set webpath=%%i

::Use the certificate from the site root when present, otherwise prompt.
:::isnul re-runs from :crtflg on an empty answer; :crtpath re-prompts until
::the file exists.
:crtflg
if not exist %webpath%\%domain%.crt (
echo 请输入证书文件[%domain%.crt]的绝对路径
set /p crtpath=-^>
call :isnul crtpath,crtflg
call :crtpath
) else (
echo.
echo 在%domain%网站根目录找到证书文件
echo [%webpath%\%domain%.crt]
set crtpath=%webpath%\%domain%.crt
)
::Derive the key path by dropping the 4-character ".crt" suffix; assumes
::crtpath really ends in .crt (any other name yields a wrong key path).
set crtpathtemp=%crtpath:~0,-4%
set keypathtemp=%crtpathtemp%.key

:keyflg
if not exist %keypathtemp% (
echo 请输入秘钥文件[%domain%.key]的绝对路径
set /p keypath=-^>
call :isnul keypath,keyflg
call :keypath
) else (
echo.
echo 在证书文件1的目录找到秘钥文件
echo [%keypathtemp%]
set keypath=%keypathtemp%
echo.
)
::The certificate is copied through "more" (as a text stream; the reason is
::not stated here) and the key with copy. The key is private material: make
::sure sslpath\domain.key is readable only by Administrators, SYSTEM and the
::nginx service account, as nothing in this script tightens that ACL.
C:\Windows\system32\more "%crtpath%" > "%sslpath%\%domain%.crt"
copy "%keypath%" "%sslpath%\%domain%.key" >nul 2>nul
if not exist %vhosttemppath% (
echo 找不到nginx模板配置文件%vhosttemppath%,程序将自动退出。
pause >nul
exit
)
copy "%vhosttemppath%" "%vhostpath%\%domain%.conf" >nul 2>nul
set sslvhostpath=%vhostpath%\%domain%.conf
::sslpathtemp hard-codes the forward-slash form of sslpath (d:\ssl) for the
::nginx directives; changing sslpath at the top does not update it.
set sslpathtemp=d:/ssl
set crt=%sslpathtemp%/%domain%.crt
set key=%sslpathtemp%/%domain%.key

::sed "a" appends after every matching line. With an IPv6 listen line in the
::template (added by :enableipv6) two server_name lines appear, and
::/ssl_certificate/ also matches an ssl_certificate_key line, so a template
::that already carries one ends up with duplicates. Check the vhost file.
%sedexe% -i "/listen/a\ server_name %domain%;" %sslvhostpath%
%sedexe% -i "/server_name/a\ ssl_certificate %crt%;" %sslvhostpath%
%sedexe% -i "/ssl_certificate/a\ ssl_certificate_key %key%;" %sslvhostpath%
C:\Windows\system32\net stop %sname%
C:\Windows\system32\net start %sname%
::Clean up sed's temp files; "sed*" also matches any unrelated file in the
::current directory whose name starts with sed.
for /f "delims=" %%j in ('dir /b /a-d "sed*"') do del %%j
echo 安装完成,请关闭窗口
echo 站点配置文件:%sslvhostpath%
echo 证书文件路径:%sslpath%\%domain%.crt
echo %sslpath%\%domain%.key
::Returns to the menu inside this call frame; the goto:eof below is not
::reached.
goto menu
::goto:eof would return to the caller, which then waits for the next command
goto:eof

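:crtpath
:: Re-prompt until crtpath names an existing file. Quotes typed around the
:: path are stripped so the caller's substring handling (dropping ".crt" and
:: appending ".key") works on the bare path, and the test itself is quoted so
:: a path with spaces cannot split the if. Loops by goto instead of the
:: original self-call, so no call frames pile up on repeated bad input.
if defined crtpath set "crtpath=%crtpath:"=%"
if defined crtpath if exist "%crtpath%" goto:eof
echo %crtpath% 不是有效证书文件
set /p crtpath=-^>
goto crtpath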

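:keypath
:: Re-prompt until keypath names an existing file. Quotes typed around the
:: path are stripped and the test is quoted so a path with spaces cannot
:: split the if. Loops by goto instead of the original self-call, so no call
:: frames pile up on repeated bad input.
if defined keypath set "keypath=%keypath:"=%"
if defined keypath if exist "%keypath%" goto:eof
echo %keypath% 不是有效秘钥文件
set /p keypath=-^>
goto keypath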

:logecho
:: Print one update-log line handed over as the first argument.
echo %1
exit /b

:isnul
:: First argument: name of the variable to test. Second argument: label to
:: jump back to when that variable is unset or empty.
if defined %~1 exit /b
echo 输入为空,请重新输入。
goto %~2

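:enableipv6
:: Add IPv6 listen lines to nginx.conf and to the vhost template. sed "a"
:: appends after every line matching /listen/, and the original re-appended
:: on every selection, so the check below makes the operation idempotent.
:: Despite the 关闭IPV6 menu label nothing here removes the lines again.
:: sed.exe is only fetched by :forbiddenip, so bail out if it is not there yet.
if not exist %sedexe% (
echo 缺少sed程序,请先部署一次SSL后再开启IPV6
goto menu
)
findstr /l /c:"listen [::]:443 ssl http2;" %vhosttemppath% >nul 2>nul && (
echo IPV6已开启,无需重复操作
goto menu
)
%sedexe% -i "/listen/a\ listen [::]:80;" %nginxconf%
%sedexe% -i "/listen/a\ listen [::]:443 ssl http2;" %vhosttemppath%
echo 开启IPV6成功
goto menu
goto:eof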

:exit
:: Ends the whole cmd session, not just this script.
exit