基于Nginx一键部署https

作者: ropon 分类: Shell 发布时间: 2017-04-13 23:28

基于Nginx一键部署https

  • 1、基于nginx自动部署https,自动设置301
  • 2、wdcp环境下自动判断是否需要升级nginx和openssl(可选)
  • 3、支持wdcp环境或其他已安装好nginx环境
  • 4、部署时可选择把nginx配置文件移动到/home/nginx-ssl/conf目录下并建立软链接(可选);部署完成后vhost目录会备份到/home/nginx-vhost-bak
  • 5、证书路径/home/ssl 以域名命名www.test.com.crt www.test.com.key
  • 6、部署后nginx站点配置文件名为test.com_ssl.conf

具体代码

# Script identity, log location and the lock that guards against concurrent runs.
SHELL_NAME=nginx-ssl.sh
SHELL_DIR=/root
SHELL_LOG="$SHELL_DIR/$SHELL_NAME.log"
# NOTE(review): a fixed, predictable name under world-writable /tmp lets any
# local user pre-create the file and block this root-run script (or plant a
# symlink for touch to follow); /run/lock or /var/lock is the safer home for it.
LOCK_FILE="/tmp/$SHELL_NAME.lock"
# Print $1 for the terminal: unchanged when $LANG mentions UTF, otherwise
# transcoded from UTF-8 to GBK (the script's messages are UTF-8 Chinese).
# Keeps the original quirk of printing "demo" first when not called with
# exactly one argument.
myi18n(){
    local msg=$1
    [ "$#" -eq 1 ] || echo "demo"
    case "$LANG" in
        *[Uu][Tt][Ff]*) echo "$msg" ;;
        *) echo "$msg" | iconv -f utf-8 -t gbk ;;
    esac
}
#Write Log 
# Append one timestamped line for $1 to ${SHELL_LOG}, routed through myi18n so
# the log uses the same encoding as the terminal. LOG_INFO stays a global, as
# before; the two date calls are folded into one so a line cannot straddle a
# second boundary.
shell_log(){
    LOG_INFO=$1
    local stamp
    stamp=$(date "+%Y-%m-%d %H-%M-%S")
    myi18n "${stamp} : ${SHELL_NAME} : ${LOG_INFO}" >> "${SHELL_LOG}"
}
# Create the lock file. Not atomic: the caller's existence check and this touch
# can race, and touch follows a symlink planted at ${LOCK_FILE}.
shell_lock(){
    touch -- "${LOCK_FILE}"
}
# Remove the lock file; silent when it is already gone.
shell_unlock(){
    rm -f -- "${LOCK_FILE}"
}
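# Release the lock and exit with the status given as $1 (default 0).
# The original ignored its argument, so every `end 1` failure path still
# exited 0 and callers could not tell a failed run from a successful one.
end(){
    shell_unlock
    exit "${1:-0}"
}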
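shell_log "信息:脚本开始运行"
# Refuse to run concurrently. The lock is deliberately left in place: it
# belongs to the other instance. The hint names ${LOCK_FILE} instead of a
# hardcoded path so it cannot drift from the real lock location, suggests
# rm -f rather than rm -rf, and the exit is now non-zero.
if [ -f "$LOCK_FILE" ]; then
    shell_log "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -f ${LOCK_FILE} 命令清理锁文件"
    myi18n "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -f ${LOCK_FILE} 命令清理锁文件"
    exit 1
fi
shell_lock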
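# Locate the nginx configuration directory. If /home/nginx-ssl/conf already
# exists (a previous run relocated the config there) it is used as-is;
# otherwise the install prefix is asked for interactively, an empty answer
# meaning the wdcp default /www/wdlinux/nginx. The wdcp flag is now set on
# every empty answer, not only in the second prompt loop, so the chown below
# behaves the same whichever prompt the user hit.
homeconfpath=/home/nginx-ssl/conf
if [ ! -d "$homeconfpath" ]; then
    myi18n "请输入nginx安装路径,比如:/usr/local/nginx"
    myi18n "如果使用wdcp环境,请直接回车"
    read -r -p ": " confpath
    if [ -z "$confpath" ]; then
        confpath=/www/wdlinux/nginx
        wdcp=y
    fi
    confpath1=${confpath}/conf
    # Keep asking until <prefix>/conf exists ...
    while [ ! -d "$confpath1" ]; do
        myi18n "您输入路径${confpath1}不存在,请重新输入"
        shell_log "错误:您输入路径${confpath1}不存在,请重新输入"
        read -r -p ": " confpath
        if [ -z "$confpath" ]; then
            confpath=/www/wdlinux/nginx
            wdcp=y
        fi
        confpath1=${confpath}/conf
    done
    # ... and actually contains nginx.conf. A direct -f test replaces the
    # `find` plus unquoted `[ -z $temp ]` of the original.
    while [ ! -f "${confpath1}/nginx.conf" ]; do
        myi18n "nginx安装路径不对,请重新输入"
        shell_log "错误:${confpath1} 路径下没有找到nginx.conf,请检查"
        echo
        read -r -p ": " confpath
        if [ -z "$confpath" ]; then
            confpath=/www/wdlinux/nginx
            wdcp=y
        fi
        confpath1=${confpath}/conf
    done
    shell_log "信息:nginx配置文件路径 ${confpath1}"
    myi18n "是否一键移动nginx配置文件到/home/nginx目录下并创建好软连接"
    read -r -p "[y/n]: " conf_move
    # ^[yn]$ : the original class [y,n] also accepted a bare comma.
    while [[ ! $conf_move =~ ^[yn]$ ]]; do
        echo "input error! Please only input 'y' or 'n'"
        echo
        read -r -p "[y/n]: " conf_move
    done
    if [ "$conf_move" == 'y' ]; then
        if [ ! -d "$homeconfpath" ]; then
            # Copy the live config to its new home, then replace the original
            # directory with a symlink. The cd is checked: previously a failed
            # cd let `mv conf/ conf-bak/` and `ln -sf` run in whatever the
            # current directory happened to be.
            mkdir -p "$homeconfpath"
            cp -rf "${confpath}/conf/"* "$homeconfpath"
            cd "$confpath" || { shell_log "错误:无法进入 ${confpath}"; end 1; }
            mv conf/ conf-bak/
            ln -sf "$homeconfpath" conf
            if [ "$wdcp" == 'y' ]; then
                chown wdcpu.wdcpg "$homeconfpath" -R
            fi
        fi
    else
        homeconfpath=${confpath}/conf
    fi
else
    echo
    myi18n "自动搜索到:nginx配置文件路径为 ${homeconfpath}"
    shell_log "信息:自动搜索到:nginx配置文件路径为 ${homeconfpath}"
    echo
fi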
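# Detect the wdcp panel environment by its fixed install prefix.
if [ -d "/www/wdlinux/nginx" ]; then
    wdcp=y
    myi18n "使用wdcp环境,nginx版本为"
    /www/wdlinux/nginx/sbin/nginx -v 2>&1 | awk -F '/' '{print $2}'
    shell_log "信息:当前使用wdcp环境"
fi
shell_log "信息:nginx的vhost文件路径 ${homeconfpath}"
# Certificates and private keys live here, named after the domain.
# NOTE(review): the directory is created with the default umask; the key
# copies placed in it later are tightened to 0600, the directory itself is not.
homesslpath=/home/ssl
[ ! -d "$homesslpath" ] && mkdir -p "$homesslpath"
shell_log "信息:ssl证书存放路径 ${homesslpath}"
# Everything below relies on the vhost directory being the cwd (relative
# *.conf globs, a `cp` of "<site>.conf" and a recursive chown of *). Stop if
# it cannot be entered rather than run those in the directory the script was
# started from.
if ! pushd "${homeconfpath}/vhost/"; then
    shell_log "错误:无法进入 ${homeconfpath}/vhost/"
    end 1
fi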

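# Ask for the site's domain. It becomes a grep pattern, a file name under
# /home/ssl, sed text and a URL, so only a plain hostname is accepted: labels
# of letters, digits and hyphens joined by at least one dot. This keeps "../",
# whitespace and shell/regex metacharacters out of those places.
domain_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
myi18n "请输入需要安装证书站点绑定的域名,比如:www.test.com"
myi18n "如果二级域名有绑定到其他站点,请使用www.test.com,不要输入顶级域名"
read -r -p ": " domain
while [[ -z "$domain" || ! "$domain" =~ $domain_re ]]; do
    myi18n "域名不能为空或格式不正确,请重新输入。"
    echo
    read -r -p ": " domain
done
# First vhost file that mentions " <domain>" (the leading space keeps
# sub.domain from matching). -F: literal match, the dots in the domain are
# not regex wildcards.
files=$(grep -l -F -- " ${domain}" *.conf | awk 'NR==1{print}' | sed 's/\.conf//')
if [ -z "$files" ]; then
    echo
    echo "${domain}"
    myi18n "关联站点,没有找到!"
    shell_log "警告:没有找到域名 ${domain} 对应配置文件"
    echo
    end 1
fi
files1=${homeconfpath}/vhost/${files}.conf
shell_log "信息:要部署域名 ${domain} 的配置文件是  ${files1}"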
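# A previous deployment leaves <site>_ssl.conf behind. If it points at an
# existing cert+key pair the site is already done; otherwise offer to delete it.
sslfile=${homeconfpath}/vhost/${files}_ssl.conf
if [ -f "$sslfile" ]; then
    # Take the first ssl_certificate / ssl_certificate_key value. The key
    # lookup now also keeps only the first match: it used to return every
    # matching line joined by newlines, which never passes -f.
    crt=$(grep -E 'ssl_certificate' "${sslfile}" | awk -F 'ssl_certificate ' '{print $2}' | awk 'NR==1{print}' | sed 's/\;//')
    key=$(grep -E 'ssl_certificate_key' "${sslfile}" | awk -F 'ssl_certificate_key ' '{print $2}' | awk 'NR==1{print}' | sed 's/\;//')
    if [ -f "$crt" ] && [ -f "$key" ]; then
        echo
        echo "${domain}"
        myi18n "关联站点证书已安装!"
        shell_log "警告:域名 ${domain} 已成功部署"
        echo
        end 1
    fi
    echo
    echo "${domain}"
    myi18n "关联站点ssl配置文件已存在,是否需要删除?"
    read -r -p "[y/n]: " ssl_check
    # ^[yn]$ : the original class [y,n] also accepted a bare comma.
    while [[ ! $ssl_check =~ ^[yn]$ ]]; do
        echo "input error! Please only input 'y' or 'n'"
        echo
        read -r -p "[y/n]: " ssl_check
    done
    if [ "$ssl_check" == 'y' ]; then
        # A single file: rm -f, not rm -rf.
        rm -f -- "$sslfile"
    else
        echo
        echo "${domain}"
        myi18n "已存在ssl配置文件,请核实后重新运行程序。"
        shell_log "警告:要部署域名 ${domain} 已存在部署后配置文件 ${sslfile}"
        end 1
    fi
fi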
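# The http vhost must not already redirect to https, since the ssl vhost is a
# copy of it. Offer to strip the `return ... 301 https` line; refuse otherwise.
if grep -q -E 'https://' "${files1}"; then
    echo
    echo "${domain}"
    myi18n "对应配置文件存在301转向(return 301),是否需要删除?"
    read -r -p "[y/n]: " s_check
    # ^[yn]$ : the original class [y,n] also accepted a bare comma.
    while [[ ! $s_check =~ ^[yn]$ ]]; do
        echo "input error! Please only input 'y' or 'n'"
        echo
        read -r -p "[y/n]: " s_check
    done
    if [ "$s_check" == 'y' ]; then
        sed -i '/^.*return.*301 https/d' "$files1"
    else
        echo
        echo "${domain}"
        myi18n "域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
        shell_log "警告:域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
        end 1
    fi
fi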
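# Certificate: reuse /home/ssl/<domain>.crt when present. Otherwise either
# merge a leaf .cer with its CA bundle (the "our company" issuance flow) or
# take a ready-made .crt. Nginx wants the leaf first, then the intermediates.
crt1=${homesslpath}/${domain}.crt
key1=${homesslpath}/${domain}.key
if [ ! -f "$crt1" ]; then
    myi18n "我司申请在nginx上部署需要先合并,请输入y或者n?"
    read -r -p "[y/n]: " crt_yn
    # ^[yn]$ : the original class [y,n] also accepted a bare comma.
    while [[ ! $crt_yn =~ ^[yn]$ ]]; do
        echo "input error! Please only input 'y' or 'n'"
        echo
        read -r -p "[y/n]: " crt_yn
    done
    if [ "$crt_yn" == 'y' ]; then
        myi18n "请输入cer证书路径,比如 /root/test.com.cer"
        myi18n "/root/test.com.cer"
        read -r -p "Please reinput crtpath1 : " crtpath1
        while [ -z "$crtpath1" ] || [ ! -f "$crtpath1" ]; do
            myi18n "需要合并证书1不能为空或路径错误,请重新输入。"
            shell_log "警告:需要合并证书1 ${crtpath1} 为空或路径错误"
            echo
            read -r -p ": " crtpath1
        done
        # Strip the .cer suffix to derive the sibling <name>_ca.crt and
        # <name>.key. (The old `awk -F '.cer'` used a regex, so any "?cer"
        # earlier in the path, e.g. /root/acer/, truncated it there.)
        pathtemp=${crtpath1%.cer}
        crtpath2temp=${pathtemp}_ca.crt
        keypathtemp=${pathtemp}.key
        echo "$crtpath2temp"
        echo "$keypathtemp"
        if [ ! -f "$crtpath2temp" ]; then
            myi18n "/root/test.com_ca.crt"
            read -r -p "Please reinput crtpath2 : " crtpath2
            while [ -z "$crtpath2" ] || [ ! -f "$crtpath2" ]; do
                myi18n "需要合并证书2不能为空或路径错误,请重新输入。"
                shell_log "警告:需要合并证书2 ${crtpath2} 为空或路径错误"
                echo
                read -r -p ": " crtpath2
            done
        else
            crtpath2=$crtpath2temp
            echo
            myi18n "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
            myi18n "系统会自动补全合并为~/${domain}.crt"
            shell_log "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
            echo
        fi
        shell_log "信息:域名 ${domain} 需要合并证书1 ${crtpath1}"
        shell_log "信息:域名 ${domain} 需要合并证书2 ${crtpath2}"
        # Write, do not append: with >> a leftover ~/<domain>.crt from an
        # earlier run would end up holding the chain twice.
        crtpath=~/${domain}.crt
        cat -- "$crtpath1" "$crtpath2" > "$crtpath"
    else
        myi18n "请输入需要安装证书路径:eg /root/test.com.crt"
        read -r -p "Please reinput crtpath : " crtpath
        while [ -z "$crtpath" ] || [ ! -f "$crtpath" ]; do
            myi18n "crt证书路径不能为空或路径错误,请重新输入。"
            shell_log "警告:crt证书路径 ${crtpath} 为空或路径错误"
            echo
            read -r -p ": " crtpath
        done
    fi
    cp -- "${crtpath}" "${homesslpath}/${domain}.crt"
else
    echo
    myi18n "自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
    shell_log "信息:自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
    echo
fi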
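# Private key: reuse /home/ssl/<domain>.key, else the .key derived from the
# .cer path, else ask for it.
if [ ! -f "$key1" ]; then
    if [ ! -f "$keypathtemp" ]; then
        myi18n "请输入需要安装证书路径:eg /root/test.com.key"
        read -r -p "Please reinput keypath : " keypath
        while [ -z "$keypath" ] || [ ! -f "$keypath" ]; do
            myi18n "key证书路径不能为空或路径错误,请重新输入。"
            shell_log "警告:key证书路径 ${keypath} 为空或路径错误"
            echo
            read -r -p ": " keypath
        done
    else
        keypath=$keypathtemp
        echo
        myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
        shell_log "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
        echo
    fi
    cp -- "${keypath}" "${homesslpath}/${domain}.key"
else
    echo
    myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
    shell_log "信息:自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
    echo
fi
# The key must not be world-readable. cp inherits the umask (typically 022),
# which left the copy at 0644; the nginx master reads it as root, so 0600 is
# enough.
chmod 600 -- "${homesslpath}/${domain}.key"
# Best-effort check that the key belongs to the certificate, comparing the
# public keys in PEM form (works for RSA and EC). A mismatch would only show up
# as nginx refusing to start at the restart below. If either side cannot be
# parsed (DER input, encrypted key, old openssl without `pkey`) the check is
# skipped with a warning rather than failing the run.
if command -v openssl >/dev/null 2>&1; then
    crt_pub=$(openssl x509 -in "${homesslpath}/${domain}.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "${homesslpath}/${domain}.key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ -z "$key_pub" ]; then
        shell_log "警告:无法解析 ${homesslpath}/${domain}.crt 或 ${homesslpath}/${domain}.key,未能校验证书与私钥是否匹配"
    elif [ "$crt_pub" != "$key_pub" ]; then
        myi18n "证书 ${domain}.crt 与私钥 ${domain}.key 不匹配,请核实并删除 ${homesslpath} 下的文件后重新运行程序。"
        shell_log "错误:证书与私钥不匹配 ${homesslpath}/${domain}.crt ${homesslpath}/${domain}.key"
        end 1
    fi
fi
shell_log "信息:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
shell_log "信息:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"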
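# Build the https vhost from the http one. The copy is made from the vhost
# directory (cwd since the pushd above) and then edited in place.
cp -- "${files}.conf" "${homeconfpath}/vhost/${files}_ssl.conf"
shell_log "信息:域名 ${domain} 部署后 ssl配置文件为 ${sslfile}"
if [ "$wdcp" == 'y' ]; then
    chown wdcpu.wdcpg -R -- ./*
    shell_log "信息:核实为wdcp环境,设置${homeconfpath} 所有者及所属组为wdcpu.wdcpg"
fi

# Only the port of `listen` directives is rewritten (listen 80;, listen
# 0.0.0.0:80 default_server;, listen [::]:80;). The original `s/80/443 ssl/g`
# replaced every "80" in the file, so 8080 upstream ports, IP octets and
# similar were silently mangled.
sed -i -r 's/^([[:space:]]*listen[[:space:]]+([^;]*:)?)80([[:space:];])/\1443 ssl\3/' "${sslfile}"
if ! grep -q -E '^[[:space:]]*listen[[:space:]].*443 ssl' "${sslfile}"; then
    myi18n "在 ${files}.conf 中没有找到 listen 80 监听行,无法生成https配置,请手工处理 ${sslfile}"
    shell_log "错误:${files1} 中没有 listen 80 行,未生成ssl指令"
    end 1
fi
# The ssl_* directives go right after the listen line just rewritten, which
# is guaranteed to sit at server level. Anchoring on /root/ as before also
# fired on comments, paths containing "root" and root directives inside
# location blocks, where ssl_certificate is invalid.
sed -i "/listen[[:space:]].*443 ssl/a\    ssl_certificate $crt1;" "${sslfile}"
sed -i "/ssl_certificate /a\    ssl_certificate_key $key1;" "${sslfile}"
sed -i "/ssl_certificate_key/a\    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" "${sslfile}"
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and HIGH still
# admits CBC suites; `ssl_protocols TLSv1.2;` (plus TLSv1.3 where the
# nginx/OpenSSL build supports it) and an AEAD-only cipher list are the
# current baseline. Left as-is so old-client compatibility stays a deliberate
# choice rather than a silent change.
sed -i "/ssl_protocols/a\    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;" "${sslfile}"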
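# Optional: make the http vhost answer with a permanent redirect to https.
# The target host defaults to nginx's $server_name; a custom one must be a
# plain hostname because it is written verbatim into the config file.
myi18n "是否需要一键设置301转向,请输入y或者n?"
read -r -p "[y/n]: " zx_yn
# ^[yn]$ : the original class [y,n] also accepted a bare comma.
while [[ ! $zx_yn =~ ^[yn]$ ]]; do
    echo "input error! Please only input 'y' or 'n'"
    echo
    read -r -p "[y/n]: " zx_yn
done
if [ "$zx_yn" == 'y' ]; then
    host_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
    myi18n "请输入跳转后地址比如:"
    read -r -p "${domain}: " server_name1
    if [ -z "$server_name1" ]; then
        server_name1='$server_name'
    fi
    while [ "$server_name1" != '$server_name' ] && [[ ! "$server_name1" =~ $host_re ]]; do
        myi18n "跳转地址格式不正确,请重新输入(直接回车使用当前域名)"
        read -r -p "${domain}: " server_name1
        [ -z "$server_name1" ] && server_name1='$server_name'
    done
    request_uri1='$request_uri'
    # Appended after every server_name line of the http vhost, as before
    # (a file with several server blocks gets the redirect in each).
    sed -i "/server_name/a\    return  301 https://$server_name1$request_uri1;" "${files1}"
    shell_log "信息:域名 ${domain} 已设置301跳转到https://${server_name1}${request_uri1}  ${files1}"
fi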
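# Validate the merged config before bouncing nginx: a defect in the generated
# vhost would otherwise take every site on this server down with the restart.
# The binary is looked up in the usual places; when none is found the check is
# skipped and the restart proceeds as before.
nginx_bin=
for cand in "${confpath:+${confpath}/sbin/nginx}" /www/wdlinux/nginx/sbin/nginx /usr/local/nginx/sbin/nginx "$(command -v nginx 2>/dev/null)"; do
    if [ -n "$cand" ] && [ -x "$cand" ]; then
        nginx_bin=$cand
        break
    fi
done
if [ -n "$nginx_bin" ] && ! "$nginx_bin" -t; then
    myi18n "nginx 配置检查失败,未重启 nginx,请检查 ${sslfile}"
    shell_log "错误:nginx -t 失败,配置文件 ${sslfile}"
    end 1
fi
service nginxd restart
# Open 443 in iptables when 80 is already allowed (i.e. the firewall is
# managed through /etc/sysconfig/iptables); otherwise leave it alone.
if iptables -L -n | grep -qw dpt:80; then
    if iptables -L -n | grep -qw dpt:443; then
        myi18n "核实已放行443端口"
    else
        echo
        myi18n "正在放行443端口"
        echo
        sed -i "/dport 80 -j ACCEPT/a\-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" /etc/sysconfig/iptables
        service iptables restart
    fi
else
    myi18n "iptables服务似乎没有运行"
fi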
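# Smoke test. curl validates the served chain (no -k), so a failure here
# usually means a bad chain or a name not resolving to this host. Informational
# only; the exit status is not checked.
curl -I -- "https://${domain}"
echo
echo "${domain}"
myi18n "关联站点证书已安装完成!"
myi18n "证书文件存放/home/ssl,以域名方式命名。"
echo
myi18n "域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
myi18n "域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
echo
# Back up the vhost directory by copying its *contents* into a pre-created
# target. `cp -rf vhost /home/nginx-vhost-bak` only did that on the first run;
# once the target existed it nested a fresh copy at /home/nginx-vhost-bak/vhost.
mkdir -p /home/nginx-vhost-bak
cp -rf "${homeconfpath}/vhost/." /home/nginx-vhost-bak/
myi18n "同时已备份当前nginx配置文件到/home/nginx-vhost-bak"
if [ "$wdcp" == 'y' ]; then
    myi18n "如果使用wdcp环境,请不要登录wdcp切换web引擎,否则配置文件将被覆盖!"
fi
shell_log "信息:${domain} 关联站点证书已安装完成"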
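pushd /root/ || end 1
# Optional nginx/OpenSSL upgrade on wdcp (the version check is the presence of
# the nginx-1.10.2 directory). The upgrade script comes from the wdcp vendor.
if [ "$wdcp" == 'y' ] && [ ! -d /www/wdlinux/nginx-1.10.2 ]; then
    myi18n "核实nginx和openssl版本较低,若要通过苹果ats认证,请升级"
    # After the upgrade, re-point the fresh conf directory at the relocated
    # config, unless the config was never moved out of the install prefix.
    homemove(){
        confpath=/www/wdlinux/nginx
        if [ "${homeconfpath}" == "/www/wdlinux/nginx/conf" ]; then
            echo "$homeconfpath"
            myi18n "不需要移动配置文件"
        else
            cp -rf "${confpath}/conf/"* "$homeconfpath"
            # Checked cd: mv/ln below must not run in an unrelated directory.
            cd "$confpath" || { shell_log "错误:无法进入 ${confpath}"; return 1; }
            mv conf/ conf-bak/
            ln -sf "$homeconfpath" conf
            chown wdcpu.wdcpg "$homeconfpath" -R
        fi
    }
    read -r -p "[y/n]: " update
    # ^[yn]$ : the original class [y,n] also accepted a bare comma.
    while [[ ! $update =~ ^[yn]$ ]]; do
        echo "input error! Please only input 'y' or 'n'"
        echo
        read -r -p "[y/n]: " update
    done
    if [ "$update" == 'y' ]; then
        # Always write the same file name and stop when the download fails:
        # a bare `wget URL` saves a repeat download as nginx_up.sh.1, so
        # `sh nginx_up.sh` then ran whatever older copy was lying in /root.
        # NOTE(review): this still fetches a script over plain HTTP and runs
        # it as root with no signature or checksum; pin a known-good hash
        # (sha256sum -c) or at least an https origin before relying on it.
        if ! wget -O nginx_up.sh http://downinfo.myhostadmin.net/wdcp/nginx_up.sh; then
            myi18n "下载 nginx_up.sh 失败,未升级"
            shell_log "错误:下载 nginx_up.sh 失败,未升级"
            end 1
        fi
        sh nginx_up.sh
        homemove
        shell_log "信息:核实为wdcp环境,已选择升级nginx和OpenSSL"
    fi
fi
shell_log "信息:脚本正常退出"
shell_unlock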
