Nginx反向代理IIS一键部署https

作者: ropon 分类: Shell 发布时间: 2017-04-14 14:50

Nginx反向代理IIS 一键部署多个https站点

  • nginx反向代理IIS一键部署https
  • 支持预装环境及纯净版使用iis web环境
  • 部署后nginx配置文件推荐放到d:/nginx/conf/vhost/目录下
  • 证书路径d:/nginx/ssl 以域名命名ropon.top.crt ropon.top.key
  • 部署后nginx站点配置文件名为ropon.top.conf

具体代码

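@echo off&setlocal enabledelayedexpansion
rem IIS + Nginx reverse-proxy deployment tool: installs Nginx as a Windows
rem service in front of IIS and writes one HTTPS vhost config per domain.
rem Everything below is a global setting read by the labels further down.
rem These paths are used unquoted throughout the script, so keep them free of spaces.
color 2f
set ver=1.9
set port=443
rem Local account the service runs as, and the service name.
set suser=nginx
set sname=Nginxd
rem Certificates and private keys are copied here; :install sets its ACL.
set sslpath=d:\ssl
set nginxpath=d:\nginx
title IIS+NGINX反向代理环境部署程序v%ver%
rem Derived from nginxpath so the tree stays consistent if it is ever moved.
set vhostpath=%nginxpath%\conf\vhost
set nginxconf=%nginxpath%\conf\nginx.conf
set vhosttemppath=%nginxpath%\conf\temp.conf
set winrarfile="C:\Program Files\WinRAR\winrar.exe"
set appcmdfile=%SystemRoot%\System32\inetsrv\appcmd.exe
rem Both download hosts are plain HTTP. Nothing in this script verifies what is
rem fetched from them before it is run: wget.exe, sed.rar, nginx.rar and the
rem self-update script are all trusted as received.
set updateurl=http://downinfo.myhostadmin.net/vps
set baseurl=http://download.myhostadmin.net/win-ssl
rem Download directory of the current user. This was hard-coded to the
rem Administrator profile; for that account the value is identical.
set downdir=%USERPROFILE%\Downloads
set wgetfile=%downdir%\wget.exe
set sedfile=%downdir%\sed.rar
set sedexe=%downdir%\sed\sed.exe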

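rem Fetch wget.exe with BITS when it is missing; every later download goes
rem through it. The transfer is plain HTTP and no hash or signature is checked,
rem so compare the binary with a trusted copy before relying on it.
if not exist %wgetfile% (
    echo.
    echo 缺少wget.exe程序
    rem A double-colon comment inside a parenthesised block is unreliable, use rem here.
    rem pause
    echo 正在下载wget.exe必要程序
    bitsadmin.exe /transfer wget /Download /Priority FOREGROUND %baseurl%/wget.exe %downdir%\wget.exe >nul 2>nul
)
rem Give up when the download did not produce the file; exit code 1 marks the failure.
if not exist %wgetfile% (
    echo.
    echo 自动下载失败请访问 %baseurl%/wget.exe 手动下载
    echo 并保存到默认下载目录[%downdir%]
    echo.
    pause
    exit 1
)

rem WinRAR unpacks nginx.rar and sed.rar later; there is no fallback extractor.
if not exist %winrarfile% (
    echo.
    echo 缺少WinRAR解压程序
    echo 请检查安装解压程序后重新运行脚本
    echo.
    pause
    exit 1
)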

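:update
rem Self-update check against the version file on the download server. The
rem version file and the replacement script travel over plain HTTP with no
rem signature or checksum, so whatever that server, or anyone on the path,
rem serves is what gets started below.
cls
set newver=
%wgetfile% %baseurl%/version.txt -O version.txt >nul 2>nul
title IIS+NGINX反向代理环境部署程序v%ver%
rem Take the first line that is a plain dotted number. The old set /p read
rem spliced whatever came back into the if below, where an empty or odd value
rem aborted the script or was parsed as a command.
for /f "delims=" %%v in ('findstr /r /x /c:"[0-9][0-9.]*" version.txt 2^>nul') do if not defined newver set "newver=%%v"
if not defined newver (
    del /f /q "version.txt" >nul 2>nul
    echo 获取版本信息失败,跳过更新检查
    goto updatedone
)
rem NOTE: cmd compares non-integer strings such as 1.9 lexically, so a future
rem 1.10 would sort below 1.9 here.
if %newver% gtr %ver% (
    %wgetfile% %baseurl%/updatelog.txt -O updatelog.txt >nul 2>nul
    title IIS+NGINX反向代理环境部署程序v%ver%
    echo.
    echo 当前版本v%ver%,最新版本v%newver%
    echo.
    echo -- 更新日志 --
    for /f "delims=" %%i in (updatelog.txt) do set "updatelog=%%i"&call :logecho !updatelog!
    echo.
    echo 请按任意键更新...
    pause >nul
    %wgetfile% %updateurl%/win-ssl.bat -O win-ssl_v%newver%.bat
    title IIS+NGINX反向代理环境部署程序v%ver%
    cls
    del /f /q "version.txt"
    rem Kept from the original; this log file is not created anywhere in this script.
    attrib -h -s -r -a "v%newver%log.txt"
    del /f /q "updatelog.txt"
    attrib -h -s -r -a "%0"
    start win-ssl_v%newver%.bat
    del /f /q "%0"
    rem The replacement is running now; stop here instead of executing stale code.
    exit
)
if %newver% equ %ver% (
    cls
    del /f /q "version.txt"
    echo 已是最新版本v%newver%
)
:updatedone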

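rem Build the password for the Nginx service account in webpasswd.
rem The alphabet variable was called tmp, which silently clobbered the TMP
rem environment variable for every child process; it is now charset.
rem The accumulator must be webpasswd itself: the original appended to an
rem undefined passwd, so the finished password was a single character, which
rem also fails any password-complexity policy and leaves the service unable to log on.
rem random is a 15-bit generator seeded from the clock, not a CSPRNG; the
rem value is only as strong as that source.
set charset=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
set pwlen=16
set webpasswd=
rem 62 is the length of charset.
for /l %%a in (1,1,%pwlen%) do (
    set /a "n=!random!%%62"
    for %%z in (!n!) do set webpasswd=!webpasswd!!charset:~%%z,1!
)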

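echo.
echo -- 温馨提示 --
echo.
echo 1、部署前请退出服务器内安装的杀毒软件
echo    安全狗、云锁、360、金山、等安全软件有可能导致SSL证书部署出错
echo 2、主要针对我司申请的SSL证书,如还没有SSL证书,请先申请
echo    其它公司申请的证书可能有所出入,
echo    若部署失败需要自行排查,或提交正确工单我司收费排查。
echo 3、部署之前请做好相关备份,若自行部署失败不承担相关风险和责任。
echo 4、部署前请检查IIS上是否有泛域名绑定,若有请临时取消。
echo 5、推荐将证书文件解压后上传到对应站点目录下,运行脚本自动搜索部署。
echo.
echo 请阅读以上温馨提示,5秒后按任意键继续。
rem choice with a 5 second timeout acts as a sleep; pause then waits for a key.
choice /t 5 /d y /n >nul
pause

rem The menu never returns to its caller, so jump instead of call: with call the
rem script would fall straight into the :menu label a second time afterwards.
goto menu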

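:menu
rem Main menu. Option 5 is labelled as disable once the vhost template already
rem carries the IPv6 listen line. /L /C: make findstr look for the whole phrase;
rem without /C: the space-separated words were OR-ed, so any line with listen matched.
findstr /L /C:"listen [::]:443 ssl http2;" %vhosttemppath% >nul 2>nul && set ipv6title=关闭IPV6 || set ipv6title=开启IPV6
echo   __________________________________________________________
echo  ^|                                                          ^|
echo  ^|        IIS+NGINX反向代理环境部署程序 v%ver%                ^|
echo  ^|                                                          ^|
echo  ^|     1 - 安装                   2 - 卸载                  ^|
echo  ^|     3 - 部署ssl                4 - 更新ssl               ^|
echo  ^|     5 - %ipv6title%              6 - 退出                  ^|
echo  ^|                                                          ^|
echo  ^|__________________________________________________________^|
rem Clear the previous answer first: set /p keeps the old value on empty input.
set choice=
set /p choice=-^> 请选择:
rem Both sides are quoted so empty or multi-word input cannot break the if syntax.
if "%choice%"=="1" call :install
if "%choice%"=="2" call :uninstall
if "%choice%"=="3" call :newsetssl
if "%choice%"=="4" call :updatessl
if "%choice%"=="5" call :enableipv6
if "%choice%"=="6" call :exit
echo.
echo 不能输入除了1、2、3、4、5、6之外的其他字符!& choice /t 1 /d y /n >nul & cls & goto menu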

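:install
rem Installs Nginx as the Windows service sname running as the local user
rem suser, grants that user the permissions it needs, binds IIS to loopback
rem only and opens the inbound port in the firewall.
cls
if exist %nginxpath%\%sname%.exe (
    echo.
    echo 核实已安装Nginx环境,请检查服务是否启动,2s后返回主菜单。
    choice /t 2 /d y /n >nul & cls & goto menu
)
if not exist %nginxpath% (
    mkdir %nginxpath%
    echo 创建目录:%nginxpath%成功
)
if not exist %sslpath% (
    mkdir %sslpath%
    echo 创建目录:%sslpath%成功
)
if not exist %vhostpath% (
    mkdir %vhostpath%
    echo 创建目录:%vhostpath%成功
)
rem nginx.rar arrives over plain HTTP and is not checksummed before it is
rem unpacked and registered as a service; check it against a known-good copy.
if not exist %nginxpath%\%suser%.rar (
    %wgetfile% %baseurl%/%suser%.rar -O %nginxpath%\%suser%.rar >nul 2>nul
    title IIS+NGINX反向代理环境部署程序v%ver%
    echo 下载文件:%nginxpath%\%suser%.rar成功
)
%winrarfile% x -inul -o+  %nginxpath%\%suser%.rar  %nginxpath%  -y >nul 2>nul
rem Stop before creating an account and a service that point at a missing binary.
if not exist %nginxpath%\%sname%.exe (
    echo.
    echo 解压%nginxpath%\%suser%.rar失败,未找到%sname%.exe,2s后返回主菜单。
    choice /t 2 /d y /n >nul & cls & goto menu
)
rem The password is passed on the command line of net and sc, so it is visible
rem to anyone able to list process command lines while these two commands run.
net user %suser% %webpasswd% /add /active:yes >nul 2>nul
sc create %sname% binPath= %nginxpath%\%sname%.exe >nul 2>nul
sc config %sname% start= auto type= share obj= .\%suser% password= %webpasswd% >nul 2>nul
%nginxpath%\ntrights.exe -u %suser% +r SeServiceLogonRight >nul 2>nul

rem Least privilege for the service account: read on D:\ and on cmd.exe
rem (presumably needed by the service wrapper, confirm), read on the
rem certificate directory, and full control only of its own tree. Read is all
rem Nginx needs to load the key files; full control there would let a
rem compromised worker replace the keys and certificates.
cacls d:\ /G %suser%:R /E >nul 2>nul
cacls C:\Windows\System32\cmd.exe /G %suser%:R /E >nul 2>nul
echo y|cacls %sslpath% /P administrators:F %suser%:R /T >nul 2>nul
echo y|cacls %nginxpath% /P administrators:F %suser%:F /T >nul 2>nul
echo 创建用户:%suser%,创建服务:成功
iisreset /stop >nul 2>nul
rem Bind IIS to loopback so Nginx can own the public ports.
netsh http add iplisten ipaddress=127.0.0.1 >nul 2>nul

rem Add the inbound rule only once: the verbose listing of an existing rule
rem carries a line starting with 本地端口: on a Chinese system, which the scan
rem below looks for. Rule name and scan both use port so they stay in step.
netsh advfirewall firewall show rule name="allow%port%" verbose>tempfw.txt
for /f "delims=" %%a in (tempfw.txt) do (
    for /f "tokens=1* delims=:" %%i in ('call echo %%a^|find /i "本地端口:"') do (
    echo %%a>"tempfwch.txt"
    )
)
rem Plain del: the original /s switch also removed same-named files in every subdirectory.
del /f /q tempfw.txt >nul 2>nul
if exist tempfwch.txt ( del /f /q tempfwch.txt >nul 2>nul ) else (
netsh advfirewall firewall add rule name="allow%port%" protocol=TCP dir=in localport=%port% action=allow >nul 2>nul
)
rem Registry tweaks shipped inside the archive; their contents are not visible here.
regedit /s %nginxpath%\good.reg >nul 2>nul
echo 调整IIS监听,放行443端口,导入优化方案成功
rem Report a failed start instead of claiming success unconditionally.
net start %sname% && (
    echo 服务:%sname%启动成功
) || (
    echo 服务:%sname%启动失败,请检查账号%suser%的密码策略及nginx日志
)
iisreset /start >nul 2>nul
echo IIS服务启动成功
echo 安装完成
goto menu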

:uninstall
rem Reverses :install: removes the service and its account, strips the ACL
rem entries, restores IIS to all interfaces and deletes the Nginx and
rem certificate directories, private keys included.
if not exist %nginxpath%\%sname%.exe (
    echo.
    echo 没有安装Nginx环境,不需要卸载,2s后返回主菜单。
    choice /t 2 /d y /n >nul
    cls
    goto menu
)
cls
rem Service first, then the account that ran it.
net stop %sname%
sc delete %sname%
echo 停止删除:%sname%服务成功
rem Remove the service account from every ACL :install touched.
cacls d:\ /e /c /r %suser% >nul 2>nul
for %%d in (%nginxpath% %sslpath%) do cacls %%d /t /e /c /r %suser% >nul 2>nul
net user %suser% /delete
rem sc config IISADMIN start= auto
echo 还原:%nginxpath%,%sslpath%权限成功
rem Put IIS back on all interfaces.
iisreset /stop
netsh http delete iplisten ipaddress=127.0.0.1
iisreset /start
echo 还原IIS监听成功
rem Wipes the certificate directory as well; the keys copied there are gone afterwards.
for %%d in (%nginxpath% %sslpath%) do rmdir /s /q %%d >nul 2>nul
echo 清理:%nginxpath%,%sslpath%目录成功
echo 卸载完成
goto menu

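:newsetssl
rem Deploys a certificate for a new domain: asks for the domain, refuses to
rem overwrite an existing vhost config, then hands over to :forbiddenip and :setssl.
set domain=
set crt1path=
set crt2path=
set keypath=
set /p domain=-^> 请输入域名:
rem Drop quotes pasted around the name, then reject empty input.
if defined domain set "domain=!domain:"=!"
call :isnul domain, newsetssl
rem The domain becomes part of file names under the vhost and ssl directories,
rem of an appcmd query and of a sed expression, so only hostname characters may
rem pass. Every character in the delims list is a separator; any other character
rem survives as a token and clears domainok.
set domainok=1
for /f "delims=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-" %%c in ("!domain!") do set domainok=
if not defined domainok (
    echo 域名只能包含字母、数字、点和连字符,请重新输入。
    goto newsetssl
)
if exist %vhostpath%\%domain%.conf (
    echo 核实已存在对应配置文件,请检查%domain%是否已部署SSL。
    pause >nul
    exit
)
echo 正在部署SSL证书的域名是%domain%...
call :forbiddenip %domain%
goto:eof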

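rem Makes sure nginx.conf refuses requests whose Host header is a bare IPv4
rem address, then continues with :setssl for the domain given as argument 1.
:forbiddenip
if not exist %nginxpath%\%sname%.exe (
    echo.
    echo 没有安装Nginx环境,2s后返回主菜单,请选1安装。
    choice /t 2 /d y /n >nul & cls & goto menu
)
rem sed.exe is fetched and unpacked on first use; like the other helpers it
rem comes over plain HTTP with no integrity check.
if not exist %sedexe% (
    %wgetfile% %baseurl%/sed.rar -O %sedfile% >nul 2>nul
    %winrarfile% x -inul -o+  %sedfile%  %downdir%  -y >nul 2>nul
    title IIS+NGINX反向代理环境部署程序v%ver%
    echo 下载解压文件:%sedfile%成功
)
rem Argument 1 is the first parameter of the call; the tilde form strips its quotes.
rem Scan nginx.conf for an existing rule: a line containing both if and the host
rem regex. When one is found, :setssl is called directly and never returns.
for /f "delims=" %%a in (%nginxconf%) do set "a=%%a"&if not "!a!"=="!a:if=!" if not "!a!"=="!a:($host ~* "\d+\.\d+\.\d+\.\d+")=!" call :setssl %~1
echo.
echo 程序检测未禁止IP访问,为加固安全将自动添加以下规则禁止。
echo.
echo if ($host ~* "\d+\.\d+\.\d+\.\d+") { return 403; }
echo.
rem Insert the whole rule as one line after each real listen directive. The
rem original used three sed calls keyed on /if/ and /return 403;/, which also
rem matched any other line containing those substrings and scattered fragments
rem through the file. The anchored pattern skips commented-out listen lines.
%sedexe% -i "/^[[:space:]]*listen[[:space:]]/a\        if ($host ~* \"\\d+\\.\\d+\\.\\d+\\.\\d+\") { return 403; }" %nginxconf%
rem The service is restarted by :setssl once the vhost file is in place.
rem sed -i can leave sed* temp files in the working directory; clean them up.
for /f "delims=" %%j in ('dir /b /a-d "sed*"') do del %%j
call :setssl %~1
goto:eof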

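rem Replaces the certificate of a domain that already has a vhost config.
:updatessl
set domain=
set crt1path=
set crt2path=
set keypath=
set /p domain=-^> 请输入域名:
rem Drop quotes pasted around the name, then reject empty input.
if defined domain set "domain=!domain:"=!"
call :isnul domain, updatessl
rem Same hostname-only check as the deploy path: the domain ends up in file
rem names, an appcmd query and a sed expression. Any character outside the
rem delims list survives as a token and clears domainok.
set domainok=1
for /f "delims=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-" %%c in ("!domain!") do set domainok=
if not defined domainok (
    echo 域名只能包含字母、数字、点和连字符,请重新输入。
    goto updatessl
)
if not exist %vhostpath%\%domain%.conf (
    echo 核实不存在%domain%配置文件,请检查是否已部署SSL。
    pause >nul
    exit
)
echo 正在更新SSL证书的域名是%domain%...
call :setssl %domain%
rem :setssl ends in the menu; this guard keeps the code from falling into its label.
goto:eof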

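rem Installs or refreshes the certificate for the domain in argument 1: locates
rem the IIS site root, finds or asks for the .crt and .key, copies them into
rem sslpath and writes the vhost config from the template.
:setssl
set domain=%~1
echo %domain%
set ftpname=
set webpath=
rem appcmd prints the site as: SITE "name" id:... so split on the quote
rem character to get the whole name even when it contains spaces; the old
rem "tokens=2 delims= " cut a name like Default Web Site down to its first word.
for /f tokens^=2^ delims^=^" %%a in ('%appcmdfile% list site http://%domain%') do set "ftpname=%%a"
if not defined ftpname (
    echo 在IIS中找不到绑定了%domain%的站点,请先在IIS创建站点并绑定域名,2s后返回主菜单。
    choice /t 2 /d y /n >nul & cls & goto menu
)
rem delims= keeps the full physical path, spaces included.
for /f "delims=" %%i in ('%appcmdfile% list vdirs "/app.name:%ftpname%/" /text:physicalPath') do set "webpath=%%i"
if not defined webpath (
    echo 无法获取站点%ftpname%的物理路径,2s后返回主菜单。
    choice /t 2 /d y /n >nul & cls & goto menu
)
rem IIS may store the path with an environment variable inside it, for example
rem the default site; a second expansion through call resolves it.
call set "webpath=%%webpath%%"
set crtpath=

:crtflg
if not exist "%webpath%\%domain%.crt" (
    echo 请输入证书文件[%domain%.crt]的绝对路径
    set /p crtpath=-^>
    call :isnul crtpath,crtflg
    call :crtpath
) else (
    echo.
    echo 在%domain%网站根目录找到证书文件
    echo [%webpath%\%domain%.crt]
    set crtpath=%webpath%\%domain%.crt
)
rem Guess the key next to the certificate: same path with .crt swapped for .key.
set crtpathtemp=%crtpath:~0,-4%
set keypathtemp=%crtpathtemp%.key
set keypath=

:keyflg
if not exist "%keypathtemp%" (
    echo 请输入秘钥文件[%domain%.key]的绝对路径
    set /p keypath=-^>
    call :isnul keypath,keyflg
    call :keypath
) else (
    echo.
    echo 在证书文件1的目录找到秘钥文件
    echo [%keypathtemp%]
    set keypath=%keypathtemp%
    echo.
)
rem more looks like a leftover from when two certificate files were joined into
rem one; for a single file it behaves like a text copy, confirm before changing.
rem The private key lands in sslpath, whose ACL :install controls.
C:\Windows\system32\more "%crtpath%" > "%sslpath%\%domain%.crt"
copy "%keypath%" "%sslpath%\%domain%.key" >nul 2>nul
if not exist %vhosttemppath% (
    echo 找不到nginx模板配置文件%vhosttemppath%,程序将自动退出。
    pause >nul
    exit
)
copy "%vhosttemppath%" "%vhostpath%\%domain%.conf" >nul 2>nul
set sslvhostpath=%vhostpath%\%domain%.conf
rem Nginx wants forward slashes; this mirrors sslpath with / separators.
set sslpathtemp=d:/ssl
set crt=%sslpathtemp%/%domain%.crt
set key=%sslpathtemp%/%domain%.key

rem NOTE: the domain is spliced into these sed scripts unquoted; anything beyond
rem hostname characters would change the script, so validate it before calling.
rem Each pattern appends after every matching line, so a template with two
rem listen lines gets every directive twice.
%sedexe% -i "/listen/a\    server_name %domain%;" %sslvhostpath%
%sedexe% -i "/server_name/a\   ssl_certificate %crt%;" %sslvhostpath%
%sedexe% -i "/ssl_certificate/a\   ssl_certificate_key %key%;" %sslvhostpath%
C:\Windows\system32\net stop %sname%
rem A start failure after a config change usually means the new vhost or the
rem certificate files are wrong; say so instead of reporting success.
C:\Windows\system32\net start %sname% || echo 服务:%sname%启动失败,请检查%sslvhostpath%及证书文件
for /f "delims=" %%j in ('dir /b /a-d "sed*"') do del %%j
echo 安装完成,请关闭窗口
echo 站点配置文件:%sslvhostpath%
echo 证书文件路径:%sslpath%\%domain%.crt
echo               %sslpath%\%domain%.key
goto menu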

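:crtpath
rem Re-prompts until crtpath names an existing file. Quotes pasted around the
rem path are stripped and the tests are quoted so paths with spaces work; a
rem directory is rejected too, since exist alone accepts one.
if defined crtpath set "crtpath=!crtpath:"=!"
set crtok=1
if not exist "!crtpath!" set crtok=
if exist "!crtpath!\*" set crtok=
if not defined crtok (
    echo !crtpath! 不是有效证书文件
    set /p crtpath=-^>
    call :crtpath
)
goto:eof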

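:keypath
rem Re-prompts until keypath names an existing file. Quotes pasted around the
rem path are stripped and the tests are quoted so paths with spaces work; a
rem directory is rejected too, since exist alone accepts one.
if defined keypath set "keypath=!keypath:"=!"
set keyok=1
if not exist "!keypath!" set keyok=
if exist "!keypath!\*" set keyok=
if not defined keyok (
    echo !keypath! 不是有效秘钥文件
    set /p keypath=-^>
    call :keypath
)
goto:eof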

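:logecho
rem Prints one changelog line passed as arguments. The original echoed only
rem argument 1, so a line with spaces lost everything after its first word;
rem echo with the paren form also prints an empty line instead of ECHO is on.
echo(%*
goto:eof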

:isnul
rem Argument 1: name of the variable to test. Argument 2: label to jump to
rem when it is empty. The jump happens inside this call frame, so the label
rem then runs from here and control never comes back to the caller.
if defined %~1 goto :eof
echo 输入为空,请重新输入。
goto %~2

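:enableipv6
rem Toggles the IPv6 listen directives. The menu already labels this option as
rem disable once the template carries the line, but the original appended again
rem on every run, producing duplicate listen lines that nginx rejects.
findstr /L /C:"listen [::]:443 ssl http2;" %vhosttemppath% >nul 2>nul && goto disableipv6
rem Anchored on real listen directives so commented-out ones are skipped.
%sedexe% -i "/^[[:space:]]*listen[[:space:]]/a\        listen [::]:80;" %nginxconf%
%sedexe% -i "/^[[:space:]]*listen[[:space:]]/a\    listen [::]:443 ssl http2;" %vhosttemppath%
echo 开启IPV6成功
goto menu

:disableipv6
%sedexe% -i "/^[[:space:]]*listen \[::\]:80;/d" %nginxconf%
%sedexe% -i "/^[[:space:]]*listen \[::\]:443 ssl http2;/d" %vhosttemppath%
echo 关闭IPV6成功
goto menu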

:exit
rem Menu option 6: closes the console window rather than returning to the caller.
exit
