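    #!/bin/bash
    
    # Django usually listens on port 8000 without SSL.
    # Some of our projects however require SSL.
    # Run this script to set up an nginx TLS-terminating reverse proxy for
    # Django: https://localhost -> http://localhost:8000.
    #
    # Must be run as root. Writes $SITES_AVAILABLE/$CONFIG_FILENAME, symlinks
    # it into $SITES_ENABLED and restarts nginx.
    # Exit status: 0 if nginx is active afterwards, 1 on any failure.
    
    set -e          # die on error
    set -u          # die if some var not set
    set -o pipefail # a failing pipeline stage fails the pipeline
    
    # The whole script writes under /etc and restarts a service, so it has
    # to be root from the start; no per-command sudo is needed below.
    if [[ "$EUID" != 0 ]]; then
        echo "Need to be run as root." >&2
        exit 1
    fi
    
    readonly SITES_AVAILABLE="/etc/nginx/sites-available"
    readonly SITES_ENABLED="/etc/nginx/sites-enabled"
    readonly CONFIG_FILENAME="443-ssl-to-8000"
    
    # Debian/Ubuntu self-signed "snakeoil" pair from the ssl-cert package.
    # Browsers will warn on it; replace with a real certificate for anything
    # that is not a local/dev box.
    readonly CERT_PUB="/etc/ssl/certs/ssl-cert-snakeoil.pem"
    readonly CERT_KEY="/etc/ssl/private/ssl-cert-snakeoil.key"
    
    # Both directories must exist (the original check tested sites-available
    # twice and never looked at sites-enabled).
    if [[ ! -d "$SITES_AVAILABLE" || ! -d "$SITES_ENABLED" ]]; then
        echo "Is nginx installed? Missing $SITES_AVAILABLE or $SITES_ENABLED." >&2
        exit 1
    fi
    
    if [[ ! -e "$CERT_PUB" || ! -e "$CERT_KEY" ]]; then
        echo "No snakeoil certs? Missing $CERT_PUB or $CERT_KEY." >&2
        exit 1
    fi
    
    echo "Setting up site config..."
    
    # Unquoted heredoc: $CERT_PUB/$CERT_KEY are expanded by the shell,
    # nginx's own variables are escaped (\$host etc.) so they reach the file
    # literally. The redirection runs as the current (root) shell.
    cat > "$SITES_AVAILABLE/$CONFIG_FILENAME" << EOF
    
    upstream localhost8000 {
      server localhost:8000;
    }
    
    server {
      # "listen ... ssl" replaces the deprecated "ssl on;" directive
      # (removed in newer nginx releases) and works on every version
      # that has SNI support.
      listen     443 ssl;
    
      allow 127.0.0.1;
      allow 141.71.113.0/24;
      deny all;
    
      ssl_certificate                $CERT_PUB;
      ssl_certificate_key            $CERT_KEY;
      # TLS 1.0/1.1 are deprecated (RFC 8996); only offer 1.2.
      ssl_protocols                  TLSv1.2;
      ssl_ciphers                 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    
      location / {
        proxy_pass        http://localhost8000;
        proxy_set_header  Host \$host;
        # \$remote_addr (not a client-supplied header) so the upstream
        # sees the real peer address and cannot be fed a spoofed one.
        proxy_set_header  X-Forwarded-For \$remote_addr;
        proxy_set_header  X-Forwarded-Proto "https";
        # Overwrites any client-sent REMOTE-USER; empty unless nginx
        # itself authenticates the request.
        proxy_set_header  REMOTE-USER \$remote_user;
      }
    }
    
    EOF
    
    set +e  # stop dying on errors now; the status check below reports them
    
    ln -f -s "$SITES_AVAILABLE/$CONFIG_FILENAME" "$SITES_ENABLED/"
    
    echo "Restarting nginx..."
    
    systemctl restart nginx
    
    if [[ "$(systemctl is-active nginx)" == "active" ]]; then
        echo "http://localhost:8000 with SSL is here: https://localhost"
        exit 0
    fi
    
    # Report the failure and exit non-zero so callers can notice.
    echo "Oops. Seems like nginx is dead now." >&2
    echo
    systemctl status nginx --no-pager
    echo
    exit 1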