怎样使用SHELL脚本在NGINX上一键部署SSL
#!/bin/bash
#######################################################
# $Name: nginx-ssl.sh
# $Version: v1.2
# $Function: 基于nginx一键部署https
# $Author: Ropon
# $organization: west.cn
# $Create Date: 2017-3-23
# $Description: 1、基于nginx自动部署https,自动设置301
# 2、自动判断是否升级nginx和openssl
# 3、支持wdcp或其他已安装好nginx环境
# 4、部署后nginx配置文件推荐放到/home/nginx-vhost/目录下(可选)
# 5、证书路径/home/ssl 以域名命名www.test.com.crt www.test.com.key
# 6、部署后nginx站点配置文件名为test.com_ssl.conf
#v1.2
#若我司申请证书,仅输入test.com.cer文件路径,自动补全其他文件路径
#智能判断放行443端口
#智能判断程序是否已运行,避免再次运行。
#######################################################
# Shell Env
SHELL_NAME="nginx-ssl.sh"
SHELL_DIR="/root"
SHELL_LOG="${SHELL_DIR}/${SHELL_NAME}.log"
LOCK_FILE="/tmp/${SHELL_NAME}.lock"
function myi18n(){
if [[ "$#" -ne 1 ]]
then
echo "demo"
fi
if [[ $LANG =~ [Uu][Tt][Ff] ]]
then
echo "$1"
else
echo "$1" | iconv -f utf-8 -t gbk
fi
}
#Write Log
shell_log(){
LOG_INFO=$1
myi18n "$(date "+%Y-%m-%d") $(date "+%H-%M-%S") : ${SHELL_NAME} : ${LOG_INFO}" >> ${SHELL_LOG}
}
shell_lock(){
touch ${LOCK_FILE}
}
shell_unlock(){
rm -f ${LOCK_FILE}
}
end(){
shell_unlock
exit
}
shell_log "信息:脚本开始运行"
if [ -f "$LOCK_FILE" ];then
shell_log "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -rf /tmp/nginx-ssl.sh.lock 命令清理锁文件"
myi18n "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -rf /tmp/nginx-ssl.sh.lock 命令清理锁文件" && exit
fi
shell_lock
homeconfpath=/home/nginx-ssl/conf
if [ ! -d "$homeconfpath" ];then
myi18n "请输入nginx安装路径,比如:/usr/local/nginx"
myi18n "如果使用wdcp环境,请直接回车"
read -p ": " confpath
if [ -z "$confpath" ] ;then
confpath=/www/wdlinux/nginx
fi
confpath1=${confpath}/conf
while [ ! -d "$confpath1" ]
do
myi18n "您输入路径${confpath1}不存在,请重新输入"
shell_log "错误:您输入路径${confpath1}不存在,请重新输入"
read -p ": " confpath
if [ -z "$confpath" ] ;then
confpath=/www/wdlinux/nginx
fi
confpath1=${confpath}/conf
done
temp=`find $confpath1 -maxdepth 1 -name 'nginx.conf'`
while ([ -z $temp ] || [ ! -f "$temp" ])
do
myi18n "nginx安装路径不对,请重新输入"
shell_log "错误:${confpath1} 路径下没有找到nginx.conf,请检查"
echo
read -p ": " confpath
if [ -z $confpath ] ;then
confpath=/www/wdlinux/nginx
wdcp=y
fi
confpath1=${confpath}/conf
temp=`find $confpath1 -maxdepth 1 -name 'nginx.conf'`
done
shell_log "信息:nginx配置文件路径 ${confpath1}"
myi18n "是否一键移动nginx配置文件到/home/nginx目录下并创建好软连接"
read -p "[y/n]: " conf_move
while [[ ! $conf_move =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " conf_move
done
if [ "$conf_move" == 'y' ] ;then
if [ ! -d "$homeconfpath" ];then
mkdir -p $homeconfpath
cp -rf ${confpath}/conf/* $homeconfpath
cd $confpath
mv conf/ conf-bak/
ln -sf $homeconfpath conf
if [ "$wdcp" == 'y' ] ;then
chown wdcpu.wdcpg $homeconfpath -R
fi
fi
else
homeconfpath=${confpath}/conf
fi
else
echo
myi18n "自动搜索到:nginx配置文件路径为 ${homeconfpath}"
shell_log "信息:自动搜索到:nginx配置文件路径为 ${homeconfpath}"
echo
fi
if [ -d "/www/wdlinux/nginx" ] ;then
wdcp=y
myi18n "使用wdcp环境,nginx版本为"
/www/wdlinux/nginx/sbin/nginx -v 2>&1|awk -F '/' '{print $2}'
shell_log "信息:当前使用wdcp环境"
fi
shell_log "信息:nginx的vhost文件路径 ${homeconfpath}"
homesslpath=/home/ssl
[ ! -d "$homesslpath" ] && mkdir -p $homesslpath
shell_log "信息:ssl证书存放路径 ${homesslpath}"
pushd ${homeconfpath}/vhost/
myi18n "请输入需要安装证书站点绑定的域名,比如:www.test.com"
myi18n "如果二级域名有绑定到其他站点,请使用www.test.com,不要输入顶级域名"
read -p ": " domain
while [ -z $domain ]
do
myi18n "域名不能为空,请重新输入。"
echo
read -p ": " domain
done
files=`grep -l " ${domain}" *.conf|awk 'NR==1{print}'|sed 's/\.conf//'`
if [ ! -n "$files" ] ;then
echo
echo ${domain}
myi18n "关联站点,没有找到!"
shell_log "警告:没有找到域名 ${domain} 对应配置文件"
echo
end 1
fi
files1=${homeconfpath}/vhost/${files}.conf
shell_log "信息:要部署域名 ${domain} 的配置文件是 ${files1}"
sslfile=${homeconfpath}/vhost/${files}_ssl.conf
if [ -f "$sslfile" ];then
crt=`grep -E 'ssl_certificate' ${sslfile}|awk -F 'ssl_certificate ' '{print $2}'|awk 'NR==1{print}'|sed 's/\;//'`
key=`grep -E 'ssl_certificate_key' ${sslfile}|awk -F 'ssl_certificate_key ' '{print $2}'|sed 's/\;//'`
if [ -f "$crt" ] && [ -f "$key" ];then
echo
echo ${domain}
myi18n "关联站点证书已安装!"
shell_log "警告:域名 ${domain} 已成功部署"
echo
end 1
fi
echo
echo ${domain}
myi18n "关联站点ssl配置文件已存在,是否需要删除?"
read -p "[y/n]: " ssl_check
while [[ ! $ssl_check =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " ssl_check
done
if [ "$ssl_check" == 'y' ];then
rm -rf $sslfile
else
echo
echo ${domain}
myi18n "已存在ssl配置文件,请核实后重新运行程序。"
shell_log "警告:要部署域名 ${domain} 已存在部署后配置文件 ${sslfile}"
end 1
fi
fi
temp12=`grep -E 'https://' ${files1}`
if [ -n "$temp12" ] ;then
echo
echo ${domain}
myi18n "对应配置文件存在301转向(return 301),是否需要删除?"
read -p "[y/n]: " s_check
while [[ ! $s_check =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " s_check
done
if [ "$s_check" == 'y' ];then
sed -i '/^.*return.*301 https/d' $files1
else
echo
echo ${domain}
myi18n "域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
shell_log "警告:域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
end 1
fi
fi
crt1=${homesslpath}/${domain}.crt
key1=${homesslpath}/${domain}.key
if [ ! -f "$crt1" ];then
myi18n "我司申请在nginx上部署需要先合并,请输入y或者n?"
read -p "[y/n]: " crt_yn
while [[ ! $crt_yn =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " crt_yn
done
if [ "$crt_yn" == 'y' ] ;then
myi18n "请输入cer证书路径,比如 /root/test.com.cer"
myi18n "/root/test.com.cer"
read -p "Please reinput crtpath1 : " crtpath1
while ([ -z "$crtpath1" ] || [ ! -f "$crtpath1" ])
do
myi18n "需要合并证书1不能为空或路径错误,请重新输入。"
shell_log "警告:需要合并证书1 ${crtpath1} 为空或路径错误"
echo
read -p ": " crtpath1
done
pathtemp=`echo $crtpath1|awk -F '.cer' '{print $1}'`
crtpath2temp=${pathtemp}_ca.crt
keypathtemp=${pathtemp}.key
echo $crtpath2temp
echo $keypathtemp
if [ ! -f "$crtpath2temp" ];then
myi18n "/root/test.com_ca.crt"
read -p "Please reinput crtpath2 : " crtpath2
while ([ -z "$crtpath2" ] || [ ! -f "$crtpath2" ])
do
myi18n "需要合并证书2不能为空或路径错误,请重新输入。"
shell_log "警告:需要合并证书2 ${crtpath2} 为空或路径错误"
echo
read -p ": " crtpath2
done
else
crtpath2=$crtpath2temp
echo
myi18n "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
myi18n "系统会自动补全合并为~/${domain}.crt"
shell_log "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
echo
fi
shell_log "信息:域名 ${domain} 需要合并证书1 ${crtpath1}"
shell_log "信息:域名 ${domain} 需要合并证书2 ${crtpath2}"
cat $crtpath1 $crtpath2 >> ~/$domain.crt
crtpath=~/${domain}.crt
else
myi18n "请输入需要安装证书路径:eg /root/test.com.crt"
read -p "Please reinput crtpath : " crtpath
while ([ -z "$crtpath" ] || [ ! -f "$crtpath" ])
do
myi18n "crt证书路径不能为空或路径错误,请重新输入。"
shell_log "警告:crt证书路径 ${crtpath} 为空或路径错误"
echo
read -p ": " crtpath
done
fi
cp ${crtpath} ${homesslpath}/${domain}.crt
else
echo
myi18n "自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
shell_log "信息:自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
echo
fi
if [ ! -f "$key1" ] ;then
if [ ! -f "$keypathtemp" ] ;then
myi18n "请输入需要安装证书路径:eg /root/test.com.key"
read -p "Please reinput keypath : " keypath
while ([ -z "$keypath" ] || [ ! -f "$keypath" ])
do
myi18n "key证书路径不能为空或路径错误,请重新输入。"
shell_log "警告:key证书路径 ${keypath} 为空或路径错误"
echo
read -p ": " keypath
done
else
keypath=$keypathtemp
echo
myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
shell_log "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
echo
fi
cp ${keypath} ${homesslpath}/${domain}.key
else
echo
myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
shell_log "信息:自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
echo
fi
shell_log "信息:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
shell_log "信息:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
cp ${files}".conf" ${homeconfpath}/vhost/${files}"_ssl.conf"
shell_log "信息:域名 ${domain} 部署后 ssl配置文件为 ${homeconfpath}/${files}_ssl.conf"
if [ "$wdcp" == 'y' ] ;then
chown wdcpu.wdcpg * -R
shell_log "信息:核实为wdcp环境,设置${homeconfpath} 所有者及所属组为wdcpu.wdcpg"
fi
sed -i "s/80/443 ssl/g" ${sslfile}
sed -i "/root/a\ ssl_certificate $crt1;" ${sslfile}
sed -i "/ssl_certificate/a\ ssl_certificate_key $key1;" ${sslfile}
sed -i "/ssl_certificate_key/a\ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" ${sslfile}
sed -i "/ssl_protocols/a\ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;" ${sslfile}
myi18n "是否需要一键设置301转向,请输入y或者n?"
read -p "[y/n]: " zx_yn
while [[ ! $zx_yn =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " zx_yn
done
if [ "$zx_yn" == 'y' ] ;then
myi18n "请输入跳转后地址比如:"
read -p "${domain}: " server_name1
if [ -z $server_name1 ] ;then
server_name1='$server_name'
fi
request_uri1='$request_uri'
sed -i "/server_name/a\ return 301 https://$server_name1$request_uri1;" ${files1}
shell_log "信息:域名 ${domain} 已设置301跳转到https://${server_name1}${request_uri1} ${files1}"
fi
service nginxd restart
iptables -L -n |grep -w dpt:80 >/dev/null
if [ $? -eq 0 ] ;then
iptables -L -n |grep -w dpt:443 >/dev/null
if [ $? -ne 0 ] ;then
echo
myi18n "正在放行443端口"
echo
sed -i "/dport 80 -j ACCEPT/a\-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" /etc/sysconfig/iptables
service iptables restart
else
myi18n "核实已放行443端口"
fi
else
myi18n "iptables服务似乎没有运行"
fi
curl -I https://${domain}
echo
echo ${domain}
myi18n "关联站点证书已安装完成!"
myi18n "证书文件存放/home/ssl,以域名方式命名。"
echo
myi18n "域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
myi18n "域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
echo
cp -rf ${homeconfpath}/vhost /home/nginx-vhost-bak
myi18n "同时已备份当前nginx配置文件到/home/nginx-vhost-bak"
if [ "$wdcp" == 'y' ] ;then
myi18n "如果使用wdcp环境,请不要登录wdcp切换web引擎,否则配置文件将被覆盖!"
fi
shell_log "信息:${domain} 关联站点证书已安装完成"
pushd /root/
if [ "$wdcp" == 'y' ] && [ ! -d /www/wdlinux/nginx-1.10.2 ] ;then
myi18n "核实nginx和openssl版本较低,若要通过苹果ats认证,请升级"
function homemove(){
confpath=/www/wdlinux/nginx
if [ "${homeconfpath}" == "/www/wdlinux/nginx/conf" ] ;then
echo $homeconfpath;
myi18n "不需要移动配置文件"
else
cp -rf ${confpath}/conf/* $homeconfpath
cd $confpath
mv conf/ conf-bak/
ln -sf $homeconfpath conf
chown wdcpu.wdcpg $homeconfpath -R
fi
}
read -p "[y/n]: " update
while [[ ! $update =~ ^[y,n]$ ]]
do
echo "input error! Please only input 'y' or 'n'"
echo
read -p "[y/n]: " update
done
if [ "$update" == 'y' ];then
wget http://downinfo.myhostadmin.net/wdcp/nginx_up.sh
sh nginx_up.sh
homemove
shell_log "信息:核实为wdcp环境,已选择升级nginx和OpenSSL"
fi
fi
shell_log "信息:脚本正常退出"
shell_unlock
442956988