From 7079d0048c3399d2c23d3c80ab9aa065511b262e Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Tue, 19 Mar 2013 12:55:14 +0100
Subject: [PATCH] Correction : vm_{hosted,remote} : rule_{apache2,nginx}_configure : $site .
---
 vm_hosted | 171 +++++++++++++++++++++++++++---------------------------
 vm_remote | 36 +++++-------
 2 files changed, 101 insertions(+), 106 deletions(-)
diff --git a/vm_hosted b/vm_hosted
index 4a4749d..19ea6be 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -107,52 +107,51 @@ rule_apache2_configure () { for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf do conf=${conf#"$tool"/etc/apache2/site.d/} local port site - IFS=. read -r port site <<-EOF + IFS=. read -r port domain <<-EOF ${conf%\/VirtualHost\.conf} EOF - assert 'test "${site:+set}"' assert 'test "${port:+set}"' - local site_user="$user.$port.$site" - local site_dir="$user.$port.$site" + assert 'test "${domain:+set}"' + local site="$port.$domain" case $port in (443) local hint="run vm_remote apache2_key_send before" - assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint - sudo install -d -m 770 -o "$user" -g "$user" \ + assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint + sudo install -d -m 770 -o www."$site" -g www."$site" \ /etc/apache2 \ - /etc/apache2/site.d/"$site_dir" \ - /etc/apache2/site.d/"$site_dir"/x509 \ - /etc/apache2/site.d/"$site_dir"/x509/ca \ - /etc/apache2/site.d/"$site_dir"/x509/empty \ - /etc/apache2/site.d/"$site_dir"/x509/rvk \ - /etc/apache2/site.d/"$site_dir"/x509/usr + /etc/apache2/site.d/"$site" \ + /etc/apache2/site.d/"$site"/x509 \ + /etc/apache2/site.d/"$site"/x509/ca \ + /etc/apache2/site.d/"$site"/x509/empty \ + /etc/apache2/site.d/"$site"/x509/rvk \ + /etc/apache2/site.d/"$site"/x509/usr sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ - /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem - #sudo install -m 664 -o "$user" -g "$user" \ + "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ + /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem + #sudo install -m 664 -o www."$site" -g www."$site" \ # "$tool"/var/pub/x509/"$site"/rvk.pem \ - # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem + # /etc/apache2/site.d/"$site"/x509/rvk.pem sudo install -m 664 -o www -g www \ "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \ - /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem + /etc/apache2/site.d/"$site"/x509/ca/crt.pem sudo install -m 664 -o www 
-g www \ - "$tool"/var/pub/x509/"$site"/crt.pem \ - /etc/apache2/site.d/"$site_dir"/x509/crt.pem + "$tool"/var/pub/x509/"$site"/crt.pem \ + /etc/apache2/site.d/"$site"/x509/crt.pem ;; esac case $port in (80) cat <<-EOF - AssignUserID $site_user $site_user - CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined + AssignUserID www.$site www.$site + CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined #CustomLog "/dev/null" Combined - DocumentRoot /home/www/pub/$site_dir - ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60" + DocumentRoot /home/www/pub/$site + ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" #ErrorLog "/dev/null" - ServerName $site + ServerName $domain LogLevel Warn - $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf) + $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf) EOF ;; 
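Review bot: The 443 branch now creates `/etc/apache2` itself and the whole `site.d/$site/x509` tree (including `x509/usr` and `x509/rvk`) with `-m 770 -o www."$site" -g www."$site"`, and `AssignUserID www.$site www.$site` later in the same hunk runs the vhost's request handling under that very account, so a compromised application can replace its own VirtualHost.conf, key.pem and the client-certificate trust and revocation directories that `SSLCACertificatePath`/`SSLCARevocationPath` point at. Apache reads its configuration and key material as root before switching to the per-vhost user, so these directories do not need to be writable by the worker; `sudo install -d -m 750 -o root -g www."$site" \` (and leaving `/etc/apache2` root-owned) keeps them readable but not writable by it, which matters all the more if `install -d` re-owns an already existing `/etc/apache2` — I have not verified that coreutils does so. Also, `www."$site"` is created by the `getent passwd ... || sudo adduser` block only further down the loop body (hunk -191), so on a host where the account does not exist yet this `install` fails with an unknown user before the account is created. rule_apache2_configure continues past both ends of this hunk.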
@@ -160,26 +159,26 @@ rule_apache2_configure () { cat <<-EOF - AssignUserID $site_user $site_user + AssignUserID www.$site www.$site BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown - CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined + CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined #CustomLog "/dev/null" Combined - DocumentRoot /home/www/pub/$site_dir - ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60" + DocumentRoot /home/www/pub/$site + ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" #ErrorLog "/dev/null" LogLevel Warn - ServerName $site - SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem - SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/ - #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem - SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem - SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/ + ServerName $domain + SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem + SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/ + #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem + SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem + SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/ # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés - SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/ - SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem - SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem - SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem + SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/ + SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem + SSLCertificateFile 
/etc/apache2/site.d/$site/x509/crt.pem + SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem SSLCipherSuite AES+RSA+SHA256 SSLEngine On SSLInsecureRenegotiation Off 
@@ -191,45 +190,45 @@ rule_apache2_configure () { SSLUserName SSL_CLIENT_S_DN_CN SSLVerifyClient None SSLVerifyDepth 1 - $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf) + $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf) EOF ;; esac | sudo install -m 660 -o root -g root /dev/stdin \ - /etc/apache2/site.d/"$site_dir"/VirtualHost.conf + /etc/apache2/site.d/"$site"/VirtualHost.conf sudo ln -fns \ - ../site.d/"$site_dir"/VirtualHost.conf \ - /etc/apache2/sites-available/"$site_dir" - sudo install -d -m 770 -o "$user" -g "$user" \ - /home/www/log/"$site_dir" \ - /home/www/log/"$site_dir"/apache2 + ../site.d/"$site"/VirtualHost.conf \ + /etc/apache2/sites-available/"$site" + sudo install -d -m 770 -o www."$site" -g www."$site" \ + /home/www/log/"$site" \ + /home/www/log/"$site"/apache2 sudo ln -fns \ - /etc/apache2/site.d/"$site_dir" \ - /home/www/etc/apache2/"$site_dir" - test -e /home/www/pub/"$site_dir" || - sudo install -d -m 770 -o "$user" -g "$user" \ - /home/www/pub/"$site_dir" - getent passwd "$site_user" >/dev/null || + /etc/apache2/site.d/"$site" \ + /home/www/etc/apache2/"$site" + test -e /home/www/pub/"$site" || + sudo install -d -m 770 -o www."$site" -g www."$site" \ + /home/www/pub/"$site" + getent passwd www."$site" >/dev/null || sudo adduser \ --disabled-password \ --group \ --no-create-home \ - --home /home/www/pub/"$site_dir" \ + --home /home/www/pub/"$site" \ --shell /bin/false \ --system \ - "$site_user" - sudo setfacl -m u:"$site_user":--x \ - /home/www/ \ - /home/www/pub/ \ - /home/www/pub/"$site_dir"/ - sudo setfacl -m d:u:"$site_user":rwx \ - "$home"/pub/www/"$site_dir"/ - test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh || - . 
"$tool"/etc/apache2/site.d/"$site_dir"/configure.sh - test -e /etc/apache2/sites-enabled/"$site_dir" || - sudo a2ensite "$site_dir" + www."$site" + #sudo setfacl -m u:"www.$site":--x \ + # /home/www/ \ + # /home/www/pub/ \ + # /home/www/pub/"$site"/ \ + #sudo setfacl -m d:u:"www.$site":rwx \ + # "$home"/pub/www/"$site"/ + test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh || + . "$tool"/etc/apache2/site.d/"$site"/configure.sh + test -e /etc/apache2/sites-enabled/"$site" || + sudo a2ensite "$site" done sudo service apache2 restart }
@@ -809,13 +808,13 @@ rule_nginx_configure () { done for conf in "$tool"/etc/nginx/site.d/*/server.conf do conf=${conf#"$tool"/etc/nginx/site.d/} - local port site - IFS=. read -r port site <<-EOF + local port domain + IFS=. read -r port domain <<-EOF ${conf%\/server\.conf} EOF assert 'test "${port:+set}"' - assert 'test "${site:+set}"' - site="$port.$site" + assert 'test "${domain:+set}"' + local site="$port.$domain" getent passwd www."$site" >/dev/null || sudo adduser \ --disabled-login \
@@ -853,7 +852,7 @@ rule_nginx_configure () { access_log /home/www/log/$site/nginx/access.log main; error_log /home/www/log/$site/nginx/error.log warn; root /home/www/pub/$site; - server_name $site; + server_name $domain; $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) } EOF
@@ -866,7 +865,7 @@ rule_nginx_configure () { error_log /home/www/log/$site/nginx/error.log warn; keepalive_timeout 70; root /home/www/pub/$site; - server_name $site; + server_name $domain; # DOC: http://wiki.nginx.org/HttpSslModule ssl on; ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
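Review bot: The dropped `setfacl` grants at the end of this hunk are kept as commented-out code instead of being removed; if the ACL approach is abandoned, delete the block (history keeps it), and if it is meant to return, a one-line `# TODO: ACL grants disabled because ...` saying why is more useful than six dead lines. Separately, the `getent passwd www."$site" >/dev/null || sudo adduser ...` block that creates the account sits after the `sudo install -d ... -o www."$site" -g www."$site"` calls that already chown to it (the `/home/www/log` ones above it here and the `/etc/apache2` ones in hunk -107), so the first run on a fresh host aborts on an unknown user; moving the account creation to the top of the loop body, right after `local site="$port.$domain"`, fixes the ordering. The loop and rule_apache2_configure start before this hunk.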
@@ -882,9 +881,9 @@ rule_nginx_configure () { esac | sudo install -m 660 -o www -g www /dev/stdin \ /etc/nginx/site.d/"$site"/server.conf - adduser www-data "$site" + adduser www-data www."$site" test -e /home/www/pub/"$site" || - sudo install -d -m 3770 -o "$site" -g "$site" \ + sudo install -d -m 3770 -o www."$site" -g www."$site" \ /home/www/pub/"$site" sudo install -d -m 3770 -o log."$site" -g log."$site" \ /home/www/log/"$site"/nginx
@@ -916,14 +915,14 @@ rule_php5_fpm_configure () { sudo rm -f /etc/php5/fpm/pool.d/* for conf in "$tool"/etc/php5/fpm/pool.d/*.conf do conf=${conf#"$tool"/etc/php5/fpm/pool.d/} - local port site - IFS=. read -r port site <<-EOF + local port domain + IFS=. read -r port domain <<-EOF ${conf%\.conf} EOF assert 'test "${port:+set}"' - assert 'test "${site:+set}"' - site="$port.$site" - getent passwd php5"$site" >/dev/null || + assert 'test "${domain:+set}"' + local site="$port.$domain" + getent passwd php5."$site" >/dev/null || sudo adduser \ --disabled-login \ --disabled-password \
@@ -938,7 +937,7 @@ rule_php5_fpm_configure () { /home/www/log/php5/fpm sudo install -d -m 770 -o log."$site" -g log."$site" \ /home/www/log/"$site" - sudo adduser php5."$user" www."$site" + sudo adduser php5."$site" www."$site" sudo install -m 660 -o root -g root /dev/stdin \ /etc/php5/fpm/pool.d/"$conf" <<-EOF [php5.$site]
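Review bot: `adduser www-data www."$site"` is the only privileged call in this loop that is not prefixed with `sudo`, so unless the script already runs as root the group membership is never added (the commit rewrites the line but keeps that omission); it should read `sudo adduser www-data www."$site"`. Note also that this membership combined with `sudo install -d -m 3770 -o www."$site" -g www."$site" /home/www/pub/"$site"` gives www-data (presumably the shared nginx worker) write access to every site's document root, while serving static files only needs read; `-m 3750` on the pub directory keeps setgid and limits a compromise of one vhost to reading, not modifying, the others. rule_nginx_configure continues outside the hunk.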
@@ -1000,17 +999,17 @@ rule_postfix_configure () { ../crt+crl.self-signed.pem \ /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem + "$tool"/var/pub/x509/smptd.$vm_domainname/crt+crl.self-signed.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt.pem + "$tool"/var/pub/x509/smptd.$vm_domainname/crt.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem + "$tool"/var/pub/x509/smptd.$vm_domainname/crt+ca.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem + "$tool"/var/pub/x509/smptd.$vm_domainname/crt+crl.self-signed.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem sudo install -m 660 -o root -g root \ "$tool"/etc/postfix/$vm_domainname/header_checks \ /etc/postfix/$vm_domainname/header_checks
diff --git a/vm_remote b/vm_remote
index b7ce833..438f922 100755
--- a/vm_remote
+++ b/vm_remote
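Review bot: The new source paths are spelled `"$tool"/var/pub/x509/smptd.$vm_domainname/...` while every destination in the same hunk (and the function name) uses `smtpd`; unless the tree under `var/pub/x509` really carries that spelling, the four `install -m 400` calls will not find their sources and should read `"$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \` and so on. The first and fourth `install -m 400` pairs also remain identical (both copy `crt+crl.self-signed.pem` to the same destination), so one of them can be dropped. rule_postfix_configure starts and ends outside this hunk.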
@@ -103,29 +103,27 @@ rule_apache2_key_send () { local -; set +f for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf do conf=${conf#"$tool"/etc/apache2/site.d/} - local user port service site - IFS=. read -r user port service site <<-EOF + local port domain + IFS=. read -r port domain <<-EOF ${conf%\/VirtualHost\.conf} EOF - assert 'test "${user:+set}"' - assert 'test "${service:+set}"' - assert 'test "${site:+set}"' assert 'test "${port:+set}"' - local site_dir="$user.$port.$service.$site" + assert 'test "${domain:+set}"' + local site="$port.$domain" case $port in (443) rule ssh -l root ' \ sudo install -d -m 770 -o '"$user"' -g '"$user"' \ /etc/apache2 \ - /etc/apache2/site.d/'"$site_dir"' \ - /etc/apache2/site.d/'"$site_dir"'/x509; \ + /etc/apache2/site.d/'"$site"' \ + /etc/apache2/site.d/'"$site"'/x509; \ sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \ - /etc/apache2/site.d/'"$site_dir"'/x509/.gitignore <<-EOF + /etc/apache2/site.d/'"$site"'/x509/.gitignore <<-EOF key.pem EOF ' rule _x509_service_key_send_deciphered $service \ - ~"$user"/etc/apache2/"$site_dir"/x509/key.pem -l root "$@" + /etc/apache2/"$site"/x509/key.pem -l root "$@" ;; esac done 
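Review bot: `local port domain` and `IFS=. read -r port domain` replace the old four-field read, but the hunk still uses `$user` in `sudo install -d -m 770 -o '"$user"' -g '"$user"'` and `$service` in `rule _x509_service_key_send_deciphered $service`; neither is assigned in this loop any more, so they expand to whatever the caller's environment happens to hold (empty gives `-o '' -g ''` and a key-send rule with no service), and the same dangling `$service` is in rule_nginx_key_send (hunk -159). The destination also changed to `/etc/apache2/"$site"/x509/key.pem`, whereas the ssh command just above creates `/etc/apache2/site.d/'"$site"'/x509` and vm_hosted asserts `/etc/apache2/site.d/"$site"/x509/key.pem`, so unless `/etc/apache2/$site` is a symlink created elsewhere the private key lands outside the directory prepared for it; `/etc/apache2/site.d/"$site"/x509/key.pem -l root "$@"` matches the consumer (the nginx hunk has the same `site.d` omission, though its old path lacked it too). Both rule bodies continue outside their hunks.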
@@ -159,30 +157,28 @@ rule_nginx_key_send () { local -; set +f for conf in "$tool"/etc/nginx/site.d/*/server.conf do conf=${conf#"$tool"/etc/nginx/site.d/} - local user port service site - IFS=. read -r user port service site <<-EOF + local port domain + IFS=. read -r port domain <<-EOF ${conf%\/server\.conf} EOF - assert 'test "${user:+set}"' - assert 'test "${service:+set}"' - assert 'test "${site:+set}"' assert 'test "${port:+set}"' - local site_dir="$user.$port.$service.$site" + assert 'test "${domain:+set}"' + local site="$port.$domain" case $port in (443) rule ssh -l root ' \ sudo install -d -m 770 -o root -g root \ /etc/nginx \ /etc/nginx/site.d \ - /etc/nginx/site.d/'"$site_dir"' \ - /etc/nginx/site.d/'"$site_dir"'/x509; \ + /etc/nginx/site.d/'"$site"' \ + /etc/nginx/site.d/'"$site"'/x509; \ sudo install -m 644 -o root -g root /dev/stdin \ - /etc/nginx/site.d/'"$site_dir"'/x509/.gitignore <<-EOF + /etc/nginx/site.d/'"$site"'/x509/.gitignore <<-EOF key.pem EOF ' rule _x509_service_key_send_deciphered $service \ - /etc/nginx/"$site_dir"/x509/key.pem -l root "$@" + /etc/nginx/"$site"/x509/key.pem -l root "$@" ;; esac done -- 2.20.1