怎样使用SHELL脚本在NGINX上一键部署SSL
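#!/bin/bash
#######################################################
# $Name: nginx-ssl.sh
# $Version: v1.2
# $Function: one-click HTTPS deployment on an existing nginx vhost
# $Author: Ropon
# $organization: west.cn
# $Create Date: 2017-3-23
# $Description:
#   1. Deploys HTTPS on an existing nginx vhost and can add a 301 redirect
#   2. Detects whether nginx/openssl should be upgraded (wdcp environments)
#   3. Works with wdcp or any other already-installed nginx
#   4. The nginx config may optionally be moved under /home/nginx-vhost/
#   5. Certificates live in /home/ssl, named after the domain:
#      www.test.com.crt / www.test.com.key
#   6. The generated site config is named test.com_ssl.conf
# v1.2
#   - For certificates issued by us only the test.com.cer path is needed;
#     the remaining file paths are derived from it
#   - Opens port 443 in iptables when port 80 is already open
#   - Refuses to start while another instance holds the lock file
#
# Requirements: runs as root, GNU sed (uses -i and 0,/re/ ranges),
# iptables config at /etc/sysconfig/iptables (CentOS style).
#######################################################

# Shell Env
SHELL_NAME="nginx-ssl.sh"
SHELL_DIR="/root"
SHELL_LOG="${SHELL_DIR}/${SHELL_NAME}.log"
# NOTE: the lock lives in world-writable /tmp; another local user can
# pre-create it and block the script (denial of service only, touch/rm -f
# never follow it into a destructive operation). The user-facing message
# below names this path, so it is kept.
LOCK_FILE="/tmp/${SHELL_NAME}.lock"

# State shared across the script (initialised so later tests never see an
# unset variable).
wdcp=''
confpath=''
keypathtemp=''

#######################################
# Print a message in the terminal's encoding: UTF-8 locales get the text
# as-is, anything else is converted from UTF-8 to GBK.
# Arguments: $1 - the message
# Outputs:   the message on stdout
#######################################
myi18n() {
  if [[ "$#" -ne 1 ]]; then
    # Debug leftover from the original script; kept so behaviour is unchanged.
    echo "demo"
  fi
  if [[ $LANG =~ [Uu][Tt][Ff] ]]; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "$1" | iconv -f utf-8 -t gbk
  fi
}

#######################################
# Append a timestamped line to ${SHELL_LOG}.
# Arguments: $1 - the log text
#######################################
shell_log() {
  local log_info=$1
  myi18n "$(date "+%Y-%m-%d") $(date "+%H-%M-%S") : ${SHELL_NAME} : ${log_info}" >> "${SHELL_LOG}"
}

shell_lock() {
  touch -- "${LOCK_FILE}"
}

shell_unlock() {
  rm -f -- "${LOCK_FILE}"
}

#######################################
# Leave the script. The EXIT trap (installed once the lock is taken)
# removes the lock file on every exit path.
# Arguments: $1 - exit status (default 0); the original ignored it and
#                 always exited 0, which hid every failure from callers.
#######################################
end() {
  exit "${1:-0}"
}

#######################################
# Ask a yes/no question until the answer is exactly 'y' or 'n'.
# Arguments: $1 - name of the variable that receives the answer
# Outputs:   the "[y/n]: " prompt and a retry hint on bad input
#######################################
ask_yn() {
  local __var=$1 reply
  read -r -p "[y/n]: " reply
  # The original pattern ^[y,n]$ also accepted a bare ','.
  while [[ ! $reply =~ ^[yn]$ ]]; do
    echo "input error! Please only input 'y' or 'n'"
    echo
    read -r -p "[y/n]: " reply
  done
  printf -v "$__var" '%s' "$reply"
}

#######################################
# Ask for the path of an existing regular file until one is given.
# Arguments: $1 - name of the variable that receives the path
#            $2 - prompt for the first read
#            $3 - message shown before each retry
#            $4 - log-line prefix written on each retry
#            $5 - log-line suffix written on each retry
#######################################
read_file_path() {
  local __var=$1 prompt=$2 retry_msg=$3 log_prefix=$4 log_suffix=$5 path
  read -r -p "$prompt" path
  while [[ -z "$path" || ! -f "$path" ]]; do
    myi18n "$retry_msg"
    shell_log "${log_prefix}${path}${log_suffix}"
    echo
    read -r -p ": " path
  done
  printf -v "$__var" '%s' "$path"
}

#######################################
# Copy ${confpath}/conf/* into ${homeconfpath}, move the original conf/
# aside and replace it with a symlink to ${homeconfpath}.
# Globals:   confpath, homeconfpath, wdcp (read)
# Returns:   1 when ${confpath} cannot be entered
#######################################
move_conf_to_home() {
  local conf_bak=conf-bak
  mkdir -p -- "$homeconfpath"
  cp -rf -- "${confpath}/conf/"* "$homeconfpath"
  cd -- "$confpath" || return 1
  # A conf-bak left by an earlier run would otherwise swallow conf as a
  # subdirectory instead of being replaced.
  if [ -e "$conf_bak" ]; then
    conf_bak="conf-bak.$(date +%Y%m%d%H%M%S)"
  fi
  mv -- conf "$conf_bak"
  ln -sf -- "$homeconfpath" conf
  if [ "$wdcp" == 'y' ]; then
    chown -R wdcpu:wdcpg -- "$homeconfpath"
  fi
}

#######################################
# Re-link the wdcp nginx conf directory after an upgrade (the upgrade is
# presumed to leave a plain conf/ behind — not verifiable from here).
# Globals:   homeconfpath (read), confpath (written)
#######################################
homemove() {
  confpath=/www/wdlinux/nginx
  if [ "${homeconfpath}" == "/www/wdlinux/nginx/conf" ]; then
    echo "$homeconfpath"
    myi18n "不需要移动配置文件"
  else
    move_conf_to_home
  fi
}

#######################################
# Best-effort check that the certificate parses and its public key matches
# the private key, so nginx is not restarted onto an unusable pair.
# Skipped (returns 0) when openssl is not installed.
# Arguments: $1 - certificate path, $2 - private key path
# Returns:   1 when either file fails to parse or the keys do not match
#######################################
verify_cert_key() {
  local crt=$1 key=$2 crt_pub key_pub
  command -v openssl >/dev/null 2>&1 || return 0
  crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
  [ "$crt_pub" == "$key_pub" ]
}

shell_log "信息:脚本开始运行"
if [ -f "$LOCK_FILE" ]; then
  shell_log "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -rf /tmp/nginx-ssl.sh.lock 命令清理锁文件"
  myi18n "${SHELL_NAME} 脚本正在运行中,若不是请使用 rm -rf /tmp/nginx-ssl.sh.lock 命令清理锁文件"
  exit 1
fi
shell_lock
# Installed only after the lock is ours, so a second instance that bails
# out above never deletes the first instance's lock. Fires on end, on
# plain exit and on Ctrl-C, which used to leave a stale lock behind.
trap shell_unlock EXIT

homeconfpath=/home/nginx-ssl/conf
if [ ! -d "$homeconfpath" ]; then
  myi18n "请输入nginx安装路径,比如:/usr/local/nginx"
  myi18n "如果使用wdcp环境,请直接回车"
  read -r -p ": " confpath
  if [ -z "$confpath" ]; then
    confpath=/www/wdlinux/nginx
  fi
  confpath1=${confpath}/conf
  while [ ! -d "$confpath1" ]; do
    myi18n "您输入路径${confpath1}不存在,请重新输入"
    shell_log "错误:您输入路径${confpath1}不存在,请重新输入"
    read -r -p ": " confpath
    if [ -z "$confpath" ]; then
      confpath=/www/wdlinux/nginx
    fi
    confpath1=${confpath}/conf
  done
  # Same test the original did via find -maxdepth 1 -name nginx.conf.
  while [ ! -f "${confpath1}/nginx.conf" ]; do
    myi18n "nginx安装路径不对,请重新输入"
    shell_log "错误:${confpath1} 路径下没有找到nginx.conf,请检查"
    echo
    read -r -p ": " confpath
    if [ -z "$confpath" ]; then
      confpath=/www/wdlinux/nginx
      wdcp=y
    fi
    confpath1=${confpath}/conf
  done
  shell_log "信息:nginx配置文件路径 ${confpath1}"
  myi18n "是否一键移动nginx配置文件到/home/nginx目录下并创建好软连接"
  ask_yn conf_move
  if [ "$conf_move" == 'y' ]; then
    if [ ! -d "$homeconfpath" ]; then
      move_conf_to_home || end 1
    fi
  else
    homeconfpath=${confpath}/conf
  fi
else
  echo
  myi18n "自动搜索到:nginx配置文件路径为 ${homeconfpath}"
  shell_log "信息:自动搜索到:nginx配置文件路径为 ${homeconfpath}"
  echo
fi

if [ -d "/www/wdlinux/nginx" ]; then
  wdcp=y
  myi18n "使用wdcp环境,nginx版本为"
  /www/wdlinux/nginx/sbin/nginx -v 2>&1 | awk -F '/' '{print $2}'
  shell_log "信息:当前使用wdcp环境"
fi
shell_log "信息:nginx的vhost文件路径 ${homeconfpath}"

homesslpath=/home/ssl
if [ ! -d "$homesslpath" ]; then
  mkdir -p -- "$homesslpath"
fi
shell_log "信息:ssl证书存放路径 ${homesslpath}"

# All vhost lookups below are relative to this directory; without it the
# original silently grepped whatever the current directory was.
if ! pushd "${homeconfpath}/vhost/" >/dev/null; then
  myi18n "vhost目录 ${homeconfpath}/vhost/ 不存在,请检查"
  shell_log "错误:vhost目录 ${homeconfpath}/vhost/ 不存在"
  end 1
fi

myi18n "请输入需要安装证书站点绑定的域名,比如:www.test.com"
myi18n "如果二级域名有绑定到其他站点,请使用www.test.com,不要输入顶级域名"
read -r -p ": " domain
# The domain becomes part of file names under /home/ssl, of sed scripts
# and of a URL, so only hostname characters are accepted (no '/', '..',
# spaces or shell metacharacters).
while true; do
  if [ -z "$domain" ]; then
    myi18n "域名不能为空,请重新输入。"
  elif [[ ! $domain =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
    myi18n "域名格式不正确,请重新输入。"
  else
    break
  fi
  echo
  read -r -p ": " domain
done

# -F: the domain is a literal, not a regex ('.' must not match any char).
files=$(grep -l -F -- " ${domain}" *.conf 2>/dev/null | head -n 1)
files=${files%.conf}
if [ -z "$files" ]; then
  echo
  echo "${domain}"
  myi18n "关联站点,没有找到!"
  shell_log "警告:没有找到域名 ${domain} 对应配置文件"
  echo
  end 1
fi
files1=${homeconfpath}/vhost/${files}.conf
shell_log "信息:要部署域名 ${domain} 的配置文件是 ${files1}"
sslfile=${homeconfpath}/vhost/${files}_ssl.conf

if [ -f "$sslfile" ]; then
  crt=$(awk '$1 == "ssl_certificate" {print $2; exit}' "$sslfile" | tr -d ';')
  key=$(awk '$1 == "ssl_certificate_key" {print $2; exit}' "$sslfile" | tr -d ';')
  if [ -f "$crt" ] && [ -f "$key" ]; then
    echo
    echo "${domain}"
    myi18n "关联站点证书已安装!"
    shell_log "警告:域名 ${domain} 已成功部署"
    echo
    end 1
  fi
  echo
  echo "${domain}"
  myi18n "关联站点ssl配置文件已存在,是否需要删除?"
  ask_yn ssl_check
  if [ "$ssl_check" == 'y' ]; then
    rm -f -- "$sslfile"
  else
    echo
    echo "${domain}"
    myi18n "已存在ssl配置文件,请核实后重新运行程序。"
    shell_log "警告:要部署域名 ${domain} 已存在部署后配置文件 ${sslfile}"
    end 1
  fi
fi

if grep -q -E 'https://' "$files1"; then
  echo
  echo "${domain}"
  myi18n "对应配置文件存在301转向(return 301),是否需要删除?"
  ask_yn s_check
  if [ "$s_check" == 'y' ]; then
    sed -i '/^.*return.*301 https/d' "$files1"
  else
    echo
    echo "${domain}"
    myi18n "域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
    shell_log "警告:域名 ${domain} 对应配置文件${files}存在301转向,请先删除对应行"
    end 1
  fi
fi

crt1=${homesslpath}/${domain}.crt
key1=${homesslpath}/${domain}.key
if [ ! -f "$crt1" ]; then
  myi18n "我司申请在nginx上部署需要先合并,请输入y或者n?"
  ask_yn crt_yn
  if [ "$crt_yn" == 'y' ]; then
    myi18n "请输入cer证书路径,比如 /root/test.com.cer"
    myi18n "/root/test.com.cer"
    read_file_path crtpath1 "Please reinput crtpath1 : " \
      "需要合并证书1不能为空或路径错误,请重新输入。" \
      "警告:需要合并证书1 " " 为空或路径错误"
    # Everything before the first ".cer" (what awk -F '.cer' '{print $1}' gave).
    pathtemp=${crtpath1%%.cer*}
    crtpath2temp=${pathtemp}_ca.crt
    keypathtemp=${pathtemp}.key
    echo "$crtpath2temp"
    echo "$keypathtemp"
    if [ ! -f "$crtpath2temp" ]; then
      myi18n "/root/test.com_ca.crt"
      read_file_path crtpath2 "Please reinput crtpath2 : " \
        "需要合并证书2不能为空或路径错误,请重新输入。" \
        "警告:需要合并证书2 " " 为空或路径错误"
    else
      crtpath2=$crtpath2temp
      echo
      myi18n "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
      myi18n "系统会自动补全合并为~/${domain}.crt"
      shell_log "自动搜索到:域名 ${domain} 证书cacrt文件路径为 ${crtpath2temp}"
      echo
    fi
    shell_log "信息:域名 ${domain} 需要合并证书1 ${crtpath1}"
    shell_log "信息:域名 ${domain} 需要合并证书2 ${crtpath2}"
    # Overwrite rather than append: the original '>>' grew the bundle on
    # every run, leaving stale certificates in the chain nginx serves.
    cat -- "$crtpath1" "$crtpath2" > ~/"${domain}.crt"
    crtpath=~/${domain}.crt
  else
    myi18n "请输入需要安装证书路径:eg /root/test.com.crt"
    read_file_path crtpath "Please reinput crtpath : " \
      "crt证书路径不能为空或路径错误,请重新输入。" \
      "警告:crt证书路径 " " 为空或路径错误"
  fi
  cp -- "$crtpath" "$crt1"
else
  echo
  myi18n "自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
  shell_log "信息:自动搜索到:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
  echo
fi

if [ ! -f "$key1" ]; then
  if [ ! -f "$keypathtemp" ]; then
    myi18n "请输入需要安装证书路径:eg /root/test.com.key"
    read_file_path keypath "Please reinput keypath : " \
      "key证书路径不能为空或路径错误,请重新输入。" \
      "警告:key证书路径 " " 为空或路径错误"
  else
    keypath=$keypathtemp
    echo
    myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
    shell_log "自动搜索到:域名 ${domain} 证书key文件路径为 ${keypathtemp}"
    echo
  fi
  cp -- "$keypath" "$key1"
else
  echo
  myi18n "自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
  shell_log "信息:自动搜索到:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
  echo
fi
# cp without -p leaves the key with umask permissions (typically 0644);
# nginx's master process runs as root, so owner-only access is enough.
chmod 600 -- "$key1"
shell_log "信息:域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
shell_log "信息:域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"

if ! verify_cert_key "$crt1" "$key1"; then
  echo
  echo "${domain}"
  myi18n "证书与私钥不匹配或文件无法解析,请检查 ${crt1} 和 ${key1}"
  shell_log "错误:域名 ${domain} 证书与私钥不匹配或文件无法解析"
  end 1
fi

cp -- "$files1" "$sslfile"
shell_log "信息:域名 ${domain} 部署后 ssl配置文件为 ${sslfile}"
if [ "$wdcp" == 'y' ]; then
  chown -R wdcpu:wdcpg -- "${homeconfpath}/vhost"
  shell_log "信息:核实为wdcp环境,设置${homeconfpath} 所有者及所属组为wdcpu.wdcpg"
fi

# Switch only the port of listen directives to 443 ssl. The original
# 's/80/443 ssl/g' rewrote every "80" in the file (8080, 80m, paths...).
sed -i -E 's/^([[:space:]]*listen[[:space:]]+([^;]*[^0-9;])?)80([^0-9;]*;)/\1443 ssl\3/' "$sslfile"

# Insert the TLS directives once, after the first 443 listen line (falling
# back to the first "root" line, the original anchor, when no listen line
# was rewritten). The original appended after every line containing "root".
# TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.3 is not listed because
# nginx builds older than 1.13 reject the token.
ssl_block="    ssl_certificate ${crt1};\n    ssl_certificate_key ${key1};\n    ssl_protocols TLSv1.2;\n    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;\n    ssl_prefer_server_ciphers on;"
if grep -q '443 ssl' "$sslfile"; then
  anchor='443 ssl'
else
  anchor='root'
fi
sed -i "0,/${anchor}/s|\(.*${anchor}.*\)|\1\n${ssl_block}|" "$sslfile"

myi18n "是否需要一键设置301转向,请输入y或者n?"
ask_yn zx_yn
if [ "$zx_yn" == 'y' ]; then
  myi18n "请输入跳转后地址比如:"
  read -r -p "${domain}: " server_name1
  if [ -z "$server_name1" ]; then
    server_name1='$server_name'
  fi
  request_uri1='$request_uri'
  sed -i "/server_name/a\ return 301 https://${server_name1}${request_uri1};" "$files1"
  shell_log "信息:域名 ${domain} 已设置301跳转到https://${server_name1}${request_uri1} ${files1}"
fi

# Validate the configuration before restarting so a bad edit does not take
# the whole server down. Best effort: skipped when no nginx binary is found.
nginx_bin=''
if [ -x /www/wdlinux/nginx/sbin/nginx ]; then
  nginx_bin=/www/wdlinux/nginx/sbin/nginx
elif [ -n "$confpath" ] && [ -x "${confpath}/sbin/nginx" ]; then
  nginx_bin=${confpath}/sbin/nginx
else
  nginx_bin=$(command -v nginx 2>/dev/null)
fi
if [ -n "$nginx_bin" ] && ! "$nginx_bin" -t; then
  myi18n "nginx配置检查失败,未重启nginx,请检查 ${sslfile}"
  shell_log "错误:nginx -t 失败,未重启nginx,请检查 ${sslfile}"
  end 1
fi
# nginxd is the wdcp service name; elsewhere fall back to a plain reload.
if ! service nginxd restart; then
  if [ -n "$nginx_bin" ]; then
    "$nginx_bin" -s reload
  fi
fi

if iptables -L -n | grep -qw dpt:80; then
  if iptables -L -n | grep -qw dpt:443; then
    myi18n "核实已放行443端口"
  else
    echo
    myi18n "正在放行443端口"
    echo
    if [ -f /etc/sysconfig/iptables ]; then
      sed -i '/dport 80 -j ACCEPT/a\-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' /etc/sysconfig/iptables
      service iptables restart
    else
      myi18n "未找到 /etc/sysconfig/iptables,请手动放行443端口"
      shell_log "警告:未找到 /etc/sysconfig/iptables,未放行443端口"
    fi
  fi
else
  myi18n "iptables服务似乎没有运行"
fi

curl -I --max-time 15 "https://${domain}"
echo
echo "${domain}"
myi18n "关联站点证书已安装完成!"
myi18n "证书文件存放/home/ssl,以域名方式命名。"
echo
myi18n "域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
myi18n "域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
echo
# Copy the directory contents so a second run does not nest a vhost/
# subdirectory inside the existing backup.
mkdir -p /home/nginx-vhost-bak
cp -rf -- "${homeconfpath}/vhost/." /home/nginx-vhost-bak/
myi18n "同时已备份当前nginx配置文件到/home/nginx-vhost-bak"
if [ "$wdcp" == 'y' ]; then
  myi18n "如果使用wdcp环境,请不要登录wdcp切换web引擎,否则配置文件将被覆盖!"
fi
shell_log "信息:${domain} 关联站点证书已安装完成"

pushd /root/ >/dev/null || end 1
if [ "$wdcp" == 'y' ] && [ ! -d /www/wdlinux/nginx-1.10.2 ]; then
  myi18n "核实nginx和openssl版本较低,若要通过苹果ats认证,请升级"
  ask_yn update
  if [ "$update" == 'y' ]; then
    # The upgrade script is fetched over plain HTTP with no signature or
    # checksum and then executed as root, so anyone on the network path can
    # substitute it. Until the vendor publishes a checksum to pin
    # (TODO: sha256sum -c against <published-checksum>), at least run only
    # a freshly downloaded copy: a bare 'wget' would save to nginx_up.sh.1
    # when the file already exists and 'sh nginx_up.sh' would run the old one.
    if wget -O nginx_up.sh http://downinfo.myhostadmin.net/wdcp/nginx_up.sh; then
      sh nginx_up.sh
      homemove
      shell_log "信息:核实为wdcp环境,已选择升级nginx和OpenSSL"
    else
      myi18n "下载 nginx_up.sh 失败,未执行升级"
      shell_log "错误:下载 nginx_up.sh 失败,未执行升级"
    fi
  fi
fi
shell_log "信息:脚本正常退出"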