#! /bin/bash
. /usr/src/k_framework/main.sh
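SCRIPT_NAME="SSL install"
VERSION="1.1.2"
k_start

# Work out the address that is later written into the certificate subject
# (CN=...) and into Apache's ServerName directive.
#
# The first source is a plain-HTTP request to a third-party service, so the
# reply is untrusted text: it can be an error page, a captive-portal body or
# anything an on-path host chooses to send. Because the value is interpolated
# into an openssl -subj string and into an Apache config file, it is accepted
# only if it consists solely of characters that can appear in an IPv4/IPv6
# literal. Anything else (including an empty reply) falls through to the
# local lookup.
#   -f   : an HTTP error status yields no output instead of the error body
#   -sS  : no progress meter, but real errors are still printed
external_ip=$(timeout 10 curl -fsS ifconfig.me)
if [[ ! "$external_ip" =~ ^[0-9A-Fa-f:.]+$ ]]; then
  # Fallback: the source address the kernel would pick for an outbound route.
  # The token after "src" is used rather than the last field of the line,
  # because newer iproute2 releases append "uid <n>" after the address.
  external_ip=$(ip route get 1 \
    | awk '{for (i = 1; i < NF; i++) if ($i == "src") {print $(i + 1); exit}}')
fi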
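#######################################
# Install mod_ssl/openssl and create a self-signed certificate for Apache.
# Globals:   external_ip (read) - placed in the certificate CN
# Arguments: none
# Outputs:   /etc/httpd/ssl/apache.key and /etc/httpd/ssl/apache.crt
# Returns:   exit status of the openssl invocation
#######################################
function install_ssl() {
  local rc=0

  yum -y install mod_ssl openssl
  mkdir -p /etc/httpd/ssl

  # -nodes writes the private key unencrypted, so the file mode is the only
  # thing protecting it. Generate it under a restrictive umask so it is never
  # created group/world-readable, not even briefly.
  # NOTE(review): the subject carries only a CN and no subjectAltName is
  # requested; confirm the clients that must trust this certificate accept that.
  (
    umask 077
    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
      -subj "/C=LT/ST=Vilnius/CN=$external_ip" \
      -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
  ) || rc=$?

  # A key file left over from an earlier run keeps its old mode when it is
  # overwritten, so tighten it explicitly as well.
  if [[ -f /etc/httpd/ssl/apache.key ]]; then
    chmod 600 /etc/httpd/ssl/apache.key
  fi
  # The certificate is public material; keep it readable as before.
  if [[ -f /etc/httpd/ssl/apache.crt ]]; then
    chmod 644 /etc/httpd/ssl/apache.crt
  fi

  return "$rc"
}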
#######################################
# Back up Apache's ssl.conf, warn if it is not the stock file, then point it
# at the generated certificate/key and set protocol and cipher directives.
# Globals:   none
# Arguments: none
# Outputs:   timestamped copy of ssl.conf next to the original; ssl.conf is
#            edited in place; a message via report when the file looks
#            customised
# Returns:   exit status of the last sed edit
#######################################
function configure_ssl() {
  local ssl_conf_file=/etc/httpd/conf.d/ssl.conf
  local backup_stamp
  backup_stamp=$(date +"%Y%m%d_%H%M%S")
  local ssl_conf_backup="${ssl_conf_file}_${backup_stamp}"
  local sed_expr

  # In-place edits, applied one sed run each, in this order.
  # NOTE(review): the SSLProtocol line turns off SSLv2, SSLv3 and TLSv1 only;
  # TLSv1.1 is not excluded here - confirm that is intended.
  # The SSLProtocol and SSLCipherSuite patterns are unanchored, so they also
  # rewrite commented-out occurrences of those directives.
  local -a sed_edits=(
    's#^SSLCertificateFile.*#SSLCertificateFile /etc/httpd/ssl/apache.crt#'
    's#^SSLCertificateKeyFile.*#SSLCertificateKeyFile /etc/httpd/ssl/apache.key#'
    's/SSLProtocol.*/SSLProtocol all -SSLv2 -SSLv3 -TLSv1/'
    's/SSLCipherSuite.*/SSLCipherSuite HIGH:!aNULL:!MD5:!3DES/'
    's/#SSLHonorCipherOrder .*/SSLHonorCipherOrder on/'
  )

  # The copy does not end in ".conf"; the name is the original plus a suffix.
  cp -f "$ssl_conf_file" "$ssl_conf_backup"

  # The stock key path is used as the marker for an untouched ssl.conf.
  grep -Fq 'SSLCertificateKeyFile /etc/pki/tls/private/localhost.key' "$ssl_conf_file" \
    || report "$ssl_conf_file is not default. You can find backup here --> $ssl_conf_backup" 2

  for sed_expr in "${sed_edits[@]}"; do
    sed -i "$sed_expr" "$ssl_conf_file"
  done
}
#######################################
# Write the GUI settings for the SSL virtual host and make ssl.conf include
# them.
# Globals:   external_ip (read) - written into ServerName and the commented
#            redirect line
# Arguments: none
# Outputs:   /etc/httpd/conf.d/gui_ssl.conf (overwritten on every run);
#            ssl.conf gains an Include line if it has none yet
# Returns:   0 when the Include is already present, otherwise the exit status
#            of the sed insert
#######################################
function configure_gui_for_ssl() {
  local gui_conf_path=/etc/httpd/conf.d/gui_ssl.conf
  local ssl_conf_path=/etc/httpd/conf.d/ssl.conf

  # The heredoc delimiter is unquoted, so $external_ip is expanded when the
  # file is written and lands verbatim in the Apache configuration.
  # NOTE(review): "Allow from all" admits every client and is normally a
  # per-directory directive; no enclosing container is visible in this
  # heredoc - confirm against the deployed file.
  cat > "$gui_conf_path" << EOF
DocumentRoot /var/www/html
Allow from all
RailsBaseURI /billing
Options -MultiViews
ServerName $external_ip
# RedirectMatch permanent ^/$ https://$external_ip/billing/callc/login
EOF

  # Insert the Include before each closing </VirtualHost> tag, but only when
  # ssl.conf does not mention gui_ssl.conf yet, so reruns add no duplicates.
  grep -Fq 'gui_ssl.conf' "$ssl_conf_path" \
    || sed -i '/<\/VirtualHost>/i\Include conf.d\/gui_ssl.conf' "$ssl_conf_path"
}
# Run the three setup stages in their fixed order: packages and certificate,
# then ssl.conf edits, then the GUI include. A failing stage does not stop the
# following ones.
for ssl_setup_step in install_ssl configure_ssl configure_gui_for_ssl; do
  "$ssl_setup_step"
done

# EXIT_CODE is not assigned anywhere in this script; presumably the sourced
# framework maintains it - verify in main.sh.
k_exit $EXIT_CODE