├── README.md
├── http_website_easy_install.bash
├── https_website_easy_install.bash
└── screenshot
    └── 20170613.gif


/README.md:
--------------------------------------------------------------------------------
  1 | # https_website_easy_install
  2 | one command to generate https website on Nginx.All you need to do is input your domain names and set your web directory according the terminal prompt.
  3 | 
  4 | ### Prerequisites
  5 | 
  6 | - **Port 80 and port 443 have been allowed in your server's firewall rule.**
  7 | 
  8 | ### Usage
  9 | 
 10 | - Step 1: install Nginx on Linux
 11 | 
 12 |   - Ubuntu/Debian
 13 | 
 14 |     ```shell
 15 |     sudo apt-get update && sudo apt-get -y install nginx
 16 |     ```
 17 | 
 18 |   - Centos/Redhat
 19 | 
 20 |     ```shell
 21 |     sudo yum -y update && sudo yum -y install nginx
 22 |     ```
 23 | 
 24 | - Step 2: download this script
 25 | 
 26 |   ```shell
 27 |   wget https://git.io/vHQLm -O https_website_easy_install.bash
 28 |   ```
 29 | 
 30 | - Step 3: generate https website on your linux server
 31 | 
 32 |   ```shell
 33 |   sudo bash https_website_easy_install.bash
 34 |   ```
 35 | 
 36 | 
 37 | ### Notes
 38 | 
 39 | - This script will set a cron task to update the certificate on the 01:01 am of the random day of every month,so you do not have to worry about the free certificate would be expired.
 40 | 
 41 | - If you just want to generate a http website,you can download the `http_website_easy_install.bash` instead.
 42 | 
 43 |   ```shell
 44 |   wget https://git.io/vQfud -O http_website_easy_install.bash
 45 |   ```
 46 | 
 47 | - Some cloud platform's loading balance service has a key length limit,e.g. Google Cloud loading balance only support RSA-2048.So if you want to deploy the ssl certificate on the loading balance.You can modify the key length before running this script.
 48 | 
 49 |   ```shell
 50 |   sed -i 's/4096/2048/g' https_website_easy_install.bash
 51 |   ```
 52 | 
 53 | - If you want to use chinese domain,you need to [convert chinese domain to punycode](http://www.jb51.net/article/101397.htm),then when you are asking to input the domain name by this script, just input the punycode.e.g.[https://王祥.我爱你](https://xn--qbyu8j.xn--6qq986b3xl),the punycode is `xn--qbyu8j.xn--6qq986b3xl`
 54 | 
 55 | 
 56 | 
 57 | ### Issues
 58 | 
 59 | - #### SELinux cause the Nginx 403 error
 60 | 
 61 |   The SELinux mode may be opened in centos/redhat 6.6 and later,you will fail in the first step to establish a http website.You can check whether the SELinux is enabled in your server through execute `sestatus -v` command.this error can be solved by closing the SELinux simply,you can close the SELinux and restart your server
 62 | 
 63 |   ```shell
 64 |   sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
 65 |   sudo init 6
 66 |   ```
 67 | 
 68 |   or you can solve this problem through these solutions
 69 | 
 70 |   https://stackoverflow.com/a/26228135
 71 | 
 72 |   https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/#gs.iz_rbNA
 73 | 
 74 | - #### CentOS/RedHat No package nginx available
 75 | 
 76 |   you should enable the **EPEL**(*Extra Packages for Enterprise Linux*) repository or install nginx by other ways.
 77 | 
 78 |   [How to enable EPEL repository](https://www.liquidweb.com/kb/enable-epel-repository/)
 79 | 
 80 |   [Amazon EC2 enable EPEL](https://aws.amazon.com/cn/premiumsupport/knowledge-center/ec2-enable-epel/)
 81 | 
 82 | - #### Firewalls Issues
 83 | 
 84 |   - Vultr CentOS7 firewalls
 85 | 
 86 |     https://www.vultr.com/docs/using-firewalld-to-manage-your-firewall-on-centos-7
 87 | 
 88 |     ```
 89 |     firewall-cmd --zone=public --add-port=80/tcp --permanent
 90 |     firewall-cmd --zone=public --add-port=443/tcp --permanent
 91 |     systemctl restart  firewalld
 92 |     ```
 93 | 
 94 |   - AWS EC2 Security Groups
 95 | 
 96 |     http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
 97 | 
 98 |   - Google Cloud Firewall rules
 99 | 
100 |     https://cloud.google.com/compute/docs/vpc/using-firewalls
101 | 
102 |   - Aliyun Security Groups
103 | 
104 |     https://help.aliyun.com/document_detail/25471.html?spm=5176.100241.0.0.SK8N6Y
105 | 
106 | 
107 | ### Screenshot
108 | 
109 | ![screenshot](screenshot/20170613.gif)
110 | 
111 | 
112 | 
113 | ###  Inspired
114 | 
115 | [Let's Encrypt](https://letsencrypt.org)
116 | 
117 | [diafygi/acme-tiny](https://github.com/diafygi/acme-tiny)
118 | 
119 | 
120 | 


--------------------------------------------------------------------------------
/http_website_easy_install.bash:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | check_ip() {
 3 |     IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
 4 |     printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
 5 | }
 6 | PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
 7 | check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
 8 | check_ip "$PUBLIC_IP" || exiterr "Cannot find your server ip address"
 9 | 
10 | echo "your server ip is:${PUBLIC_IP}"
11 | echo "please input your website domain name which has been resolved to $PUBLIC_IP"
12 | echo "if you want to bind mutiple domain names,you can split them using space"
13 | echo "if you want to allow any domain name to visit your website,you can leave this input empty(just carrige return)"
14 | read -p "> " web_domains
15 | # TODO check the domain resolve dig +short domain
16 | web_first_domain=$(echo $web_domains|tr -s [:blank:]|cut -d ' ' -f 1)
17 | nginx_web_config_file=$web_first_domain".conf"
18 | nginx_web_config_domain=$web_domains
19 | web_names=$web_domains
20 | if [[ -z $(echo $web_domains|sed 's/ //g') ]]; then
21 |     nginx_web_config_domain=~^.*\$ 
22 |     web_names="  any domain which has been resolved to this server"
23 |     nginx_web_config_file="free_domain_web.conf"
24 | fi
25 | echo "please input your website absolute path"
26 | echo "if your input is not absolute path,the current directory will be preappend"
27 | read -p "> " web_dir
28 | if [[ ! "$web_dir" == /* ]]; then
29 | 	web_dir=$(pwd)"/"$web_dir
30 | fi
31 | echo "your web directory will be "$web_dir
32 | mkdir -p ${web_dir}
33 | cur_chmod_dir=$web_dir
34 | while [[ $cur_chmod_dir != / ]]; do
35 |     chmod o+x "$cur_chmod_dir"
36 |     cur_chmod_dir=$(dirname "$cur_chmod_dir")
37 | done
38 | echo "please input the nginx config dir"
39 | echo "you can carrige return if it's default /etc/nginx"
40 | read -p "> " nginx_config_dir
41 | if [[ -z "$nginx_config_dir" ]]; then
42 |     nginx_config_dir=/etc/nginx
43 | fi
44 | echo -e "\n"
45 | cat << EOF
46 | your configuration are as follows
47 | 
48 | web directory: $web_dir
49 | web domain: $web_names
50 | nginx config dir: $nginx_config_dir
51 | 
52 | please input the number to confirm these information
53 | 1):confirm
54 | 2):not correct,I want to quit
55 | EOF
56 | read -p "> " confirm
57 | if [[  $confirm -eq 2 ]]; then
58 |     exit 0
59 | fi
60 | cat > $nginx_config_dir"/conf.d/"$nginx_web_config_file <<EOF
61 | server {
62 |     listen 80;
63 |     server_name $nginx_web_config_domain;
64 |     index index.html index.htm;
65 |     location / {
66 | 	root $web_dir;
67 |     }
68 | }
69 | EOF
70 | if [[ ! -f $web_dir/index.html ]]; then
71 | cat > $web_dir/index.html << EOF
72 | generate http website succssfully<br/>
73 | this is the index.html of $web_names <br/>
74 | EOF
75 | fi
76 | # current_user=$USER
77 | # current_user=$(id -un) not work for sudo
78 | current_user=$(who am i|awk '{print $1}')
79 | current_user_group=$(id -gn $current_user)
80 | chown -R $current_user:$current_user_group $web_dir
81 | chown $current_user:$current_user_group $nginx_config_dir"/conf.d/"$nginx_web_config_file
82 | chmod -R 755 $web_dir
83 | service nginx restart
84 | echo -e "\n\n"
85 | cat << EOF
86 | generate http website succssfully
87 | your website directory is $web_dir
88 | your nginx config file is $nginx_config_dir/conf.d/$nginx_web_config_file
89 | you can visit your website through $web_names
90 | EOF
91 | 


--------------------------------------------------------------------------------
/https_website_easy_install.bash:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | python_command=''
  3 | if command -v python > /dev/null 2>&1; then
  4 |     echo 'python environment check succ..'
  5 |     python_command=python
  6 | else
  7 |     if command -v python3 > /dev/null 2>&1; then
  8 |         echo 'your python command is python3'
  9 |         python_command=python3
 10 |     else
 11 |         echo 'your server has no python environment,now install python for you'
 12 |         apt-get -y install python || yum -y install python
 13 |         echo 'python install succ..'
 14 |         python_command=python
 15 |     fi
 16 | fi 
 17 | if command -v openssl > /dev/null 2>&1; then
 18 |     echo 'openssl check succ..'
 19 | else
 20 |     echo 'no openssl,now install for you'
 21 |     apt-get -y install openssl || yum -y install openssl
 22 | fi 
 23 | exiterr()  {
 24 |     echo "Error: $1" >&2;
 25 |     exit 1; 
 26 | }
 27 | check_ip() {
 28 |     IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
 29 |     printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
 30 | }
 31 | PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
 32 | check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
 33 | check_ip "$PUBLIC_IP" || exiterr "Cannot find your server ip address"
 34 | 
 35 | echo "your server ip is:${PUBLIC_IP}"
 36 | echo "please input your website domain name which has been resolved to $PUBLIC_IP"
 37 | echo "if you want to bind mutiple domain names,you can split them using space"
 38 | read -p "> " web_domains
 39 | # TODO check the domain resolve dig +short domain
 40 | domain_length=0
 41 | sign_domain_str=''
 42 | web_first_domain=$(echo $web_domains|tr -s [:blank:]|cut -d ' ' -f 1)
 43 | nginx_web_config_file=$web_first_domain".conf"
 44 | for web_domain in ${web_domains[@]}
 45 | do
 46 |     sign_domain_str=$sign_domain_str"DNS:"$web_domain","
 47 |     domain_length=$(($domain_length+1))
 48 | done
 49 | sign_domain_str=${sign_domain_str:0:${#sign_domain_str}-1}
 50 | echo "please input your website absolute path"
 51 | echo "if your input is not absolute path,the current directory will be preappend"
 52 | read -p "> " web_dir
 53 | if [[ ! "$web_dir" == /* ]]; then
 54 | 	web_dir=$(pwd)"/"$web_dir
 55 | fi
 56 | echo "your web directory will be "$web_dir
 57 | echo "please input the nginx config dir"
 58 | echo "you can carrige return if it's default /etc/nginx"
 59 | read -p "> " nginx_config_dir
 60 | if [[ -z "$nginx_config_dir" ]]; then
 61 |     nginx_config_dir=/etc/nginx
 62 | fi
 63 | echo -e "\n"
 64 | cat << EOF
 65 | your configuration are as follows
 66 | 
 67 | web directory: $web_dir
 68 | web domain: $web_domains
 69 | nginx config dir: $nginx_config_dir
 70 | 
 71 | please input the number to confirm these information
 72 | 1):confirm
 73 | 2):not correct,I want to quit
 74 | EOF
 75 | read -p "> " confirm
 76 | if [[  $confirm -eq 2 ]]; then
 77 |     exit 0
 78 | fi
 79 | mkdir -p ${web_dir}"/certificate/challenges"
 80 | cur_chmod_dir=$web_dir
 81 | while [[ $cur_chmod_dir != / ]]; do
 82 |     chmod o+x "$cur_chmod_dir"
 83 |     cur_chmod_dir=$(dirname "$cur_chmod_dir")
 84 | done
 85 | cd $web_dir"/certificate"
 86 | # Create a Let's Encrypt account private key
 87 | openssl genrsa 4096 > account.key
 88 | # generate a domain private key
 89 | openssl genrsa 4096 > domain.key
 90 | if [[ $domain_length -gt 1 ]]; then
 91 |     openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=$sign_domain_str")) > domain.csr || openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=$sign_domain_str")) > domain.csr
 92 | else
 93 |     openssl req -new -sha256 -key domain.key -subj "/CN=$web_domains" > domain.csr
 94 | fi
 95 | cat > $nginx_config_dir"/conf.d/"$nginx_web_config_file <<EOF
 96 | server {
 97 |     listen 80;
 98 |     server_name $web_domains;
 99 |     location /.well-known/acme-challenge/ {
100 |         alias $web_dir/certificate/challenges/;
101 |         try_files \$uri =404;
102 |     }
103 | }
104 | EOF
105 | service  nginx restart
106 | wget --no-check-certificate https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
107 | $python_command acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir $web_dir/certificate/challenges > ./signed.crt || exiterr "create the http website failed,please view the issue of github doc"
108 | #NOTE: For nginx, you need to append the Let's Encrypt intermediate cert to your cert
109 | wget --no-check-certificate  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O intermediate.pem
110 | cat signed.crt intermediate.pem > chained.pem
111 | cat > $nginx_config_dir"/conf.d/"$nginx_web_config_file <<EOF
112 | server {
113 |     listen 80;
114 |     server_name $web_domains;
115 |     rewrite ^(.*) https://\$host\$1 permanent;
116 | }
117 | server {
118 |     listen 443 ssl;
119 |     server_name $web_domains;
120 |     root $web_dir;
121 |     index index.html index.htm index.php;
122 |     ssl_certificate $web_dir/certificate/chained.pem;
123 |     ssl_certificate_key $web_dir/certificate/domain.key;
124 |     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
125 |     ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
126 |     ssl_session_cache shared:SSL:50m;
127 |     ssl_prefer_server_ciphers on;
128 | 
129 |     location /.well-known/acme-challenge/ {
130 |             alias $web_dir/certificate/challenges/;
131 |             try_files \$uri =404;
132 |     }
133 |     location /download {
134 |             autoindex on;
135 |             autoindex_exact_size off;
136 |             autoindex_localtime on;
137 |     }
138 | }
139 | EOF
140 | if [[ ! -f $web_dir/index.html ]]; then
141 | cat > $web_dir/index.html << EOF
142 | generate https website succssfully<br/>
143 | this is the index.html of $web_first_domain <br/>
144 | yout can visit this page from $web_domains
145 | EOF
146 | fi
147 | # current_user=$USER
148 | # current_user=$(id -un) not work for sudo
149 | current_user=$(who am i|awk '{print $1}')
150 | current_user_group=$(id -gn $current_user)
151 | chown -R $current_user:$current_user_group $web_dir
152 | chown $current_user:$current_user_group $nginx_config_dir"/conf.d/"$nginx_web_config_file
153 | chmod -R 755 $web_dir
154 | service nginx restart
155 | echo -e "\n\n"
156 | cat << EOF
157 | generate https website succssfully
158 | your website directory is $web_dir
159 | your nginx config file is $nginx_config_dir/conf.d/$nginx_web_config_file
160 | you can visit your website through these domains
161 | EOF
162 | for web_domain in ${web_domains[@]}
163 | do
164 |     echo https://$web_domain
165 | done
166 | cat > $web_dir/certificate/renew_cert.bash <<EOF
167 | cd $web_dir/certificate
168 | wget --no-check-certificate https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O acme_tiny.py
169 | $python_command ./acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir $web_dir/certificate/challenges/ > /tmp/signed.crt || exit
170 | wget --no-check-certificate -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
171 | cat /tmp/signed.crt intermediate.pem > $web_dir/certificate/chained.pem
172 | service nginx reload
173 | EOF
174 | if command -v crontab > /dev/null 2>&1; then
175 |     echo 'crontab check succ..'
176 | else
177 |     echo 'no crontab program,now install for you'
178 |     apt-get -y install cron || yum -y install cron
179 | fi 
180 | # (crontab -u $current_user -l ; echo "1 1 1 * * bash $web_dir/certificate/renew_cert.bash >> /var/log/renew_cert_error.log 2 >> /var/log/renew_cert.log") | crontab -u $current_user -
181 | random_day=$((RANDOM % (28 - 1) + 1))
182 | echo "1 1 "$random_day" * * root bash $web_dir/certificate/renew_cert.bash >> /var/log/renew_cert_error.log 2 >> /var/log/renew_cert.log" >> /etc/crontab
183 | # nginx reload need root privilege,so the renew task need to be added in root's crontab
184 | #(crontab -l; echo "1 1 1 * * bash $web_dir/certificate/renew_cert.bash > /var/log/renew_cert_stdout.log 2 > /var/log/renew_cert_stderr.log") | crontab -
185 | echo "create renewal certificate task succ!"
186 | 


--------------------------------------------------------------------------------
/screenshot/20170613.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elsonwx/https_website_easy_install/3598a2dc591a98f71fce497a36a6d24d418fcb68/screenshot/20170613.gif


--------------------------------------------------------------------------------