A bash tool script to allow for DHEC on Nginx. It generates a key and adds the path to the Nginx SSL conf file.
It has an additional mode for a stricter SSL cipher suite that limits the protocol to TLSv1.2. A 4096-bit key can also be generated. JKO
This commit is contained in:
parent
dd91553689
commit
5caa176291
|
@ -0,0 +1,110 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Author by JKO Email: jonathan@kosar.email
|
||||
# This script tool enables DHEC for SSL on Nginx.
|
||||
# A user can also add a more hardened SSL cipher suite.
|
||||
# Otherwise a default 2048 EC key is generated and added to nginx-ssl.conf.
|
||||
# No suite or protocols are changed. Only in hardened mode they are changed.
|
||||
# But only clients that support the suites will be able to connect, please remember that.
|
||||
# http://www.roushtech.net/2014/04/01/100-qualys-ssl-test-a/
|
||||
# See usage command for more.
|
||||
# Sidenote: -h -b 2048 will produce a hardened settings with 2048 bit key.
|
||||
|
||||
source /etc/mailinabox.conf # load global vars
|
||||
source setup/functions.sh #functions
|
||||
|
||||
apt_install openssl
|
||||
|
||||
nginx_ssl_conf=/etc/nginx/nginx-ssl.conf
|
||||
DEFAULT_BIT_SIZE=2048
|
||||
isHardened="false"
|
||||
hardened_ciphers="'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH';"
|
||||
hardened_protocol="TLSv1.2;"
|
||||
|
||||
DHEC_path=$STORAGE_ROOT/ssl/dhparam.pem
|
||||
|
||||
# Functions
|
||||
update_config()
|
||||
{
|
||||
lineNUM=$(grep -n "$2" $1 | tail -n1 | sed 's/:.*//')
|
||||
[ "$lineNUM" ] || lineNUM="$"
|
||||
sed -i -r "$lineNUM s|#?(.*)|#\1\n$4\n$2 $3|" "$1"
|
||||
}
|
||||
|
||||
ok()
|
||||
{
|
||||
echo -e '\e[32m'$1'\e[m';
|
||||
}
|
||||
|
||||
|
||||
# Usage info
|
||||
usage()
|
||||
{
|
||||
cat << EOF
|
||||
Usage: ${0##*/} [-h] [-b BIT_SIZE] [-p DIR_DHEC_KEY] [-c DIR_NGINX_SSL]
|
||||
This script generates and enables DHEC for Nginx. Defaulted to 2048 key.
|
||||
Hardened mode will generate 4096 key and the following cipher suites:
|
||||
'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH'
|
||||
|
||||
-h Enable hardened ciphers and 4096 bit key.
|
||||
-b Specify the bit size to generate which will override any other default.
|
||||
-p Specify dir to generate the DHEC key.
|
||||
-c Specify dir nginx ssl conf is.
|
||||
EOF
|
||||
exit 1
|
||||
}
|
||||
|
||||
while getopts "hb:c:p:" opt ; do
|
||||
case "${opt}" in
|
||||
b)
|
||||
BIT_SIZE=${OPTARG}
|
||||
if [ -z "${OPTARG}" ]; then
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
h)
|
||||
isHardened=true
|
||||
BIT_SIZE=4096
|
||||
;;
|
||||
p)
|
||||
DHEC_path=${OPTARG}
|
||||
if [ -z "${OPTARG}" ]; then
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
c)
|
||||
nginx_ssl_conf=${OPTARG}
|
||||
if [ -z "${OPTARG}" ]; then
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift $((OPTIND-1))
|
||||
|
||||
if [ -z "${BIT_SIZE}" -a "true" == ${isHardened} ]; then
|
||||
BIT_SIZE=4096
|
||||
elif [ -z "${BIT_SIZE}" ]; then
|
||||
BIT_SIZE=$DEFAULT_BIT_SIZE
|
||||
fi
|
||||
|
||||
ok "❯❯❯ It might take a while, grab a coffee!"
|
||||
|
||||
if [ ! -f $DHEC_path ]; then
|
||||
# Generate a 4096 bit random parameter for DH elliptic curves.
|
||||
# Generated by OpenSSL with the following command:
|
||||
# openssl dhparam -outform pem -out dhparam.pem 2048
|
||||
# openssl dhparam -outform pem -out dhparam.pem 4096
|
||||
openssl dhparam -outform pem -out $DHEC_path $BIT_SIZE
|
||||
fi
|
||||
update_config $nginx_ssl_conf ssl_dhparam $DHEC_path';' "#Path to DHEC key"
|
||||
|
||||
if [ $isHardened == "true" ]; then
|
||||
update_config $nginx_ssl_conf ssl_ciphers $hardened_ciphers "#Hardened SSL Ciphers DHEC"
|
||||
update_config $nginx_ssl_conf ssl_protocols $hardened_protocol "#Hardened SSL Protocol"
|
||||
fi
|
||||
|
||||
service nginx reload
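Review bot: The `hardened_ciphers` string ends with `!kEDH`, which permanently removes every ephemeral-DH suite, so the `DH+AESGCM256` entry earlier in the same list is dead and the `ssl_dhparam` this script writes is never exercised in hardened mode — either drop `!kEDH` or document that `-h` yields ECDHE/RSA-only key exchange. `SH+AES256` in the same list is not an OpenSSL cipher alias (presumably `DH+AES256` was meant), and OpenSSL appears to skip unknown tokens silently, so this will not fail loudly. In `update_config`, when `grep` finds no existing directive the fallback `lineNUM="$"` makes the `sed` comment out whatever the last line of the config happens to be before appending, silently disabling an unrelated directive; in that case just append, e.g. `printf '%s\n%s %s\n' "$4" "$2" "$3" >> "$1"`. The `-p` value is also interpolated unquoted into the `sed` expression, so a path containing `|`, `&` or `\` corrupts the edit rather than being written as a path. Finally, check the exit status of `openssl dhparam` and run `nginx -t` before `service nginx reload`, so a bad cipher string or path is reported at the point it happens instead of being lost in the reload.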
|