
* Cambios en todos los VirtualHosts para ssl
* Añadido instalarLetsEncrypt()
* Añadido generarCertAutofirmado()
* Añadido generarDHParam()
* Cambios en instalarApache() para SSL
* Cambios en configurarApache() para SSL
* Cambios en instalarVirtualHost() para SSL
* Limpieza de código
* Cambios menores

Guzmán Castanedo Villalba 6 jaren geleden
bovenliggende
commit
8b0b9d566e

+ 35 - 0
etc/apache2/sites-available/mediawiki-ssl.conf

@@ -0,0 +1,35 @@
+<VirtualHost *:80>
+	ServerName localhost
+
+	<IfModule mod_rewrite.c>
+		RewriteEngine On
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+	</IfModule>
+
+</VirtualHost>
+
+<VirtualHost _default_:443>
+	ServerName localhost
+	DocumentRoot /var/www/mediawiki
+
+	SSLEngine on
+	SSLProtocol all -SSLv2
+	SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
+	SSLCertificateFile ssl/autofirmado.crt
+	SSLCertificateKeyFile ssl/autofirmado.key
+
+	<IfModule mod_headers.c>
+		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
+	</IfModule>
+
+	ErrorLog logs/error.log
+	LogFormat "%h %l %u %t \"%r\" %>s %b" common
+	CustomLog logs/access.log common
+
+	RewriteEngine On
+	RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
+	RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L]
+
+</VirtualHost>
+
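Review bot: `SSLProtocol all -SSLv2` on the 443 vhost still allows SSLv3, TLS 1.0 and TLS 1.1, and `SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA` explicitly re-adds 3DES, so the vhost this commit introduces negotiates protocols and ciphers any scanner will flag; the same two lines appear in moodle-ssl.conf and in the context of the phpinfo-ssl.conf hunk. Change them to `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` and `SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!SEED:!IDEA`. The port-80 rule `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}` carries no flags, so the redirect is only implicit; `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]` states the intent and makes it permanent. This file binds `_default_:443` while the sibling moodle-ssl.conf binds `*:443`, and mixing the two on the same port is worth making consistent before name-based selection between the vhosts is relied on.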

+ 31 - 0
etc/apache2/sites-available/moodle-ssl.conf

@@ -0,0 +1,31 @@
+<VirtualHost *:80>
+	ServerName localhost
+
+	<IfModule mod_rewrite.c>
+		RewriteEngine On
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+	</IfModule>
+
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName localhost
+	DocumentRoot /var/www/mediawiki
+	
+	SSLEngine on
+	SSLProtocol all -SSLv2
+	SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
+	SSLCertificateFile ssl/autofirmado.crt
+	SSLCertificateKeyFile ssl/autofirmado.key
+
+	<IfModule mod_headers.c>
+		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
+	</IfModule>
+
+	ErrorLog logs/error.log
+	LogFormat "%h %l %u %t \"%r\" %>s %b" common
+	CustomLog logs/access.log common
+
+</VirtualHost>
+
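Review bot: The 443 vhost in moodle-ssl.conf sets `DocumentRoot /var/www/mediawiki`, which looks copied from the MediaWiki template; unless instalarVirtualHost rewrites the DocumentRoot line (the hunk shown for it only rewrites the Log and SSL lines), a Moodle TLS vhost would serve the wiki tree. Change it to `DocumentRoot /var/www/moodle` so the template is correct on its own. The SSLProtocol and SSLCipherSuite weaknesses noted on mediawiki-ssl.conf apply here unchanged.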

+ 1 - 1
etc/apache2/sites-available/moodle.conf

@@ -1,4 +1,4 @@
-<VirtualHost _default_:80>
+<VirtualHost *:80>
 	ServerName localhost
 	DocumentRoot /var/www/mediawiki
 

+ 4 - 2
etc/apache2/sites-available/phpinfo-ssl.conf

@@ -18,10 +18,12 @@
 	SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
 	SSLCertificateFile ssl/autofirmado.crt
 	SSLCertificateKeyFile ssl/autofirmado.key
-	SSLOpenSSLConfCmd DHParameters "ssl/dhparam.pem"
 
-	Header always set Strict-Transport-Security "max-age=63072000; includeSibdomains;"
+	<IfModule mod_headers.c>
+		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
+	</IfModule>
 	
+	ErrorLog logs/error.log
 	LogFormat "%h %l %u %t \"%r\" %>s %b" common
 	CustomLog logs/access.log common
 

+ 3 - 7
etc/nginx/sites-available/mediawiki-ssl.conf

@@ -12,19 +12,15 @@ server {
 	#
 	listen 443 ssl;
 	listen [::]:443;
-    ssl_certificate /etc/letsencrypt/live/wiki.castanedo.es/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/wiki.castanedo.es/privkey.pem; # managed by Certbot
+    ssl_certificate /etc/nginx/ssl/localhost.crt;
+    ssl_certificate_key /etc/nginx/ssl/localhost.key;
 	#
 	# Note: You should disable gzip for SSL traffic.
 	# See: https://bugs.debian.org/773332
+	gzip off;
 	#
 	# Read up on ssl_ciphers to ensure a secure configuration.
 	# See: https://bugs.debian.org/765782
-	#
-	# Self signed certs generated by the ssl-cert package
-	# Don't use them in a production server!
-	#
-	# include snippets/snakeoil.conf;
 
 	root /var/www/wiki;
 
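Review bot: `listen [::]:443;` in the context at the top of the hunk carries no `ssl` parameter, so IPv4 connections on 443 get TLS while IPv6 connections on the same port are answered as plain HTTP and a client connecting over IPv6 never sees the certificate this hunk configures; the same line is in moodle-ssl.conf and in the new phpinfo-ssl.conf. Change it to `listen [::]:443 ssl;`. The hunk drops the snakeoil comment but keeps the "Read up on ssl_ciphers" note with no `ssl_protocols` or `ssl_ciphers` directive in view, so the nginx build defaults apply unless they are set elsewhere in the file. The enclosing `server` block starts before and ends after this hunk.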

+ 3 - 7
etc/nginx/sites-available/moodle-ssl.conf

@@ -12,19 +12,15 @@ server {
 	#
 	listen 443 ssl;
 	listen [::]:443;
-    ssl_certificate /etc/letsencrypt/live/wiki.castanedo.es/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/wiki.castanedo.es/privkey.pem; # managed by Certbot
+    ssl_certificate /etc/nginx/ssl/localhost.crt;
+    ssl_certificate_key /etc/nginx/ssl/localhost.key;
 	#
 	# Note: You should disable gzip for SSL traffic.
 	# See: https://bugs.debian.org/773332
+	gzip off;
 	#
 	# Read up on ssl_ciphers to ensure a secure configuration.
 	# See: https://bugs.debian.org/765782
-	#
-	# Self signed certs generated by the ssl-cert package
-	# Don't use them in a production server!
-	#
-	# include snippets/snakeoil.conf;
 
 	root /var/www/moodle;
 

+ 69 - 0
etc/nginx/sites-available/phpinfo-ssl.conf

@@ -0,0 +1,69 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+	listen 80;
+	listen [::]:80;
+	server_name localhost;
+	# Redirect HTTP to HTTPS
+	return 301 https://$host$request_uri;
+}
+
+server {
+	# SSL configuration
+	#
+	listen 443 ssl;
+	listen [::]:443;
+    ssl_certificate /etc/nginx/ssl/localhost.crt;
+    ssl_certificate_key /etc/nginx/ssl/localhost.key;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	gzip off;
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.php;
+
+	server_name localhost;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+	#
+		# With php-fpm (or other unix sockets):
+		fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
+	}
+
+	# deny access to .htaccess files
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
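Review bot: The 443 server block sets certificates but no `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers`, so protocol and cipher selection falls back to the nginx build defaults, which on the distributions this installer targets may still include TLS 1.0 and 1.1; add `ssl_protocols TLSv1.2;` (TLSv1.3 as well where the nginx/OpenSSL build supports it) and `ssl_prefer_server_ciphers on;` next to the certificate lines. `listen [::]:443;` needs the `ssl` parameter too, as noted on mediawiki-ssl.conf. Style: the two `ssl_certificate` lines are indented with spaces where the rest of the file uses tabs.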

+ 151 - 25
install

@@ -144,6 +144,12 @@ comprobarError() {
 		401)
 			error="\n$type $codeNum:\tError al instalar 'certbot' (Let's Encrypt).\n"
 			;;
+		402)
+			error="\n$type $codeNum:\tImposible generar Certificados Autofirmados.\n"
+			;;
+		403)
+			error="\n$type $codeNum:\tImposible generar claves de intercambio Diffie-Hellman.\n"
+			;;
 		501)
 			error="\n$type $codeNum:\tImposible descargar MediaWiki-1.31.0.\n"
 			;;
@@ -774,6 +780,11 @@ instalarApache() {
 		webServerName="httpd"
 		result=$(yum -y install httpd 2>&1)
 		comprobarError $? 101 $result
+		if [ $sslOn = true ];then
+			# Instalamos módulo mod_ssl (no se instala por defecto)
+			result=$(yum -y install mod_ssl 2>&1)
+			comprobarError $? 101 $result
+		fi
 	else
 		comprobarError 1 104
 	fi
@@ -798,21 +809,39 @@ configurarApache() {
 		# Activamos mod_rewrite (no viene activado por defecto)
 		a2enmod rewrite >/dev/null 2>&1
 		comprobarError $? 108
+		# Activamos mod_ssl y mod_headers (no viene activado por defecto)
+		if [ $sslOn = true ];then
+			a2enmod ssl >/dev/null 2>&1
+			comprobarError $? 108
+			a2enmod headers >/dev/null 2>&1
+			comprobarError $? 108
+		fi
+		unset apacheConfFile
 	elif [ $rhelOS = true ];then
 		apacheConfFile="./etc/apache2/conf/httpd.conf"
+		sslConfFile="./etc/apache2/conf.d/ssl.conf"
 		welcomeConfFile="/etc/apache2/conf.d/welcome.conf"
 		if [ ! -f $apacheConfFile ];then
 			comprobarError 1 4 $apacheConfFile
 		fi
 		cp -f $apacheConfFile /etc/$webServerName/conf/httpd.conf 2>/dev/null
 		comprobarError $? 108
+		# Desactivamos Mensaje de Bienvenida
 		if [ -f $welcomeConfFile ];then
 			sed -i -e 's/^/#/' $welcomeConfFile
 			comprobarError $? 108
 		fi
+		# Configuramos mod_ssl
+		if [ $sslOn = true ];then
+			if [ ! -f $sslConfFile ];then
+				comprobarError 1 4 $sslConfFile
+			fi
+			cp -f $sslConfFile /etc/$webServerName/conf.d/ssl.conf 2>/dev/null
+			comprobarError $? 108
+		fi
 		webServerUser=$(grep ^User /etc/$webServerName/conf/httpd.conf | cut -d ' ' -f 2)
 		webServerGroup=$(grep ^Group /etc/$webServerName/conf/httpd.conf | cut -d ' ' -f 2)
-		unset apacheConfFile welcomeConfFile
+		unset apacheConfFile sslConfFile welcomeConfFile
 	fi
 	if [ ! -d "/etc/$webServerName/sites-available" ];then
 		mkdir "/etc/$webServerName/sites-available" 2>/dev/null
@@ -916,6 +945,12 @@ instalarVirtualHost() {
 		comprobarError $? 908
 		sed -i '/CustomLog /c\\tCustomLog logs/'"$dominioVirtualHost"'-access.log common' $virtualHostFile
 		comprobarError $? 908
+		if [ $sslOn = true ];then
+			sed -i '/SSLCertificateFile /c\\tSSLCertificateFile ssl/'"$dominioVirtualHost"'.crt' $virtualHostFile
+			comprobarError $? 908
+			sed -i '/SSLCertificateKeyFile /c\\tSSLCertificateKeyFile ssl/'"$dominioVirtualHost"'.key' $virtualHostFile
+			comprobarError $? 908
+		fi
 	elif [ $nginxOn = true ];then
 		# Configuramos root, dominio, logs y php-fpm.sock (NGINX)
 		sed -i '/root /c\\troot '$rootVirtualHost';' "$virtualHostFile"
@@ -928,6 +963,13 @@ instalarVirtualHost() {
 		comprobarError $? 908
 		socket=$(find /var/run/ -type s -name 'php*.sock')
 		sed -i '/fastcgi_pass /c\\t\tfastcgi_pass unix:'"$socket"';' $virtualHostFile
+		comprobarError $? 908
+		if [ $sslOn = true ];then
+			sed -i '/ssl_certificate /c\\tssl_certificate ssl/'"$dominioVirtualHost"'.crt;' $virtualHostFile
+			comprobarError $? 908
+			sed -i '/ssl_certificate_key /c\\tssl_certificate_key ssl/'"$dominioVirtualHost"'.key;' $virtualHostFile
+			comprobarError $? 908
+		fi
 	fi
 	# Copiamos ficheros de configuración
 	cp -f $virtualHostFile "/etc/$webServerName/sites-available/$virtualHostName" >> $logFile 2>&1
@@ -1230,6 +1272,68 @@ instalarLetsEncrypt() {
 	fi
 }
 
+generarCertAutofirmado() {
+# Genera certificados autofirmados
+# Estos certificados no son seguros, pero valen para pruebas o como paso intermedio para obtener los válidos
+# Uso: generarCertAutofirmado $dominio
+	dominio=$1
+	sslDir="/etc/$webServerName/ssl"
+	keyFile="$sslDir/$dominio.key"
+	reqFile="$sslDir/$dominio.csr"
+	certFile="$sslDir/$dominio.crt"
+	if [ ! -d "$sslDir" ];then
+		mkdir "$sslDir" 2>/dev/null
+		comprobarError $? 5 "$sslDir"
+	fi
+	# Generamos clave privada RSA de 2048 bits
+	openssl genrsa -out "$keyFile" 2048 >/dev/null 2>&1
+	comprobarError $? 402
+	# Generamos petición de firma
+	echo -en "ES\nMadrid\nMadrid\n$dominio\n$dominio\n$dominio\nadmin@$dominio\n\n\n" | openssl req -new -key "$keyFile" -out "$reqFile" >/dev/null 2>&1
+	comprobarError $? 402
+	# Autofirmados clave para 2 años (730 días)
+	openssl x509 -req -days 730 -in "$reqFile" -signkey "$keyFile" -out "$certFile" >/dev/null 2>&1
+	comprobarError $? 402
+	# Eliminamos petición
+	rm -f $reqFile
+	comprobarError $? 402
+	# Cambiamos permisos
+	chmod 644 $certFile
+	comprobarError $? 402
+	chmod 400 $keyFile
+	comprobarError $? 402
+	unset dominio sslDir keyFile reqFile certFile
+}
+
+generarDHParam() {
+# Genera clave de intercambio Diffie-Hellman y lo configuramos
+# Esto aumenta notablemente la seguridad de SSL/TLS
+	sslDir="/etc/$webServerName/ssl"
+	dhParamFile="$sslDir/dhparam.pem"
+	apacheConfFile=""
+	nginxConfFile="/etc/$webServerName/nginx.conf"
+	if [ ! -d "$sslDir" ];then
+		mkdir "$sslDir" 2>/dev/null
+		comprobarError $? 5 "$sslDir"
+	fi
+	openssl dhparam -out "$dhParamFile" 2048
+	comprobarError $? 403
+	# Configuramos Servidor Web
+	if [ $apacheOn = true ];then
+		if [ $debianOS = true ];then
+			apacheConfFile="/etc/$webServerName/apache2.conf"
+		elif [ $rhelOS = true ];then
+			apacheConfFile="/etc/$webServerName/conf/httpd.conf"
+		fi
+		echo -en "\n# Set Stronger Diffie-Hellman key exchange\n" >> $apacheConfFile
+		echo -en "SSLOpenSSLConfCmd DHParameters \"$dhParamFile\"\n" >> $apacheConfFile
+	elif [ $nginxOn = true ];then
+		sed -i '/ssl_param /c\\tssl_dhparam '$dhParamFile';' $nginxConfFile
+		comprobarError $? 403
+	fi
+	unset sslDir dhParamFile apacheConfFile nginxConfFile
+}
+
 habilitarServicio() {
 # Arrancamos y habilitamos el servicio (con SystemD, Upstart o SystemV)
 	# Intentamos con systemctl (SystemD)
@@ -1604,15 +1708,16 @@ instalarPHPInfo() {
 }
 
 # Comprobación del sistema e inicialización
-inicializarVariables
-comprobarRoot
-OSInfo
-comprobarDependencias
+	inicializarVariables
+	comprobarRoot
+	OSInfo
+	comprobarDependencias
 
 # Bienvenida
-mostrarBienvenida
+	mostrarBienvenida
+	
 # Selección de componentes (express vs avanzada)
-mostrarExpress
+	mostrarExpress
 
 # Instalación Servidor Web
 	if [ $apacheOn = true ]; then
@@ -1624,6 +1729,7 @@ mostrarExpress
 		instalarNginx
 		echo -en " OK.\n" | tee -a $logFile
 	fi
+
 # Instalación Base de Datos
 	if [ $mySQLOn = true ]; then
 		echo -en "Instalando Base de Datos MySQL..." | tee -a $logFile
@@ -1634,6 +1740,7 @@ mostrarExpress
 		instalarMariaDB
 		echo -en " OK.\n" | tee -a $logFile
 	fi
+
 # Instalación PHP-7.2
 	if [ $phpOn = true ]; then
 		echo -en "Instalando PHP-7..." | tee -a $logFile
@@ -1646,6 +1753,7 @@ mostrarExpress
 		instalarLetsEncrypt
 		echo -en " OK.\n" | tee -a $logFile
 	fi
+
 # Configuración Web Server
 	if [ $apacheOn = true ];then
 		echo -en "Configurando Servidor Web Apache..." | tee -a $logFile
@@ -1656,7 +1764,8 @@ mostrarExpress
 		configurarNginx
 		echo -en " OK.\n" | tee -a $logFile
 	fi
-# Configuración Database (Arrancar Base de Datos, establecer contraseña y configuración segura)
+
+# Configuración Database (Configurar Ficheros, Arrancar Base de Datos, establecer contraseña y configuración segura)
 	if [ $mySQLOn = true ] || [ $mariaDBOn = true ];then
 		echo -en "Configurando Base de Datos..." | tee -a $logFile
 		configurarSQL
@@ -1666,37 +1775,44 @@ mostrarExpress
 		establecerSQLPasswd
 		echo -en " OK.\n" | tee -a $logFile
 	fi
+
 # Configuración PHP (cgi.fix_pathinfo=0 y Configurar máximo de subida de archivos)
 	if [ $phpOn = true ];then
 		echo -en "Configurando PHP-7..." | tee -a $logFile
 		configurarPHP
 		echo -en " OK.\n" | tee -a $logFile
 	fi
+
 # Configuración SSL/TLS
 	# Generar certificados auto-firmados
 	if [ $sslOn = true ];then
-		echo -en "Generando certificados autofirmados..." | tee -a $logFile
-		sleep 2
+		echo -en "Generando Certificados Auto-Firmados..." | tee -a $logFile
+		if [ $mediaWikiOn = true ];then
+			generarCertAutofirmado $dominioMediaWiki
+		fi
+		if [ $moodleOn = true ];then
+			generarCertAutofirmado $dominioMoodle
+		fi
+		if [ $infoPHPOn = true ];then
+			generarCertAutofirmado "localhost"
+		fi
 		echo -en " OK.\n" | tee -a $logFile
-	fi
-	# Generar certificados Let's Encrypt
-	if [ $letsEncryptOn = true ];then
-		echo -en "Generando certificados válidos Let's Encrypt..." | tee -a $logFile
-		sleep 2
+		echo -en "Generando claves de intercambio Diffie-Hellman (puede llevar un largo tiempo)..." | tee -a $logFile
+		generarDHParam
 		echo -en " OK.\n" | tee -a $logFile
 	fi
+
 # Arrancar y habilitar todos los servicios (SystemD, Service o SystemV)
 	echo -en "Habilitando todos los servicios..." | tee -a $logFile
-	if [ $apacheOn = true ];then
-		habilitarServicio $webServerName
-	elif [ $nginxOn = true ];then
+	if [ $apacheOn = true ] || [ $nginxOn = true ];then
 		habilitarServicio $webServerName
-		if [ $phpOn = true ];then
-			habilitarServicio $phpFPMName
-		fi
+	fi
+	if [ $nginxOn = true ] && [ $phpOn = true ];then
+		habilitarServicio $phpFPMName
 	fi
 	echo -en " OK.\n" | tee -a $logFile
-# MediaWiki
+
+# Instalar MediaWiki
 	if [ $mediaWikiOn = true ]; then
 		# Descargar MediaWiki
 		echo -en "Descargando MediaWiki-1.31.0..." | tee -a $logFile
@@ -1707,7 +1823,8 @@ mostrarExpress
 		configurarMediaWiki
 		echo -en " OK.\n" | tee -a $logFile
 	fi
-# Moodle
+
+# Instalar Moodle
 	if [ $moodleOn = true ]; then
 		# Descargar Moodle
 		echo -en "Descargando Moodle-3.5.1..." | tee -a $logFile
@@ -1718,8 +1835,8 @@ mostrarExpress
 		configurarMoodle
 		echo -en " OK.\n" | tee -a $logFile
 	fi
-# Configurar Virtual Hosts
-	# Instalar info.php
+
+# Instalar info.php
 	if [ $infoPHPOn = true ];then
 		echo -en "Configurando 'info.php'..." | tee -a $logFile
 		instalarPHPInfo
@@ -1729,10 +1846,19 @@ mostrarExpress
 			echo -en " Ya se encuentra configurado.\n" | tee -a $logFile
 		fi
 	fi
+
 # Añadir reglas del cortafuegos
 	echo -en "Configurando Cortafuegos..." | tee -a $logFile
 	configurarCortafuegos
 	echo -en " OK.\n" | tee -a $logFile
+
+# Generar certificados Let's Encrypt
+	if [ $letsEncryptOn = true ];then
+		echo -en "Generando Certificados Válidos Let's Encrypt..." | tee -a $logFile
+		sleep 2
+		echo -en " OK.\n" | tee -a $logFile
+	fi
+
 # Configurar Backup
 	if [ $backupOn = true ]; then
 		echo -en "Configurando Backup Automático..." | tee -a $logFile
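Review bot: In generarDHParam the nginx branch runs `sed -i '/ssl_param /c\\tssl_dhparam '$dhParamFile';' $nginxConfFile`, but `ssl_param` is not an nginx directive and no such line exists in any of the nginx configs in this commit, so unless the project's nginx.conf carries a literal `ssl_param ` placeholder the address matches nothing, sed exits 0, `comprobarError $? 403` never fires, and the freshly generated DH parameters are silently never used on nginx. The address is presumably meant to be `/ssl_dhparam /`, and the target file must already contain an `ssl_dhparam` line for the `c\` replacement to act on. The Apache branch appends `SSLOpenSSLConfCmd DHParameters` to the main config with `>>` on every run, so a re-run of the installer duplicates the directive; a `grep -q '^SSLOpenSSLConfCmd DHParameters' "$apacheConfFile" ||` guard before the echoes keeps it idempotent. In generarCertAutofirmado the key written by `openssl genrsa` exists with the process umask until the later `chmod 400`, so a `(umask 077; openssl genrsa ...)` subshell closes that window. Feeding the `openssl req -new` prompts through `echo -en` is fragile across OpenSSL versions; `-subj "/C=ES/ST=Madrid/L=Madrid/O=$dominio/CN=$dominio"` sets the same subject non-interactively.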