@jyio
Last active February 18, 2020 06:32
Automatic SSL certificates from Let's Encrypt using Nginx and acme.sh in webroot mode
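#!/bin/sh
# Issue a Let's Encrypt certificate covering every hostname this nginx serves,
# using acme.sh in webroot mode against /var/www (see snippets/ssl.conf).

# Collect the hostnames the certificate must cover.
# Scans every `server_name` directive in the enabled vhosts, skipping lines
# tagged with a trailing "# NOSSL" comment, and keeps only tokens that look
# like a public hostname: labels of [A-Za-z0-9_-] joined by at least one dot.
# Requiring the dot drops nginx's catch-all "_" and "localhost"; anchoring on
# "server_name<blank>" keeps the values of server_names_hash_bucket_size and
# server_name_in_redirect out of the list; wildcards, regexes and $variables
# never match either, so nothing odd is ever spliced into acme.sh's argv.
# Arguments: $1 - vhost directory (default /etc/nginx/sites-enabled)
# Outputs:   one hostname per line, sorted, duplicates removed
get_domains()
{
sites_dir=${1:-/etc/nginx/sites-enabled}
cat "$sites_dir"/* \
| sed 's/^[[:blank:]]*//' \
| grep -E '^server_name[[:blank:]]' \
| grep -v '# NOSSL' \
| cut -d';' -f1 \
| awk '{for(i=2; i<=NF; i++) print $i}' \
| grep -E '^[[:alnum:]_-]+([.][[:alnum:]_-]+)+$' \
| LC_ALL=C sort -u
}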
# Emit acme.sh's argument vector, one element per line: the issue/webroot
# options first, then a "-d <host>" pair for every name get_domains reports.
# The caller word-splits this output; that is only safe because get_domains
# lets through nothing but plain hostnames (no whitespace, no metacharacters).
# Outputs: one argv element per line on stdout
get_args()
{
printf '%s\n' --issue -w /var/www
get_domains | while IFS= read -r host; do
printf '%s\n' -d "$host"
done
}
# https://github.com/acmesh-official/acme.sh
# Ask acme.sh to issue one certificate for every hostname found in the
# enabled vhosts and install the key and chain where snippets/ssl.conf
# expects them. Anything passed to this script is appended verbatim, e.g.
# --staging for a dry run, or --reloadcmd 'nginx -s reload' so the running
# nginx actually picks up the new files -- nothing here reloads it otherwise.
# shellcheck disable=SC2046 -- get_args prints one argv element per line and
# get_domains admits only plain hostnames, so the word-splitting is intended.
/root/.acme.sh/acme.sh $(get_args) \
--key-file /etc/nginx/ssl.key \
--fullchain-file /etc/nginx/ssl.cer \
"$@"
# /etc/nginx/sites-enabled/example
server {
# Every server_name in sites-enabled is picked up by get_domains in the
# issue script and ends up on the certificate; append "# NOSSL" to the
# directive to keep a name off it.
server_name example.com;
# listeners, TLS settings, HTTP->HTTPS redirect and the ACME challenge
# location shared by all vhosts
include snippets/ssl.conf;
# document root for the site itself (the ACME challenge path gets its own
# root inside ssl.conf)
root /var/www;
index index.html;
}
# /etc/nginx/snippets/ssl.conf
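# Listener and TLS settings shared by every vhost; included inside `server { }`.
# One server block serves both plain HTTP and HTTPS so a single file per site
# is enough; HTTP is redirected except for the ACME challenge path.
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
# Redirect plain HTTP to HTTPS, but let /.well-known/acme-challenge/ through
# unredirected: the HTTP-01 validator fetches the token over port 80, and until
# the first real certificate is installed ssl.cer is still the snake-oil one.
# A server-level `if` runs before location matching, so a single `if` cannot
# exempt the path -- hence the set/if sequence; `return` inside `if` is the
# one form nginx documents as safe.
set $to_https 0;
if ($scheme != "https") {
set $to_https 1;
}
if ($uri ~ "^/\.well-known/acme-challenge/") {
set $to_https 0;
}
if ($to_https = 1) {
return 302 https://$host$request_uri;
}
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://ssl-config.mozilla.org/
# Bootstrap both files from the snake-oil package `ssl-cert' so nginx starts
# before the first acme.sh run; keep ssl.key readable by root only.
ssl_certificate /etc/nginx/ssl.cer;
ssl_certificate_key /etc/nginx/ssl.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
# session tickets off: nginx does not rotate its ticket key by itself, which
# would undermine forward secrecy for resumed sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
# The DHE-* suites below are only offered once ssl_dhparam is set (nginx skips
# them otherwise); use the ffdhe2048 group from ssl-config.mozilla.org.
# ssl_dhparam /etc/nginx/dhparam;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS for two years (needs ngx_http_headers_module). `always` adds it to error
# responses too; browsers only honour it over HTTPS, so the copy on the plain
# HTTP redirect is harmless. Commit to this only once every service on this
# hostname is reachable over TLS -- it is hard to undo for returning visitors.
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling needs a `resolver` directive to look up the responder host;
# without one nginx warns "no resolver defined" and staples nothing. Note that
# Let's Encrypt has announced the end of its OCSP service, so for newer LE
# certificates stapling becomes a no-op either way.
# resolver 127.0.0.1;
ssl_stapling on;
ssl_stapling_verify on;
# Serve ACME challenge files from the webroot acme.sh writes into
# (-w /var/www in the issue script), whatever root the vhost itself uses.
location /.well-known/ {
root /var/www;
}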