docs, various fixes and certbot-cloudflare example

2021-06-06 14:52:30 +02:00
parent e8f5db0b29
commit 678ad70b01
13 changed files with 168 additions and 34 deletions
--- a/examples/certbot-cloudflare/certbot-new.sh
+++ b/examples/certbot-cloudflare/certbot-new.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# you need to run it before starting bunkerized-nginx to get the first certificate
+
+# edit according to your values
+DOMAINS="kakou-corp.fr,*.kakou-corp.fr"
+EMAIL="contact@kakou-corp.fr"
+SERVICE="mywww"
+
+# ask for the certificate
+# don't forget to first edit the cloudflare.ini file
+docker run --rm \
+       -v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
+       -v "${PWD}/letsencrypt:/etc/letsencrypt" \
+       certbot/dns-cloudflare \
+       certonly \
+       --dns-cloudflare \
+       --dns-cloudflare-credentials /tmp/cloudflare.ini \
+       --dns-cloudflare-propagation-seconds 60 \
+       -d "$DOMAINS" \
+       --email "$EMAIL" \
+       --agree-tos \
+       --no-eff-email
+if [ $? -ne 0 ] ; then
+	echo "error while getting certificate for $DOMAINS"
+	exit 1
+fi
+
+# fix permissions
+chgrp -R 101 "${PWD}/letsencrypt"
+chmod -R 750 "${PWD}/letsencrypt"
+
+echo "Certificate for $DOMAINS created !"
--- a/examples/certbot-cloudflare/certbot-renew.sh
+++ b/examples/certbot-cloudflare/certbot-renew.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# you should add it to your crontab like :
+# 0 0 * * * cd /your/folder && ./certbot-renew.sh
+
+# edit with your service name
+SERVICE="mywww"
+
+# ask for the renew
+# don't forget to first edit the cloudflare.ini file
+docker run --rm \
+       -v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
+       -v "${PWD}/letsencrypt:/etc/letsencrypt" \
+       certbot/dns-cloudflare \
+       renew
+if [ $? -ne 0 ] ; then
+	echo "error while getting certificate for $DOMAINS"
+	exit 1
+fi
+
+# fix permissions
+chgrp -R 101 "${PWD}/letsencrypt"
+chmod -R 750 "${PWD}/letsencrypt"
+
+# reload bunkerized-nginx
+docker-compose kill -s SIGHUP mywww
+
+echo "Certificate(s) renewed (if needed) !"
--- a/examples/certbot-cloudflare/cloudflare.ini
+++ b/examples/certbot-cloudflare/cloudflare.ini
@@ -0,0 +1,5 @@
+# Cloudflare API token used by Certbot
+# More info :
+# https://certbot-dns-cloudflare.readthedocs.io/en/stable/index.html#credentials
+# https://developers.cloudflare.com/api/tokens/create
+dns_cloudflare_api_token = YOUR-API-TOKEN-HERE
--- a/examples/certbot-cloudflare/docker-compose.yml
+++ b/examples/certbot-cloudflare/docker-compose.yml
@@ -0,0 +1,36 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    volumes:
+      - ./web-files:/www:ro
+      - ./letsencrypt:/letsencrypt:ro
+    environment:
+      - SERVER_NAME=www.website.com # replace with your domain(s)
+      - USE_CUSTOM_HTTPS=yes
+      - CUSTOM_HTTPS_CERT=/letsencrypt/live/website.com/fullchain.pem # replace with your path
+      - CUSTOM_HTTPS_KEY=/letsencrypt/live/website.com/privkey.pem # replace with your path
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - PROXY_REAL_IP=yes
+      # networks from https://www.cloudflare.com/ips-v4/
+      # you should check if the networks listed are up to date
+      - PROXY_REAL_IP_FROM=173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 172.64.0.0/13 131.0.72.0/22 104.16.0.0/13 104.24.0.0/14
+      - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - REMOTE_PHP=myphp
+      - REMOTE_PHP_PATH=/app
+
+  myphp:
+    image: php:fpm
+    restart: always
+    volumes:
+      - ./web-files:/app
--- a/examples/certbot-cloudflare/web-files/index.php
+++ b/examples/certbot-cloudflare/web-files/index.php
@@ -0,0 +1,5 @@
+<?php
+
+echo "Hello World behind Cloudflare !";
+
+?>
--- a/examples/certbot-wildcard/certbot-wildcard.sh
+++ b/examples/certbot-wildcard/certbot-wildcard.sh
@@ -3,19 +3,28 @@
 # you need to run it before starting bunkerized-nginx
 # since it's manual there is no auto renew, you need to run it again before it expires

-DOMAIN="*.website.com"
+# replace with your values
+DOMAINS="website.com,*.website.com"
 SERVICE="mywww"

 # ask for wildcard certificate
 # it's interactive and you will need to add a DNS entry
-docker run --rm -it -v "${PWD}/letsencrypt:/etc/letsencrypt" certbot/certbot certonly --manual -d $DOMAIN --agree-tos
+docker run --rm \
+       -it \
+       -v "${PWD}/letsencrypt:/etc/letsencrypt" \
+       certbot/certbot \
+       certonly \
+       --manual \
+       -d "$DOMAINS" \
+       --agree-tos
 if [ $? -ne 0 ] ; then
-	echo "error while getting certificate for $DOMAIN"
+	echo "error while getting certificate for $DOMAINS"
 	exit 1
 fi

 # fix permissions
-chown -R 101:101 "${PWD}/letsencrypt"
+chgrp -R 101 "${PWD}/letsencrypt"
+chmod -R 750 "${PWD}/letsencrypt"

 # reload nginx if it's already running (in case of a "renew")
 if [ -z `docker-compose ps -q $SERVICE` ] || [ -z `docker ps -q --no-trunc | grep $(docker-compose ps -q $SERVICE)` ]; then