-
Notifications
You must be signed in to change notification settings - Fork 53
/
Copy pathbonus.SSL_for_RTL.sh
151 lines (122 loc) · 4.31 KB
/
bonus.SSL_for_RTL.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
# Script to install nginx and certbot to enable SSL connection for RTL
# To download and run:
# $ wget https://github.com/openoms/bitcoin-tutorials/raw/master/nginx/bonus.SSL_for_RTL.sh && bash bonus.SSL_for_RTL.sh
# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed
# Need to forward port 80 to the IP of your RaspiBlitz for certbot
# Forward port 3002 to be able to access RTL from outside of your LAN
# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md
# check for certbot and nginx
if dpkg -l | grep -qw "certbot"; then
echo "# certbot is already installed"
else
sudo apt install -y certbot
fi
if dpkg -l | grep -qw "nginx"; then
echo "# nginx is already installed"
else
sudo apt install -y nginx
fi
echo ""
echo "***"
echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]"
read key
echo ""
echo "***"
echo "Please type the domain/ddns you have generated the certificate for followed by [ENTER]"
read YOUR_DOMAIN
echo ""
echo "***"
echo "Type an email address that will be used to register the SSL certificate and press [ENTER]"
read YOUR_EMAIL
echo "installing Nginx and certbot"
sudo apt-get install -y nginx-full certbot
sudo /etc/init.d/nginx start
echo "allow port 80 on ufw"
sudo ufw allow 80
# get SSL cert
sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"
echo ""
echo "***"
echo "Setting up certbot-auto renewal service"
echo "***"
echo ""
sudo rm -f /etc/systemd/system/certbot.timer
echo "
[Unit]
Description=Certbot-auto renewal service
[Timer]
OnBootSec=20min
OnCalendar=*-*-* 4:00:00
[Install]
WantedBy=timers.target
" | sudo tee -a /etc/systemd/system/certbot.timer
sudo rm -f /etc/systemd/system/certbot.service
echo "
[Unit]
Description=Certbot-auto renewal service
After=bitcoind.service
[Service]
WorkingDirectory=/home/admin/
ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
User=admin
Group=admin
Type=simple
KillMode=process
TimeoutSec=60
Restart=always
RestartSec=60
" | sudo tee -a /etc/systemd/system/certbot.service
sudo systemctl enable certbot.timer
echo "Setting up nginx.conf"
echo "***"
echo ""
isRTL=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'upstream RTL')
if [ ${isRTL} -gt 0 ]; then
echo "RTL is already configured with Nginx. To edit manually run \`sudo nano /etc/nginx/nginx.conf\`"
elif [ ${isRTL} -eq 0 ]; then
isStream=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'stream {')
if [ ${isStream} -eq 0 ]; then
echo "
stream {
upstream RTL {
server 127.0.0.1:3000;
}
server {
listen 3002 ssl;
proxy_pass RTL;
ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
ssl_session_cache shared:SSL-RTL:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
}" | sudo tee -a /etc/nginx/nginx.conf
elif [ ${isStream} -eq 1 ]; then
sudo truncate -s-2 /etc/nginx/nginx.conf
echo "
upstream RTL {
server 127.0.0.1:3000;
}
server {
listen 3002 ssl;
proxy_pass RTL;
ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
}" | sudo tee -a /etc/nginx/nginx.conf
elif [ ${isStream} -gt 1 ]; then
echo " Too many \`stream\` commands in nginx.conf. Please edit manually: \`sudo nano /etc/nginx/nginx.conf\` and retry"
exit 1
fi
fi
echo "allow port 3002 on ufw"
sudo ufw allow 3002
sudo systemctl enable nginx
sudo systemctl restart nginx
echo ""
echo "Connect to RTL through https on the port 3002 and forward the port on your router to access outside of the LAN"