From 9ba9d5c90e67d1c6609255428db6a43c08c778c2 Mon Sep 17 00:00:00 2001
From: "John \"Elwin\" Edwards"
Date: Fri, 30 Dec 2016 12:48:58 -0500
Subject: [PATCH] Add files related to SSL support.
---
 README.txt | 9 ++++++---
 lighttpd/certbot-cli.ini | 10 ++++++++++
 lighttpd/rlgallery-ssl.conf | 8 ++++++++
 scripts/create-combined-pemfile | 26 ++++++++++++++++++++++++++
 4 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 lighttpd/certbot-cli.ini
 create mode 100644 lighttpd/rlgallery-ssl.conf
 create mode 100755 scripts/create-combined-pemfile
diff --git a/README.txt b/README.txt
index 9b80aab..1175d4c 100644
--- a/README.txt
+++ b/README.txt
@@ -4,8 +4,9 @@ dgl/ contains the Gallery's dgamelaunch.conf file, the dgamelaunch menus, and a patch to the Git version of dgamelaunch. The patch makes it compatible with the RLGWebD player and adds properly salted passwords.
-lighttpd/ contains a configuration file for lighttpd which should be included
-from the main lighttpd.conf.
+lighttpd/ contains configuration files for lighttpd which should be included
+from the main lighttpd.conf. It also includes a configuration file for
+certbot, for obtaining an SSL certificate.
 py/ contains various Python scripts. Python 3 is required. The dependencies needed are psycopg2 and pytz.
@@ -22,6 +23,8 @@ in /lib/python/site-packages or the equivalent location. py/rlgnotes is a basic blog creator. It makes a blog (with RSS feed!) at the URL /notes using text files as the source. Currently experimental.
+scripts/ contains shell scripts that are useful in the setup process.
+
 web/ contains the static parts of the rlgallery.org website. Note that when
-installed, scoring/ needs to be writable by whatever user is running the
+installed, web/scoring/ needs to be writable by whatever user is running the
 recorder.py script.
diff --git a/lighttpd/certbot-cli.ini b/lighttpd/certbot-cli.ini
new file mode 100644
index 0000000..ba5e598
--- /dev/null
+++ b/lighttpd/certbot-cli.ini
@@ -0,0 +1,10 @@
+# rlgallery.org configuration file for certbot
+# Install at /etc/letsencrypt/cli.ini
+
+authenticator = webroot
+webroot-path = /var/www/lighttpd
+
+agree-tos = True
+non-interactive = True
+
+# email, domain, and post-hook need to be specified by options
diff --git a/lighttpd/rlgallery-ssl.conf b/lighttpd/rlgallery-ssl.conf
new file mode 100644
index 0000000..ab7c580
--- /dev/null
+++ b/lighttpd/rlgallery-ssl.conf
@@ -0,0 +1,8 @@
+# Lighttpd SSL configuration for rlgallery.org
+# Include in the main lighttpd configuration file
+
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/lighttpd/ssl/host.pem"
+ ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
+}
diff --git a/scripts/create-combined-pemfile b/scripts/create-combined-pemfile
new file mode 100755
index 0000000..06c8561
--- /dev/null
+++ b/scripts/create-combined-pemfile
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Combines a private key and host cert into a single pemfile, for webservers
+# that require it.
+
+if [ $# -lt 1 ]
+then
+ echo "No domains given."
+ exit 1
+fi
+
+for DOMAIN in "$@"
+do
+ LINKDIR=/etc/letsencrypt/live/"$DOMAIN"
+ if [ ! -d "$LINKDIR" ]
+ then
+ echo "No certificates for $DOMAIN, skipping"
+ continue
+ fi
+ REALCERTFILE=`readlink -f "$LINKDIR"/cert.pem`
+ PEMFILE=`dirname "$REALCERTFILE"`/combined.pem
+ touch "$PEMFILE"
+ chown root:root "$PEMFILE"
+ chmod 400 "$PEMFILE"
+ cat "$LINKDIR"/privkey.pem "$LINKDIR"/cert.pem >"$PEMFILE"
+ ln -s -f -r "$PEMFILE" "$LINKDIR"/combined.pem
+done
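Review bot: The closing comment `# email, domain, and post-hook need to be specified by options` leaves out the one fact an operator needs for renewals: the lighttpd configuration in this commit reads a combined key+cert file, so a certbot renewal that only refreshes /etc/letsencrypt/live will presumably not be served until combined.pem is regenerated and lighttpd is reloaded. I would extend the comment to say what the hook must do, e.g. `# post-hook should run scripts/create-combined-pemfile <domain> and then reload lighttpd`. It would also help to state that `webroot-path = /var/www/lighttpd` has to be the document root lighttpd serves on port 80, since the webroot authenticator writes its challenge files beneath it.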
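Review bot: The `:443` socket block enables TLS with only `ssl.engine`, `ssl.pemfile` and `ssl.ca-file`, so protocol versions and cipher suites are left to lighttpd's built-in defaults, which differ between versions. I would pin them in the same block, e.g. `ssl.use-sslv3 = "disable"` and `ssl.honor-cipher-order = "enable"`, plus an explicit `ssl.cipher-list` chosen for the deployed lighttpd/OpenSSL. Separately, `ssl.pemfile` points at /etc/lighttpd/ssl/host.pem while scripts/create-combined-pemfile in this same commit writes combined.pem under /etc/letsencrypt, and nothing documents how the two are connected; a comment such as `# host.pem is the combined.pem produced by scripts/create-combined-pemfile (symlink or copy)` would make the setup reproducible. Supplying the chain through `ssl.ca-file` is consistent with the script building a key+cert-only file.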
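Review bot: Nothing in the loop checks that privkey.pem and cert.pem exist or that `cat` succeeded, so a missing cert.pem leaves a combined.pem holding only the private key, which `ln -s -f -r` then links into the live directory as if it were complete; and if `readlink -f` fails, REALCERTFILE is empty, `dirname` returns `.`, and the key material is written to combined.pem in whatever directory the script was run from. I would verify both input files before touching anything, use `$(...)` instead of backticks, send diagnostics to stderr, and stop on the first failing command, as in the rewrite below. The touch/chown/chmod sequence before the write is sound as ordering goes, because the file is still empty when its mode is tightened. `ln -r` is a GNU coreutils extension, which is worth stating in the header comment given the `#!/bin/sh` shebang.
```shell
for DOMAIN in "$@"
do
  LINKDIR=/etc/letsencrypt/live/"$DOMAIN"
  # … unchanged: skip when "$LINKDIR" is not a directory …
  if [ ! -f "$LINKDIR"/privkey.pem ] || [ ! -f "$LINKDIR"/cert.pem ]
  then
    echo "Missing privkey.pem or cert.pem for $DOMAIN, skipping" >&2
    continue
  fi
  REALCERTFILE=$(readlink -f "$LINKDIR"/cert.pem) || exit 1
  PEMFILE=$(dirname "$REALCERTFILE")/combined.pem
  # tighten the mode while the file is still empty, before any key material is written
  touch "$PEMFILE" && chown root:root "$PEMFILE" && chmod 400 "$PEMFILE" || exit 1
  cat "$LINKDIR"/privkey.pem "$LINKDIR"/cert.pem >"$PEMFILE" || exit 1
  ln -s -f -r "$PEMFILE" "$LINKDIR"/combined.pem || exit 1
done
```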