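#!/bin/bash
#
# ssl-manager.sh — local HTTPS + NGINX vhosts for WSL projects.
#
# For every first-level directory <site> under $WEB_ROOT this script:
#   * creates (once) a local root CA and installs it into the WSL CA store,
#   * issues a wildcard *.test certificate whose SAN list names every <site>.test,
#   * writes and enables an NGINX vhost for <site>.test (HTTP -> HTTPS redirect),
#   * adds "127.0.0.1 <site>.test" to the Windows hosts file,
#   * removes vhosts / hosts entries for sites that no longer exist,
#   * fixes ownership and permissions, checks the NGINX config and reloads it.
#
# Usage:    ssl-manager.sh            (no arguments)
# Requires: ~/.wsl_env exporting WEB_ROOT and SSL_DIR; openssl, jq, sha256sum,
#           sudo in PATH; systemd-managed nginx.
#
# The run is skipped when the set of project directories is unchanged since
# the last *successful* run. The state file (~/.wsl_projects.hash) is written
# only at the very end, so an aborted run is retried on the next invocation.
# Only directory names are hashed: a composer.json or public/ folder added to
# an existing project does not trigger a run — delete the hash file to force one.
set -euo pipefail
shopt -s nullglob   # an empty $WEB_ROOT must iterate over nothing, not a literal "*"

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ── User configuration ──────────────────────────────────────────────────────
if [[ -f "$HOME/.wsl_env" ]]; then
  # shellcheck disable=SC1091 — user-specific file, not part of the repository
  source "$HOME/.wsl_env"
else
  die "ERROR: ~/.wsl_env not found. Please run the setup installer first."
fi
: "${WEB_ROOT:?ERROR: WEB_ROOT is not set.}"
: "${SSL_DIR:?ERROR: SSL_DIR is not set.}"

# ── Constants ───────────────────────────────────────────────────────────────
readonly HASH_FILE="$HOME/.wsl_projects.hash"
readonly CA_DIR="$SSL_DIR/ca"
readonly CA_KEY="$CA_DIR/rootCA.key"
readonly CA_CERT="$CA_DIR/rootCA.pem"
readonly CA_SYSTEM_COPY="/usr/local/share/ca-certificates/laragon-rootCA.crt"
readonly NGINX_SITES_AVAILABLE="/etc/nginx/sites-available"
readonly NGINX_SITES_ENABLED="/etc/nginx/sites-enabled"
readonly HOSTS_FILE="/mnt/c/Windows/System32/drivers/etc/hosts"
readonly WIN_HOSTS_FILE="C:\Windows\System32\drivers\etc\hosts"
readonly CERT_KEY="$SSL_DIR/laragon.test.key"
readonly CERT_CRT="$SSL_DIR/laragon.test.crt"
readonly CERT_CSR="$SSL_DIR/laragon.test.csr"
readonly CERT_CNF="$SSL_DIR/laragon.test.cnf"
readonly CERT_BUNDLE="$SSL_DIR/laragon-bundle.crt"
readonly DEFAULT_PHP_VERSION="8.2"

#######################################
# Abort early with a clear message if a tool the script depends on is missing
# (otherwise a missing jq would silently fall back to the default PHP version).
#######################################
require_tools() {
  local tool
  for tool in openssl jq sha256sum sudo; do
    command -v "$tool" >/dev/null 2>&1 \
      || die "ERROR: required tool '$tool' not found in PATH."
  done
}

#######################################
# SHA-256 of the sorted list of first-level directory names under $WEB_ROOT.
# Globals:   WEB_ROOT (read)
# Outputs:   hex digest on stdout
#######################################
project_set_hash() {
  find "$WEB_ROOT" -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
    | sort \
    | sha256sum \
    | awk '{print $1}'
}

#######################################
# Create the local root CA (key + self-signed cert) unless both already exist,
# and trust it in the WSL CA store.
# Globals:   CA_KEY, CA_CERT, CA_SYSTEM_COPY (read)
#######################################
ensure_root_ca() {
  if [[ -f "$CA_KEY" && -f "$CA_CERT" ]]; then
    echo "✅ Reusing existing root CA"
    return 0
  fi
  # Anyone who can read this key can issue certificates this machine trusts,
  # so it is written under umask 077 (owner-only) regardless of which file
  # mode the installed OpenSSL would pick by default.
  (
    umask 077
    openssl genrsa -out "$CA_KEY" 2048
  )
  openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 3650 \
    -out "$CA_CERT" -subj "/C=US/ST=WSL/L=Dev/O=Laragon/CN=Laragon Test CA"
  sudo cp "$CA_CERT" "$CA_SYSTEM_COPY"
  sudo update-ca-certificates
}

#######################################
# Write the OpenSSL extension file listing *.test plus one SAN per project.
# Globals:   WEB_ROOT (read), CERT_CNF (written)
#######################################
build_san_config() {
  local idx=2 dirpath site
  {
    printf '%s\n' '[ v3_req ]' 'subjectAltName = @alt_names' '[ alt_names ]' 'DNS.1 = *.test'
    for dirpath in "$WEB_ROOT"/*/; do
      site=${dirpath%/}
      site=${site##*/}
      printf 'DNS.%d = %s.test\n' "$idx" "$site"
      idx=$((idx + 1))
    done
  } >"$CERT_CNF"
}

#######################################
# Generate the leaf key + CSR, sign it with the CA and build the chain bundle.
# Globals:   CERT_KEY, CERT_CSR, CERT_CRT, CERT_CNF, CERT_BUNDLE, CA_* (read)
#######################################
issue_wildcard_cert() {
  echo "🔐 Generating key and CSR..."
  (
    umask 077   # private key must not be world-readable
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$CERT_KEY" -out "$CERT_CSR" \
      -subj "/C=US/ST=WSL/L=Dev/O=Laragon/CN=*.test"
  )
  echo "✅ Signing cert with CA..."
  openssl x509 -req -in "$CERT_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -out "$CERT_CRT" -days 825 -sha256 \
    -extfile "$CERT_CNF" -extensions v3_req
  # Leaf first, then issuer: the order NGINX expects in ssl_certificate.
  cat "$CERT_CRT" "$CA_CERT" >"$CERT_BUNDLE"
}

#######################################
# Derive "MAJOR.MINOR" from composer.json's require.php, or the default.
# Arguments: $1 - path to composer.json (may not exist)
# Outputs:   version string on stdout
#######################################
detect_php_version() {
  local composer_file=$1 ver=""
  if [[ -f "$composer_file" ]]; then
    # A missing "php" requirement or an unparsable file makes jq/grep return
    # non-zero; under pipefail that would abort the whole script, whereas it
    # simply means "use the default".
    ver=$(jq -r '.require.php // empty' "$composer_file" 2>/dev/null \
      | grep -o '[0-9]\+\.[0-9]\+' || true)
    ver=${ver%%$'\n'*}   # keep the first match only
  fi
  printf '%s\n' "${ver:-$DEFAULT_PHP_VERSION}"
}

#######################################
# Write the vhost for one site and enable it.
# Arguments: $1 - domain (e.g. app.test)
#            $2 - document root
#            $3 - PHP-FPM socket file name under /run/php
# Globals:   NGINX_SITES_*, CERT_BUNDLE, CERT_KEY (read)
#######################################
write_vhost() {
  local domain=$1 root_path=$2 php_socket=$3
  # Bash variables expand at write time; NGINX's own $vars are escaped with \$.
  sudo tee "$NGINX_SITES_AVAILABLE/$domain" >/dev/null <<NGINX
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $domain;
    ssl_certificate $CERT_BUNDLE;
    ssl_certificate_key $CERT_KEY;
    root $root_path;
    index index.php index.html;
    location / {
        try_files \$uri \$uri/ /index.php?\$query_string;
    }
    location ~ \.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/$php_socket;
    }
    location ~ /\.ht {
        deny all;
    }
}
NGINX
  sudo ln -sf "$NGINX_SITES_AVAILABLE/$domain" "$NGINX_SITES_ENABLED/$domain"
}

#######################################
# Make sure "127.0.0.1 <domain>" is present in the Windows hosts file; on a
# write failure fall back to opening Notepad elevated so the user can add it.
# Arguments: $1 - domain
# Globals:   HOSTS_FILE, WIN_HOSTS_FILE (read)
#######################################
ensure_hosts_entry() {
  local domain=$1
  local entry="127.0.0.1 $domain"
  local domain_re=${domain//./\\.}
  # The Windows hosts file normally has CRLF line endings; a fixed-string
  # whole-line match never hits such lines and the entry would be appended
  # on every run. [[:space:]]*$ swallows the CR, and the escaped, anchored
  # domain keeps "api.test" from matching "myapi.test".
  if grep -Eq "^[[:space:]]*127\.0\.0\.1[[:space:]]+${domain_re}[[:space:]]*\$" "$HOSTS_FILE"; then
    return 0
  fi
  if printf '%s\n' "$entry" | sudo tee -a "$HOSTS_FILE" >/dev/null; then
    echo "Added $domain to $HOSTS_FILE"
  else
    echo "⚠️ Unable to modify Windows hosts file directly."
    echo "Launching Notepad as Admin (or open WSL in admin mode to modify $HOSTS_FILE):"
    powershell.exe -Command "Start-Process notepad.exe -ArgumentList '$WIN_HOSTS_FILE' -Verb runAs"
    echo "Please add the line manually, then save and close Notepad."
  fi
}

#######################################
# Remove vhosts and hosts entries whose project directory no longer exists.
# Globals:   NGINX_SITES_*, WEB_ROOT, HOSTS_FILE (read)
#######################################
cleanup_stale_vhosts() {
  local conf domain site domain_re
  for conf in "$NGINX_SITES_AVAILABLE"/*.test; do
    domain=${conf##*/}
    site=${domain%.test}
    if [[ -d "$WEB_ROOT/$site" ]]; then
      continue
    fi
    echo "🗑️ Removing $domain"
    sudo rm -f "$NGINX_SITES_AVAILABLE/$domain" "$NGINX_SITES_ENABLED/$domain"
    # Escape the dots and anchor on the host name: an unescaped "/$domain/d"
    # treats "." as a wildcard and also deletes lines for e.g. myapi.test.
    domain_re=${domain//./\\.}
    if sudo sed -i "/[[:space:]]${domain_re}[[:space:]]*\$/d" "$HOSTS_FILE"; then
      echo "Removed $domain from $HOSTS_FILE"
    fi
  done
}

#######################################
# Ownership user:www-data, 750/640 everywhere, 775 for Laravel storage/cache.
# Globals:   WEB_ROOT, HOME (read)
#######################################
fix_permissions() {
  local user_name appdir candidate
  local -a lara_dirs
  user_name=$(id -un)
  sudo chown -R "$user_name":www-data "$WEB_ROOT"
  sudo find "$WEB_ROOT" -type d -exec chmod 750 {} +
  sudo find "$WEB_ROOT" -type f -exec chmod 640 {} +
  for appdir in "$WEB_ROOT"/*; do
    [[ -d "$appdir/storage" ]] || continue
    echo "⚙️ Setting permissions for Laravel storage and cache in ${appdir##*/}"
    # Only touch the directories that exist; chown on a missing
    # bootstrap/cache would abort the run under set -e.
    lara_dirs=()
    for candidate in "$appdir/storage" "$appdir/bootstrap/cache"; do
      if [[ -d "$candidate" ]]; then
        lara_dirs+=("$candidate")
      fi
    done
    sudo chown -R "$user_name":www-data "${lara_dirs[@]}"
    sudo chmod -R 775 "${lara_dirs[@]}"
  done
  # www-data must be able to traverse down to the web root (presumably under
  # $HOME); o+x grants traversal only, not listing or reading.
  sudo chmod o+x "$HOME" "$WEB_ROOT"
}

#######################################
# Validate the generated configuration before (re)loading NGINX, so a broken
# vhost fails the run instead of taking the server down.
#######################################
reload_nginx() {
  sudo nginx -t
  if systemctl is-active --quiet nginx; then
    sudo systemctl reload nginx
  else
    sudo systemctl start nginx
  fi
}

main() {
  local current_hash rawdir dir site domain root_path php_ver php_socket

  require_tools

  current_hash=$(project_set_hash)
  if [[ -f "$HASH_FILE" && "$(<"$HASH_FILE")" == "$current_hash" ]]; then
    echo "🔎 No changes in $WEB_ROOT. Skipping SSL & vhost regeneration."
    exit 0
  fi
  echo "🔄 Detected change in projects, running SSL & vhost manager..."

  mkdir -p "$SSL_DIR" "$CA_DIR"

  echo "🔐 Creating or reusing Root CA..."
  ensure_root_ca

  echo "🔧 Building SAN config..."
  build_san_config

  issue_wildcard_cert

  echo "🌐 Generating NGINX vhosts..."
  for rawdir in "$WEB_ROOT"/*/; do
    [[ -d "$rawdir" ]] || continue
    dir=${rawdir%/}
    site=${dir##*/}
    domain="$site.test"

    # Laravel-style layouts serve from public/, everything else from the root.
    if [[ -f "$dir/public/index.php" ]]; then
      root_path="$dir/public"
    else
      root_path="$dir"
    fi

    php_ver=$(detect_php_version "$dir/composer.json")
    php_socket="php${php_ver}-fpm.sock"
    if [[ ! -S "/run/php/$php_socket" ]]; then
      printf 'warn: /run/php/%s does not exist yet; check the PHP-FPM version for %s\n' \
        "$php_socket" "$domain" >&2
    fi

    write_vhost "$domain" "$root_path" "$php_socket"
    ensure_hosts_entry "$domain"
  done

  if sudo test -w "$HOSTS_FILE"; then
    echo "🧹 Cleaning up old vhosts..."
    cleanup_stale_vhosts
  else
    echo "⚠️ Skipping cleanup of old vhosts due to inability to modify $HOSTS_FILE"
  fi

  fix_permissions
  reload_nginx

  # Record the project set only now, after every step succeeded; a run that
  # aborted half-way must be retried next time, not skipped.
  printf '%s\n' "$current_hash" >"$HASH_FILE"

  echo "🎉 SSL Manager complete."
  echo "Please restart your terminal or run 'source ~/.zshrc' to apply changes."
  echo "You may need to restart your browser for the new SSL certificate to take effect."
  echo "Also you need to install the certificate on your Windows host. See the README for instructions."
}

main "$@"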