commit 1af63982767a382a490c38f07ac4a8fe3019db47
parent 0a0e2f52b4696631ffff404c84222df8c52e5f70
Author: bohdan-potuzhnyi <bohdan.potuzhnyi@gmail.com>
Date: Thu, 3 Apr 2025 12:45:56 +0200
changing the rproxy-setup to check root, check dns record, enable a2enmod packages
Diffstat:
1 file changed, 96 insertions(+), 36 deletions(-)
diff --git a/src/merchant-tools/taler-merchant-rproxy-setup b/src/merchant-tools/taler-merchant-rproxy-setup
@@ -12,7 +12,7 @@
# - At most one of {--nginx, --apache} (or auto-detection)
# - Optionally {--httponly} or {--httpsonly} (but not both)
# - Checks for required packages (nginx/apache2, certbot (unless HTTP-only))
-# - Verifies Apache modules if using --apache (proxy, proxy_http, headers)
+# - Verifies Apache modules if using --apache (proxy, proxy_http, headers, ssl)
# - Attempts to start the selected web server
# - Runs certbot to get certificates (unless HTTP-only)
# - Updates config(s), backs up originals, optionally forces HTTP->HTTPS
@@ -51,6 +51,14 @@ usage() {
exit 0
}
+##########################
+# 0.a. Must run as root
+##########################
+if [[ $EUID -ne 0 ]]; then
+ echo "ERROR: This script must be run as root (e.g. with sudo)."
+ exit 1
+fi
+
while [[ $# -gt 0 ]]; do
case "$1" in
--domain)
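Review bot: The root check at L24–L27 runs before the option loop, so a plain `--help` (presumably routed to `usage()` inside the `while` loop that follows) now fails for an unprivileged user even though it only prints usage text; move the check below the argument parsing or exempt the help path. The error also goes to stdout; `echo "ERROR: This script must be run as root (e.g. with sudo)." >&2` keeps it out of captured output. The `while` loop continues past the end of the hunk.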
@@ -92,6 +100,46 @@ if [[ -z "$DOMAIN" ]]; then
fi
##############################
+# 0.b. Optional DNS check
+##############################
+# Checks that the domain resolves to at least one local IP.
+# If it doesn't, you can either warn or exit. Below, we exit.
+# If your environment uses NAT or multiple interfaces, you may
+# wish to relax this check into a warning.
+
+if command -v dig &>/dev/null; then
+ # Gather the local machine's IP addresses
+ local_ips="$(hostname -I 2>/dev/null || true)"
+ # Attempt to resolve $DOMAIN via DNS
+ domain_ips="$(dig +short A "$DOMAIN")"
+
+ if [[ -z "$domain_ips" ]]; then
+ echo "ERROR: DNS lookup for '$DOMAIN' returned no A record."
+ echo "Please ensure the domain name is configured correctly in DNS."
+ exit 1
+ fi
+
+ echo "Local IP(s): $local_ips"
+ echo "Domain IP(s): $domain_ips"
+
+ match_found=0
+ while read -r dip; do
+ if echo "$local_ips" | grep -qw "$dip"; then
+ match_found=1
+ break
+ fi
+ done <<< "$domain_ips"
+
+ if [[ $match_found -eq 0 ]]; then
+ echo "ERROR: None of the DNS IPs for '$DOMAIN' match this server's IP(s)."
+ echo "Fix DNS or check networking before continuing."
+ exit 1
+ fi
+else
+ echo "WARNING: 'dig' not installed; skipping DNS check."
+fi
+
+##############################
# Detect installed web server
##############################
check_installed() {
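Review bot: `grep -qw "$dip"` at L59 treats the resolved address as a regular expression, so every `.` matches any character; use a fixed-string match, `grep -qFw -- "$dip"`, so only a literal address in the `hostname -I` output counts. `dig +short A` also prints the CNAME target line before any addresses, so for a CNAME whose target has no A record the output is non-empty and the "no A record" test at L48 is passed with nothing useful to compare. Because `$DOMAIN` is later spliced into `sed` patterns and handed to certbot, an early format check such as `[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "ERROR: invalid domain '$DOMAIN'." >&2; exit 1; }` belongs here too. Note the check covers A records only, so an IPv6-only host is rejected.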
@@ -155,15 +203,20 @@ else
exit 1
fi
- # Check Apache modules
+ # Check Apache modules. If missing, enable them. Then restart Apache.
APACHE_MODULES="$(apache2ctl -M 2>/dev/null)"
- for mod in proxy proxy_http headers; do
+ for mod in proxy proxy_http headers ssl; do
if ! echo "$APACHE_MODULES" | grep -qE "^ $mod(_module)?"; then
- echo "ERROR: Apache module '$mod' is not enabled."
- echo "Enable it with: sudo a2enmod $mod && sudo systemctl restart apache2"
- exit 1
+ echo "Apache module '$mod' not enabled. Enabling it now..."
+ a2enmod "$mod"
+ NEED_RESTART=1
fi
done
+
+ if [[ -n "$NEED_RESTART" ]]; then
+ echo "Restarting apache2 to load newly enabled module(s)..."
+ systemctl restart apache2
+ fi
fi
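Review bot: `a2enmod "$mod"` at L91 and `systemctl restart apache2` at L98 are not checked, so a module that is not installed (a2enmod exits non-zero) or a failed restart goes unreported and the script proceeds to edit and reload the config anyway; guard both, e.g. `a2enmod "$mod" || { echo "ERROR: could not enable Apache module '$mod'." >&2; exit 1; }` and the same pattern around the restart. `NEED_RESTART` is never initialised before the test at L96, which breaks if the script runs under `set -u` (not visible here). The enclosing `else` branch begins before the hunk.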
###########################################
@@ -173,7 +226,7 @@ start_service() {
local service_name="$1"
if ! systemctl is-active --quiet "$service_name"; then
echo "Attempting to start $service_name ..."
- if ! sudo systemctl start "$service_name"; then
+ if ! systemctl start "$service_name"; then
echo "ERROR: Could not start $service_name. Fix manually or switch server type."
exit 1
fi
@@ -193,35 +246,39 @@ CONFIG_FILE_NGINX="/etc/nginx/sites-available/taler-merchant"
CONFIG_FILE_APACHE="/etc/apache2/sites-available/taler-merchant.conf"
backup_and_edit_nginx_http_only() {
- if [[ ! -f "${CONFIG_FILE_NGINX}.legacy" ]]; then
+ if [[ ! -f "${CONFIG_FILE_NGINX}.legacy" && -f "$CONFIG_FILE_NGINX" ]]; then
sudo cp "$CONFIG_FILE_NGINX" "${CONFIG_FILE_NGINX}.legacy"
fi
- sudo cp "${CONFIG_FILE_NGINX}.legacy" "$CONFIG_FILE_NGINX"
- sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_NGINX"
- # Remove any 'server { ... listen 443 ... }' block (simple approach)
- sudo sed -i '/listen 443/,/}/d' "$CONFIG_FILE_NGINX"
+ if [[ -f "${CONFIG_FILE_NGINX}.legacy" ]]; then
+ sudo cp "${CONFIG_FILE_NGINX}.legacy" "$CONFIG_FILE_NGINX"
+ fi
+ sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_NGINX" 2>/dev/null
+ # Remove any 'server { ... listen 443 ... }' block
+ sudo sed -i '/listen 443/,/}/d' "$CONFIG_FILE_NGINX" 2>/dev/null
}
backup_and_edit_apache_http_only() {
- if [[ ! -f "${CONFIG_FILE_APACHE}.legacy" ]]; then
+ if [[ ! -f "${CONFIG_FILE_APACHE}.legacy" && -f "$CONFIG_FILE_APACHE" ]]; then
sudo cp "$CONFIG_FILE_APACHE" "${CONFIG_FILE_APACHE}.legacy"
fi
- sudo cp "${CONFIG_FILE_APACHE}.legacy" "$CONFIG_FILE_APACHE"
- sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_APACHE"
+ if [[ -f "${CONFIG_FILE_APACHE}.legacy" ]]; then
+ sudo cp "${CONFIG_FILE_APACHE}.legacy" "$CONFIG_FILE_APACHE"
+ fi
+ sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_APACHE" 2>/dev/null
# Remove everything from "<VirtualHost *:443>" to "</VirtualHost>"
- sudo sed -i '/<VirtualHost \*:443>/,/<\/VirtualHost>/d' "$CONFIG_FILE_APACHE"
+ sudo sed -i '/<VirtualHost \*:443>/,/<\/VirtualHost>/d' "$CONFIG_FILE_APACHE" 2>/dev/null
}
if [[ $HTTP_ONLY -eq 1 ]]; then
if [[ $USE_NGINX -eq 1 ]]; then
backup_and_edit_nginx_http_only
- if ! sudo systemctl reload nginx; then
+ if ! systemctl reload nginx; then
echo "ERROR: Failed to reload nginx after HTTP-only config changes."
exit 1
fi
else
backup_and_edit_apache_http_only
- if ! sudo systemctl reload apache2; then
+ if ! systemctl reload apache2; then
echo "ERROR: Failed to reload apache2 after HTTP-only config changes."
exit 1
fi
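Review bot: The `2>/dev/null` added to every `sed -i` in `backup_and_edit_nginx_http_only` and `backup_and_edit_apache_http_only` hides exactly the failure the new existence guards make possible: when neither the config nor its `.legacy` copy exists, both `cp` calls are skipped, `sed` fails silently, and the script goes on to reload the server as if the config had been written. Report the missing template instead, e.g. at the top of each function `[[ -f "$CONFIG_FILE_NGINX" || -f "${CONFIG_FILE_NGINX}.legacy" ]] || { echo "ERROR: $CONFIG_FILE_NGINX not found." >&2; exit 1; }`, and drop the stderr redirections. These functions also keep the `sudo` prefix on `cp`/`sed` while the rest of the commit removes it; with the root check in place it is redundant. The `/listen 443/,/}/d` range at L127 ends at the first `}`, which in a server block with nested `location` blocks would leave a truncated block behind — presumably the template has none, but worth confirming.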
@@ -234,7 +291,7 @@ fi
if [[ $HTTP_ONLY -eq 0 ]]; then
echo "Running certbot to obtain certificate for $DOMAIN ..."
echo "Please follow the certbot prompts."
- if ! sudo certbot certonly --webroot -w /var/www/html -d "$DOMAIN"; then
+ if ! certbot certonly --webroot -w /var/www/html -d "$DOMAIN"; then
echo "ERROR: certbot failed. Exiting."
exit 1
fi
@@ -244,44 +301,47 @@ fi
# 4. Update config to use SSL (unless strictly HTTP only)
##############################################################
backup_and_edit_nginx_https() {
- if [[ ! -f "${CONFIG_FILE_NGINX}.legacy" ]]; then
+ if [[ ! -f "${CONFIG_FILE_NGINX}.legacy" && -f "$CONFIG_FILE_NGINX" ]]; then
sudo cp "$CONFIG_FILE_NGINX" "${CONFIG_FILE_NGINX}.legacy"
fi
- sudo cp "${CONFIG_FILE_NGINX}.legacy" "$CONFIG_FILE_NGINX"
- sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_NGINX"
+ if [[ -f "${CONFIG_FILE_NGINX}.legacy" ]]; then
+ sudo cp "${CONFIG_FILE_NGINX}.legacy" "$CONFIG_FILE_NGINX"
+ fi
+ sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_NGINX" 2>/dev/null
if [[ $HTTPS_ONLY -eq 1 ]]; then
# Insert a simple HTTP->HTTPS redirect into the server block with "listen 80;"
sudo sed -i '/listen 80;/a \
- if ($scheme = http) { return 301 https://$host$request_uri; }' "$CONFIG_FILE_NGINX"
+ if ($scheme = http) { return 301 https://$host$request_uri; }' "$CONFIG_FILE_NGINX" 2>/dev/null
fi
}
backup_and_edit_apache_https() {
- if [[ ! -f "${CONFIG_FILE_APACHE}.legacy" ]]; then
+ if [[ ! -f "${CONFIG_FILE_APACHE}.legacy" && -f "$CONFIG_FILE_APACHE" ]]; then
sudo cp "$CONFIG_FILE_APACHE" "${CONFIG_FILE_APACHE}.legacy"
fi
- sudo cp "${CONFIG_FILE_APACHE}.legacy" "$CONFIG_FILE_APACHE"
- sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_APACHE"
+ if [[ -f "${CONFIG_FILE_APACHE}.legacy" ]]; then
+ sudo cp "${CONFIG_FILE_APACHE}.legacy" "$CONFIG_FILE_APACHE"
+ fi
+ sudo sed -i "s/%%your\.domain%%/$DOMAIN/g" "$CONFIG_FILE_APACHE" 2>/dev/null
if [[ $HTTPS_ONLY -eq 1 ]]; then
# Insert naive rewrite for forcing HTTPS
sudo sed -i '/<VirtualHost \*:80>/a \
- RewriteEngine On\nRewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]' "$CONFIG_FILE_APACHE"
- sudo a2enmod rewrite
+ RewriteEngine On\nRewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]' "$CONFIG_FILE_APACHE" 2>/dev/null
fi
}
if [[ $HTTP_ONLY -eq 0 ]]; then
if [[ $USE_NGINX -eq 1 ]]; then
backup_and_edit_nginx_https
- if ! sudo systemctl reload nginx; then
+ if ! systemctl reload nginx; then
echo "ERROR: Failed to reload nginx after enabling HTTPS."
exit 1
fi
else
backup_and_edit_apache_https
- if ! sudo systemctl reload apache2; then
+ if ! systemctl reload apache2; then
echo "ERROR: Failed to reload apache2 after enabling HTTPS."
exit 1
fi
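Review bot: The Apache `--httpsonly` path still inserts `RewriteEngine On`/`RewriteRule` at L205, but the commit drops the `a2enmod rewrite` that used to follow it (L204) and `rewrite` is not in the module list the script now enables, so on a host without mod_rewrite the reload at L219 fails with an unknown-directive error. Either restore it inside the `HTTPS_ONLY` branch, `a2enmod rewrite || { echo "ERROR: could not enable mod_rewrite." >&2; exit 1; }`, followed by a restart, or add `rewrite` to the enabled-module list. The new `2>/dev/null` on the `sed -i` calls here has the same effect as in the HTTP-only functions: a missing template is edited "successfully" and the server reloaded on nothing.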
@@ -295,31 +355,31 @@ fi
##################################################
if [[ $USE_NGINX -eq 1 ]]; then
# Symlink into sites-enabled if not already done
- if [[ ! -e "/etc/nginx/sites-enabled/taler-merchant" ]]; then
+ if [[ -f "/etc/nginx/sites-available/taler-merchant" && ! -e "/etc/nginx/sites-enabled/taler-merchant" ]]; then
echo "Linking /etc/nginx/sites-available/taler-merchant to /etc/nginx/sites-enabled/"
- sudo ln -s /etc/nginx/sites-available/taler-merchant /etc/nginx/sites-enabled/
+ ln -s /etc/nginx/sites-available/taler-merchant /etc/nginx/sites-enabled/
fi
echo "Testing nginx configuration..."
- if ! sudo nginx -t; then
+ if ! nginx -t; then
echo "ERROR: 'nginx -t' reported a problem. Please fix the config before proceeding."
exit 1
fi
echo "Reloading nginx with new configuration..."
- if ! sudo systemctl reload nginx; then
+ if ! systemctl reload nginx; then
echo "ERROR: Failed to reload nginx after final activation."
exit 1
fi
else
echo "Enabling the taler-merchant site in Apache..."
- if ! sudo a2ensite taler-merchant; then
+ if ! a2ensite taler-merchant; then
echo "ERROR: Failed to run 'a2ensite taler-merchant'."
exit 1
fi
echo "Reloading Apache with new configuration..."
- if ! sudo systemctl reload apache2; then
+ if ! systemctl reload apache2; then
echo "ERROR: Failed to reload apache2 after final activation."
exit 1
fi
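Review bot: The new guard at L228 silently skips the symlink when `/etc/nginx/sites-available/taler-merchant` is absent, so `nginx -t` and the reload then succeed and the script ends as if the site were enabled when it never was; fail explicitly before the `-e` test, `[[ -f /etc/nginx/sites-available/taler-merchant ]] || { echo "ERROR: site config not found." >&2; exit 1; }`. The Apache branch needs no equivalent because `a2ensite` returns non-zero for a missing site and the script exits on it. The outer `if [[ $USE_NGINX -eq 1 ]]` closes after the hunk.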