[packages/dehydrated] hook: move each webserver logic to function; use atomic concat to avoid mitm problems

glen glen at pld-linux.org
Tue Jan 3 07:35:05 CET 2017


commit 623687d092e9ead03848ce6d31a2bef893d5375a
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Tue Jan 3 08:34:20 2017 +0200

    hook: move each webserver logic to function; use atomic concat to avoid mitm problems

 hook.sh | 79 ++++++++++++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 56 insertions(+), 23 deletions(-)
---
diff --git a/hook.sh b/hook.sh
index 540b10a..d5387a4 100755
--- a/hook.sh
+++ b/hook.sh
@@ -1,5 +1,56 @@
 #!/bin/sh
 
+# concat file atomic way
+atomic_concat() {
+	local file=$1; shift
+	> $file.new
+	chmod 600 $file.new
+	cat "$@" > $file.new
+	cp -f $file $file.dehydrated~
+	mv -f $file.new $file
+}
+
+lighttpd_reload() {
+	if [ ! -x /usr/sbin/lighttpd ] || [ ! -f /etc/lighttpd/server.pem ]; then
+		return
+	fi
+
+	echo " + Hook: Overwritting /etc/lighttpd/server.pem and reloading lighttpd..."
+	atomic_concat /etc/lighttpd/server.pem "$FULLCHAINCERT" "$PRIVKEY"
+	/sbin/service lighttpd reload
+}
+
+haproxy_reload() {
+	if [ ! -x /usr/sbin/haproxy ] || [ ! -f /etc/haproxy/server.pem ]; then
+		return
+	fi
+
+	echo " + Hook: Overwritting /etc/haproxy/server.pem and restarting haproxy..."
+	atomic_concat /etc/haproxy/server.pem "$FULLCHAINCERT" "$PRIVKEY"
+	/sbin/service haproxy reload
+}
+
+nginx_reload() {
+	if [ ! -f /etc/nginx/server.crt ] || [ ! -f /etc/nginx/server.key ]; then
+		return
+	fi
+
+	echo " + Hook: Overwritting /etc/nginx/server.{crt,key} and reloading nginx..."
+	atomic_concat /etc/nginx/server.crt "$FULLCHAINCERT"
+	atomic_concat /etc/nginx/server.key "$PRIVKEY"
+	/sbin/service nginx reload
+}
+
+httpd_reload() {
+	if [ ! -x /etc/rc.d/init.d/httpd ]; then
+		return
+	fi
+
+	echo " + Hook: Reloading Apache..."
+	/sbin/service httpd graceful
+}
+
+
 case "$1" in
 deploy_cert)
 	DOMAIN="$2"
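Review bot: In atomic_concat the exit status of `cat "$@" > $file.new` is never checked, so if `$FULLCHAINCERT` or `$PRIVKEY` is unreadable, cat writes whatever it could and the truncated file is still promoted by `mv -f` over server.pem and then handed to the daemon by the reload on the following line of each `*_reload` helper — the torn-file hazard this commit sets out to remove returns through the error path. Making atomic_concat delete `$file.new` and return non-zero on failure, and chaining each reload on success, e.g. `atomic_concat /etc/lighttpd/server.pem "$FULLCHAINCERT" "$PRIVKEY" && /sbin/service lighttpd reload`, closes this. Two smaller points: every `$file` expansion in the helper is unquoted under `#!/bin/sh`, and `mv` installs a fresh root-owned 0600 inode, so the previous owner/group of server.pem (and the readability of nginx's server.crt, which holds no key) are lost — presumably harmless if these daemons read the files as root before dropping privileges, but worth confirming. The haproxy message also still says "restarting" while the call is now `reload`.
```shell
atomic_concat() {
	local file=$1; shift
	# create empty and lock down first, so key bytes never land in a
	# file wider than 0600
	> "$file.new" || return 1
	chmod 600 "$file.new"
	if ! cat "$@" > "$file.new"; then
		# a missing input must not be promoted as a truncated pem
		rm -f "$file.new"
		return 1
	fi
	cp -f "$file" "$file.dehydrated~"
	mv -f "$file.new" "$file"
}
```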
@@ -8,29 +59,11 @@ deploy_cert)
 	FULLCHAINCERT="$5"
 	CHAINCERT="$6"
 	TIMESTAMP="$7"
-	if [ -x /usr/sbin/lighttpd -a -f /etc/lighttpd/server.pem ]; then
-		echo " + Hook: Overwritting /etc/lighttpd/server.pem and reloading lighttpd..."
-		cp -a /etc/lighttpd/server.pem /etc/lighttpd/server.pem.letsencrypt~
-		cat "$FULLCHAINCERT" "$PRIVKEY" > /etc/lighttpd/server.pem
-		/sbin/service lighttpd reload
-	fi
-	if [ -f /etc/nginx/server.crt -a -f /etc/nginx/server.key ]; then
-		echo " + Hook: Overwritting /etc/nginx/server.{crt,key} and reloading nginx..."
-		cp -a /etc/nginx/server.crt /etc/nginx/server.crt.letsencrypt~
-		cp -a /etc/nginx/server.crt /etc/nginx/server.key.letsencrypt~
-		cat "$FULLCHAINCERT" > /etc/nginx/server.crt
-		cat "$PRIVKEY" > /etc/nginx/server.key
-		/sbin/service nginx reload
-	fi
-	if [ -x /etc/rc.d/init.d/httpd ]; then
-		echo " + Hook: Reloading Apache..."
-		/sbin/service httpd graceful
-	fi
-	if [ -x /usr/sbin/haproxy -a -f /etc/haproxy/server.pem ]; then
-		echo " + Hook: Overwritting /etc/haproxy/server.pem and restarting haproxy..."
-		cat "$FULLCHAINCERT" "$PRIVKEY" > /etc/haproxy/server.pem
-		/sbin/service haproxy restart
-	fi
+
+	lighttpd_reload
+	nginx_reload
+	httpd_reload
+	haproxy_reload
 	;;
 clean_challenge)
 	CHALLENGE_TOKEN="$2"
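Review bot: The four `*_reload` calls depend on `FULLCHAINCERT` and `PRIVKEY` being set as globals by the assignments immediately above, a coupling that is invisible from inside the helpers; a one-line comment at the call site would make it explicit, e.g. `# the *_reload helpers read FULLCHAINCERT and PRIVKEY set above`. Each helper's reload still runs regardless of the outcome of the previous one, which matches the pre-change behaviour. The enclosing deploy_cert arm begins in the previous hunk.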
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/dehydrated.git/commitdiff/623687d092e9ead03848ce6d31a2bef893d5375a


