

tools and default site issues
Failing with SSL and some other issues.
QROkes committed Dec 21, 2018
1 parent 2750ab7 commit 521147b
Showing 7 changed files with 55 additions and 25 deletions.
14 changes: 8 additions & 6 deletions lib/site-ssl
Expand Up @@ -83,7 +83,7 @@ site_ssl_on() {
sudo certbot certonly --webroot -w /var/www/$root/htdocs/ $domset $param

elif [[ -a /etc/letsencrypt/live/$domain/fullchain.pem ]]; then
echo "${blu}Certificate for echo${end} $domain ${blu}already exist and found, wait while we configure your server to use it!${end}"
echo "${blu}Certificate for${end} $domain ${blu}already exist and found, wait while we configure your server to use it!${end}"
fi


Expand All @@ -94,16 +94,17 @@ site_ssl_on() {
sudo sed -i '/headers-http.conf/a \ include common/headers-https.conf;' /etc/nginx/sites-available/$domain
sudo sed -i '/server_name /r /opt/webinoly/templates/template-site-ssl' /etc/nginx/sites-available/$domain
sudo sed -i "/WebinolySSLstart/,/WebinolySSLend/{s/domain.com/$domain/}" /etc/nginx/sites-available/$domain

# In case this domain is used as tools-site.
[[ $(conf_read tools-site) == $domain ]] && sudo webinoly -tools-site=$domain

# HTTP to HTTPS Redirection
[[ $subdomflag == 1 ]] && local sername="server_name $domain;" || local sername="server_name $domain www.$domain;"
[[ $cache == "-wildcard" ]] && sername="server_name $domain *.$domain;"
sudo sed -i '1r /opt/webinoly/templates/template-site-sslredirect' /etc/nginx/sites-available/$domain
sudo sed -i "/#server_name;/c \ $sername" /etc/nginx/sites-available/$domain

# In case this domain is used as tools-site or default-site
[[ $(conf_read tools-site) == $domain ]] && sudo webinoly -tools-site=$domain
[[ $(conf_read default-site) == $domain ]] && sudo webinoly -default-site=$domain

# Auto-Renew Certificate
if [[ ! -a /var/spool/cron/crontabs/root ]]; then
sudo touch /var/spool/cron/crontabs/root
Expand All @@ -116,7 +117,7 @@ site_ssl_on() {
[[ -z $cronmail && -n $cermail && -z $cronrene ]] && echo "MAILTO=${cermail}" | sudo tee -a /var/spool/cron/crontabs/root
[[ -z $cronrene ]] && echo '15 3 * * 7 certbot renew --post-hook "service nginx restart"' | sudo tee -a /var/spool/cron/crontabs/root

[[ $(conf_read debug) == "true" ]] && echo "${blu}Debug Mode is enabled, this SSL Cert is just for testing purpose and should not be used in production enviroments.{end}"
[[ $(conf_read debug) == "true" ]] && echo "${red}Debug Mode is enabled, this SSL Cert is just for testing purpose and should not be used in production enviroments.${end}"
echo "${gre}SSL have been successfully enabled for your site -${blu} $domain${end}"
else
echo "${red}"
Expand All @@ -133,8 +134,9 @@ site_ssl_off() {
sudo sed -i '/WebinolySSLstart/,/WebinolySSLend/{/.*/d}' /etc/nginx/sites-available/$domain
sudo sed -i '/WebinolySSLredirectStart/,/WebinolySSLredirectEnd/{/.*/d}' /etc/nginx/sites-available/$domain

# In case this domain is used as tools-site.
# In case this domain is used as tools-site or default-site
[[ $(conf_read tools-site) == $domain ]] && sudo webinoly -tools-site=$domain
[[ $(conf_read default-site) == $domain ]] && sudo webinoly -default-site=$domain

if [[ -n $value && ( $value == "force" || $value == "off-force" ) ]]; then
answer=="N"
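Review bot: The new default-site comparisons in site_ssl_on (`[[ $(conf_read default-site) == $domain ]]`) and the matching pair in site_ssl_off leave `$domain` unquoted on the right of `==`, where `[[ ]]` treats it as a glob pattern instead of a literal string, and the argument to the nested `webinoly` call is unquoted as well; write `[[ $(conf_read default-site) == "$domain" ]] && sudo webinoly -default-site="$domain"` (same for the tools-site line). The re-entry into `webinoly -default-site` after toggling SSL looks intentional, since that command is what re-inserts or removes the port-443 blackhole block for a non-SSL default site; a one-line comment saying so, `# Re-run -default-site so the 443 blackhole block matches the new SSL state`, would make the ordering less surprising. Both site_ssl_on and site_ssl_off continue outside the visible hunks.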
5 changes: 4 additions & 1 deletion lib/sites
Expand Up @@ -539,6 +539,9 @@ createsite() {
wp_cache_plugins
fi

# Check if only-error log is enabled
[[ $(conf_read global-access-log-off) == "true" ]] && sudo log $domain -only-error=on

sudo chown -R www-data:www-data /var/www
[[ $(conf_read login-www-data) == "true" ]] && sudo chown root:root /var/www

Expand Down Expand Up @@ -587,7 +590,7 @@ force_redirect() {
esac

# If SSL is enabled insert after that - First redirect should be to HTTPS due to HSTS.
isssl=$( grep -F "ssl_certificate_key" /etc/nginx/sites-available/$domain )
isssl=$(sed -n -e '/WebinolyNginxServerStart/,$p' /etc/nginx/sites-available/$domain | grep -F "ssl_certificate_key")
if [[ -z $isssl && $value =~ ^(www|root)$ ]]; then
sudo sed -i '1r /tmp/template-site-wwwredirect' /etc/nginx/sites-available/$domain
elif [[ -n $isssl && $value =~ ^(www|root)$ ]]; then
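Review bot: The new `isssl` detection in force_redirect, `sed -n -e '/WebinolyNginxServerStart/,$p' … | grep -F "ssl_certificate_key"`, is repeated verbatim in plugins/site (`-ssl` branch) and twice in plugins/webinoly (`-tools-site` and `-default-site`), so a later change to the marker or the match string has four places to go wrong; a single helper such as `site_has_ssl() { sed -n '/WebinolyNginxServerStart/,$p' "/etc/nginx/sites-available/$1" | grep -qF ssl_certificate_key; }` used as `if site_has_ssl "$domain"` would keep them in step. Wherever it stays inline, `$domain` (and `$value` in the plugin copies) should be quoted, and the reason for the marker-scoped search deserves a comment, e.g. `# Only look below the site's own server block so a blackhole block inserted above it is not mistaken for site SSL`. The enclosing function continues outside the hunk in every case.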
14 changes: 10 additions & 4 deletions lib/webin
Expand Up @@ -528,10 +528,16 @@ remove_domain_default_site() {
# In case we have a domain as default before.
if ! [[ $(conf_read default-site) =~ ^(default|blackhole)$ || -z $(conf_read default-site) ]]; then
[[ -L /etc/nginx/sites-enabled/default ]] || sudo ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen 80 default_server;/listen 80;/}" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen \[::\]:80 default_server;/listen [::]:80;/}" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen 443 ssl http2 default_server;/listen 443 ssl http2;/}" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen \[::\]:443 ssl http2 default_server;/listen [::]:443 ssl http2;/}" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i "s/listen 80 default_server;/listen 80;/" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i "s/listen \[::\]:80 default_server;/listen [::]:80;/" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i "s/listen 443 ssl http2 default_server;/listen 443 ssl http2;/" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i "s/listen \[::\]:443 ssl http2 default_server;/listen [::]:443 ssl http2;/" /etc/nginx/sites-available/$(conf_read default-site)
sudo sed -i '/WebinolyStartBlackhole/,/WebinolyEndBlackhole/{/.*/d}' /etc/nginx/sites-available/$(conf_read default-site)
fi
}


create_blackhole_cert() {
[[ ! -a /etc/ssl/certs/webinoly-blackhole.crt.pem ]] && sudo openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=blackhole" -keyout /etc/ssl/private/webinoly-blackhole.key.pem -out /etc/ssl/certs/webinoly-blackhole.crt.pem
}
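Review bot: `create_blackhole_cert` guards generation on the certificate alone (`[[ ! -a /etc/ssl/certs/webinoly-blackhole.crt.pem ]]`), so if the key under /etc/ssl/private is missing or was removed while the cert survives, nothing regenerates the pair and nginx will fail to load any block that references it; test both files, `[[ ! -a /etc/ssl/certs/webinoly-blackhole.crt.pem || ! -a /etc/ssl/private/webinoly-blackhole.key.pem ]] && …`. Since the function is also called from `-tools-site` and `-default-site` it is worth confirming the key file mode after generation (older OpenSSL releases wrote `-keyout` with umask permissions); a `sudo chmod 600` on the key is cheap insurance. A header comment stating the purpose would help, e.g. `# Self-signed placeholder cert used only by the blackhole (return 444) server blocks; never served for a real site`.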

2 changes: 1 addition & 1 deletion plugins/site
Expand Up @@ -316,7 +316,7 @@ elif [[ "$type" == "-delete" && -a /etc/nginx/sites-available/$domain ]]; then

# SSL (Letsencrypt)
elif [[ ( $type == "-ssl-on" || $type == "-ssl-off" || $type == "-ssl" ) && -a /etc/nginx/sites-available/$domain ]]; then
isssl=$( grep -F "ssl_certificate_key" /etc/nginx/sites-available/$domain )
isssl=$(sed -n -e '/WebinolyNginxServerStart/,$p' /etc/nginx/sites-available/$domain | grep -F "ssl_certificate_key")
if [[ ( $type == "-ssl-on" && -z $value ) || ( $type == "-ssl" && $value == "on" ) ]]; then
[[ -z $isssl ]] && site_ssl_on || echo "${red}SSL is already enabled for your site -${blu} $domain ${end}"
elif [[ ( $type == "-ssl-off" || ( $type == "-ssl" && ( $value == "off" || $value == "off-force" ))) ]]; then
29 changes: 23 additions & 6 deletions plugins/webinoly
Expand Up @@ -123,19 +123,26 @@ elif [[ $opt == "-tools-site" ]]; then
sudo sed -i "/listen \[::\]:$(conf_read tools-port)/c \ listen [::]:$(conf_read tools-port);" /etc/nginx/sites-available/$(conf_read tools-port)

# If SSL is enabled
isssl=$( grep -F "ssl_certificate_key" /etc/nginx/sites-available/$value )
isssl=$(sed -n -e '/WebinolyNginxServerStart/,$p' /etc/nginx/sites-available/$value | grep -F "ssl_certificate_key")
if [[ -n $isssl ]]; then
sudo sed -i "/listen $(conf_read tools-port)/c \ listen $(conf_read tools-port) ssl http2 deferred;" /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i "/listen \[::\]:$(conf_read tools-port)/c \ listen [::]:$(conf_read tools-port) ssl http2;" /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i '/server_name /r /opt/webinoly/templates/template-site-ssl' /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i "/WebinolySSLstart/,/WebinolySSLend/{s/domain.com/$value/}" /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i '/locations.conf/a \ include common/headers-https.conf;' /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i "/WebinolySSLend/i \ error_page 497 https:\/\/\$host:\$server_port\$request_uri;" /etc/nginx/sites-available/$(conf_read tools-port)
create_blackhole_cert
fi

# Default blackhole for requests different from our assigned Tools-Site
sudo sed -i '/Webinoly Admin-Tools NGINX CONFIGURATION/r /opt/webinoly/templates/general/tools-site-blackhole' /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i "/WebinolyToolsStartBlackhole/,/WebinolyToolsEndBlackhole/{s/22222/$(conf_read tools-port)/}" /etc/nginx/sites-available/$(conf_read tools-port)
if [[ -z $isssl ]]; then
sudo sed -i "/WebinolyToolsStartBlackhole/,/WebinolyToolsEndBlackhole/{/ssl_certificate/d}" /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i "/WebinolyToolsStartBlackhole/,/WebinolyToolsEndBlackhole/{/error_page/d}" /etc/nginx/sites-available/$(conf_read tools-port)
sudo sed -i "/WebinolyToolsStartBlackhole/,/WebinolyToolsEndBlackhole/{s/ssl //}" /etc/nginx/sites-available/$(conf_read tools-port)
echo "${red}It's highly recommended having an SSL Cert enabled on this site. ${end}"
fi

conf_write tools-site $value
echo "${gre}Domain ${blu}- ${value}:$(conf_read tools-port) -${gre} was successfully assigned to access your server tools!${end}"
Expand Down Expand Up @@ -506,17 +513,27 @@ elif [[ $opt == "-default-site" ]]; then
exit 1
fi
elif [[ $value == "blackhole" ]]; then
remove_domain_default_site
remove_domain_default_site
sudo cat /opt/webinoly/templates/general/nginx-blackhole >| /etc/nginx/sites-available/default
create_blackhole_cert
conf_write default-site blackhole
echo "${gre}Blackhole Nginx site was successfully assigned as default site!${end}"
else
# Domain option
if [[ -L /etc/nginx/sites-enabled/$value ]]; then
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen 80;/listen 80 default_server;/}" /etc/nginx/sites-available/$value
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen \[::\]:80;/listen [::]:80 default_server;/}" /etc/nginx/sites-available/$value
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen 443 ssl http2;/listen 443 ssl http2 default_server;/}" /etc/nginx/sites-available/$value
sudo sed -i "/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/{s/listen \[::\]:443 ssl http2;/listen [::]:443 ssl http2 default_server;/}" /etc/nginx/sites-available/$value
remove_domain_default_site
sudo sed -i "s/listen 80;/listen 80 default_server;/" /etc/nginx/sites-available/$value
sudo sed -i "s/listen \[::\]:80;/listen [::]:80 default_server;/" /etc/nginx/sites-available/$value
sudo sed -i "s/listen 443 ssl http2;/listen 443 ssl http2 default_server;/" /etc/nginx/sites-available/$value
sudo sed -i "s/listen \[::\]:443 ssl http2;/listen [::]:443 ssl http2 default_server;/" /etc/nginx/sites-available/$value

# If default site is Non-SSL, we need add a blackhole for port 443.
isssl=$(sed -n -e '/WebinolyNginxServerStart/,$p' /etc/nginx/sites-available/$value | grep -F "ssl_certificate_key")
if [[ -z $isssl ]]; then
create_blackhole_cert
sudo sed -i '1r /opt/webinoly/templates/general/nginx-blackhole' /etc/nginx/sites-available/$value
sudo sed -i '/NonSSL/,/NonSSLend/{/.*/d}' /etc/nginx/sites-available/$value
fi

sudo rm -rf /etc/nginx/sites-enabled/default
conf_write default-site $value
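Review bot: Dropping the `/WebinolyNginxServerStart/,/WebinolyNginxServerEnd/` range from the four `default_server` substitutions in the `-default-site` domain branch means every `listen 80;` / `listen 443 ssl http2;` in the file is rewritten, and if a site file holds more than one such line (a www-redirect or HTTP-to-HTTPS redirect block next to the main one, as other hunks in this commit insert with `1r`), both become `default_server`, which nginx rejects as a duplicate default server on reload; this is inferred from the templates referenced elsewhere, so it should be checked against an actual site file and, at minimum, followed by an `nginx -t` before `conf_write default-site $value` so a broken config is not persisted. The mirror-image removals in `remove_domain_default_site` are harmless without the range, but the additions here are not. The non-SSL branch also inserts the blackhole after line 1 (`sed -i '1r …'`), which assumes line 1 is not itself the first line of a server block; a comment stating that assumption would make it reviewable. The enclosing `elif` chain continues outside the hunk.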
8 changes: 5 additions & 3 deletions templates/general/nginx-blackhole
Expand Up @@ -3,15 +3,17 @@ server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

ssl_certificate /etc/ssl/certs/blackhole.crt.pem;
ssl_certificate_key /etc/ssl/private/blackhole.key.pem;
ssl_certificate /etc/ssl/certs/webinoly-blackhole.crt.pem;
ssl_certificate_key /etc/ssl/private/webinoly-blackhole.key.pem;

return 444;
}
# NonSSL
server {
listen 80 default_server;
listen [::]:80 default_server;

return 444;
}
# WebinolyEndBlackhole
# NonSSLend
# WebinolyEndBlackhole
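Review bot: The new `# NonSSL` marker is a prefix of `# NonSSLend`, so any sed range written as `/NonSSL/,/NonSSLend/` (as plugins/webinoly does) only works because the start line happens to come first; a distinct pair in the style the file already uses, `# WebinolyStartNonSSL` and `# WebinolyEndNonSSL`, removes that dependence and matches `# WebinolyEndBlackhole`. A one-line comment above the HTTP block, `# Deleted when the default site already serves port 80 itself`, would document why the block is removable.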
8 changes: 4 additions & 4 deletions templates/general/tools-site-blackhole
@@ -1,11 +1,11 @@

# WebinolyToolsStartBlackhole
server {
listen 11111 ssl default_server;
listen [::]:11111 ssl default_server;
listen 22222 ssl default_server;
listen [::]:22222 ssl default_server;

ssl_certificate /etc/ssl/certs/blackhole.crt.pem;
ssl_certificate_key /etc/ssl/private/blackhole.key.pem;
ssl_certificate /etc/ssl/certs/webinoly-blackhole.crt.pem;
ssl_certificate_key /etc/ssl/private/webinoly-blackhole.key.pem;
error_page 497 https://$host:$server_port$request_uri;

return 444;
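Review bot: The port `22222` in the two `listen` lines is a placeholder that plugins/webinoly substitutes with `conf_read tools-port`, but nothing in the template says so, and the previous value (11111) silently disagreed with the substitution; add `# 22222 is a placeholder, replaced with tools-port by webinoly -tools-site` above the `server {` line so the two stay in sync. The `ssl_certificate` paths must likewise match what `create_blackhole_cert` writes, which is worth a comment of the same kind.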

