289 lines
6.8 KiB
Bash
289 lines
6.8 KiB
Bash
#!/bin/bash
|
|
|
|
RELEASE=$(whiptail --title "Traefik" --inputbox "Release :" 0 30 "2.7.1" 3>&1 1>&2 2>&3)
|
|
ACCOUNT=$(whiptail --title "Traefik" --inputbox "ACME E-Mail :" 0 30 "" 3>&1 1>&2 2>&3)
|
|
|
|
main() {
|
|
Traefik-etc-certs-selfsigned
|
|
Traefik-etc-services
|
|
Traefik-etc-config
|
|
Traefik-etc-iptable
|
|
Traefik-bin-update-traefik
|
|
Traefik-service
|
|
}
|
|
|
|
|
|
Traefik-etc-certs-selfsigned() {
|
|
mkdir -p /etc/traefik/certs
|
|
openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key
|
|
openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
|
|
}
|
|
|
|
Traefik-etc-services() {
|
|
mkdir -p /etc/traefik/services
|
|
Traefik-etc-services-shared
|
|
Traefik-etc-services-default
|
|
}
|
|
|
|
Traefik-etc-services-shared() {
|
|
cat >> /etc/traefik/services/_shared.yaml << "EOF"
|
|
tls:
|
|
stores:
|
|
default:
|
|
defaultCertificate:
|
|
certFile: "/etc/traefik/certs/self.crt"
|
|
keyFile: "/etc/traefik/certs/self.key"
|
|
|
|
options:
|
|
default:
|
|
minVersion: "VersionTLS12"
|
|
# sniStrict: true
|
|
cipherSuites:
|
|
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
|
|
|
mintls13:
|
|
minVersion: "VersionTLS13"
|
|
|
|
http:
|
|
middlewares:
|
|
to-https:
|
|
redirectScheme:
|
|
scheme: "https"
|
|
permanent: true
|
|
to-no-www:
|
|
redirectRegex:
|
|
regex: "^https://www.(.*)"
|
|
replacement: "https://${1}"
|
|
permanent: true
|
|
|
|
hsts-min:
|
|
headers:
|
|
sslRedirect: true
|
|
stsIncludeSubdomains: false
|
|
stsPreload: true
|
|
stsSeconds: 63072000
|
|
contentTypeNosniff: true
|
|
accessControlMaxAge: 100
|
|
addVaryheader: true
|
|
hsts_light:
|
|
headers:
|
|
sslRedirect: true
|
|
frameDeny: true
|
|
stsIncludeSubdomains: false
|
|
stsPreload: true
|
|
stsSeconds: 63072000
|
|
contentTypeNosniff: true
|
|
accessControlMaxAge: 100
|
|
addVaryheader: true
|
|
hsts:
|
|
headers:
|
|
sslRedirect: true
|
|
frameDeny: true
|
|
stsIncludeSubdomains: false
|
|
stsPreload: true
|
|
stsSeconds: 63072000
|
|
contentTypeNosniff: true
|
|
accessControlMaxAge: 100
|
|
addVaryheader: true
|
|
referrerPolicy: "origin-when-cross-origin"
|
|
hsts-strict:
|
|
headers:
|
|
sslRedirect: true
|
|
frameDeny: true
|
|
stsIncludeSubdomains: false
|
|
stsPreload: true
|
|
stsSeconds: 63072000
|
|
contentTypeNosniff: true
|
|
accessControlMaxAge: 100
|
|
addVaryheader: true
|
|
contentSecurityPolicy: "script-src 'self'"
|
|
referrerPolicy: "origin-when-cross-origin"
|
|
|
|
services:
|
|
dummy:
|
|
loadBalancer:
|
|
servers:
|
|
- url: "https://127.0.0.1:2"
|
|
|
|
# matomo:
|
|
# loadBalancer:
|
|
# servers:
|
|
# - url: "https://x.x.x.x:xxx"
|
|
EOF
|
|
}
|
|
|
|
Traefik-etc-services-default() {
|
|
cat >> /etc/traefik/services/_default.yaml << "EOF"
|
|
http:
|
|
routers:
|
|
_default:
|
|
entryPoints:
|
|
- http
|
|
rule: "PathPrefix(`/`)"
|
|
# priority: 100
|
|
# service: _default-matomo
|
|
service: _default
|
|
|
|
_default-secure:
|
|
entryPoints:
|
|
- https
|
|
rule: "PathPrefix(`/`)"
|
|
# priority: 100
|
|
# service: _default-matomo
|
|
service: _default
|
|
tls:
|
|
acmev2-staging
|
|
|
|
services:
|
|
# _default-matomo:
|
|
# mirroring:
|
|
# service: _default
|
|
# maxBodySize: 1024
|
|
# mirrors:
|
|
# - name: matomo
|
|
# percent: 100
|
|
|
|
_default:
|
|
loadBalancer:
|
|
servers:
|
|
- url: https://127.0.0.1:2
|
|
EOF
|
|
}
|
|
|
|
Traefik-etc-config() {
|
|
cat >> /etc/traefik/traefik.yaml << "EOF"
|
|
entryPoints:
|
|
http:
|
|
address: ":80"
|
|
https:
|
|
address: ":443"
|
|
traefik:
|
|
address: ":8099"
|
|
|
|
api:
|
|
dashboard: true
|
|
insecure: true
|
|
|
|
serversTransport:
|
|
insecureSkipVerify: true
|
|
|
|
providers:
|
|
file:
|
|
directory: "/etc/traefik/services/"
|
|
watch: true
|
|
|
|
certificatesResolvers:
|
|
acmev2:
|
|
acme:
|
|
email: "X{ACCOUNT}"
|
|
caserver: "https://acme-v02.api.letsencrypt.org/directory"
|
|
storage: "/etc/traefik/certs/acmev2.json"
|
|
keyType: "EC384"
|
|
tlsChallenge: {}
|
|
acmev2-staging:
|
|
acme:
|
|
email: "X{ACCOUNT}"
|
|
caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
storage: "/etc/traefik/certs/acmev2-staging.json"
|
|
keyType: "EC384"
|
|
tlsChallenge: {}
|
|
EOF
|
|
|
|
sed -i "s/X{ACCOUNT}/${ACCOUNT}/g" /etc/traefik/traefik.yaml
|
|
|
|
}
|
|
|
|
Traefik-etc-iptable() {
|
|
if [ -f "/etc/iptables/rules.v4" ]; then
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules.v4
|
|
iptables-restore /etc/iptables/rules.v4
|
|
fi
|
|
}
|
|
|
|
Traefik-bin-update-traefik() {
|
|
cat >> /usr/local/bin/update-traefik << "EOF"
|
|
#/bin/bash
|
|
|
|
getcurrentversion() {
|
|
if [ -f /var/opt/traefik/version ]; then
|
|
cat /var/opt/traefik/version
|
|
else
|
|
echo "0"
|
|
fi
|
|
}
|
|
getlatestversion() {
|
|
if ! GITHUBTAGNAME=$(curl -sL "https://api.github.com/repos/traefik/traefik/releases/latest" | jq -r ".tag_name"); then
|
|
echo "Error in Github API"
|
|
return 1
|
|
fi
|
|
if [ "${GITHUBTAGNAME}" == "" ]; then
|
|
echo "Error in Github API"
|
|
return 1
|
|
fi
|
|
local -r GITHUBVERSION=${GITHUBTAGNAME//[[:alpha:]-]/}
|
|
if [ "${GITHUBVERSION}" == "" ]; then
|
|
echo "Error in Github API"
|
|
return 1
|
|
fi
|
|
echo "${GITHUBVERSION}"
|
|
}
|
|
update() {
|
|
VERSION=${1}
|
|
mkdir -p /tmp/traefik
|
|
cd /tmp/traefik
|
|
wget https://github.com/traefik/traefik/releases/download/v${VERSION}/traefik_v${VERSION}_linux_amd64.tar.gz
|
|
tar -xf traefik_v${VERSION}_linux_amd64.tar.gz
|
|
systemctl stop traefik
|
|
cp traefik /usr/local/bin
|
|
systemctl start traefik
|
|
if [ ! -d /var/opt/traefik ]; then
|
|
mkdir -p /var/opt/traefik
|
|
fi
|
|
echo "${VERSION}" > /var/opt/traefik/version
|
|
rm -R /tmp/traefik
|
|
}
|
|
|
|
CURVER=$(getcurrentversion)
|
|
LATESTVER=$(getlatestversion)
|
|
|
|
if [ "${CURVER}" != "${LATESTVER}" ]; then
|
|
echo "${CURVER} -> ${LATESTVER}"
|
|
update "${LATESTVER}"
|
|
fi
|
|
EOF
|
|
chmod 755 /usr/local/bin/update-traefik
|
|
update-traefik ${RELEASE}
|
|
}
|
|
|
|
Traefik-service() {
|
|
cat >> /etc/systemd/system/traefik.service << "EOF"
|
|
[Unit]
|
|
Description=Traefik
|
|
After=network.target auditd.service
|
|
|
|
[Service]
|
|
ExecStart=/usr/local/bin/traefik -configFile /etc/traefik/traefik.yaml
|
|
ExecReload=/bin/killall traefik
|
|
KillMode=process
|
|
Restart=on-failure
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
|
|
systemctl daemon-reload
|
|
systemctl enable traefik
|
|
systemctl restart traefik
|
|
}
|
|
|
|
|
|
main
|