diff --git a/README.md b/README.md index 6d04f07..986e989 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,5 @@ # fpbx-lewatch Monitor FreePBX letsencrypt certificate generation and temporarily allow http connection for certman. + +Certman 15.0.25+ now does manages le rules automatically if using the FreePBX firewall module, but this script may still be useful for those who manage their own firewall rules. + diff --git a/lewatch.sh b/lewatch.sh new file mode 100755 index 0000000..8557ea1 --- /dev/null +++ b/lewatch.sh @@ -0,0 +1,71 @@ +#!/bin/bash + +fullme="$(realpath -- "$0")" +baseme="$(basename -- "$0")" +me="${baseme%.*}" + +rule="INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment $me " +timeout=60 + +addRule() { + echo "adding le rule" + iptables -w -C $rule 2>/dev/null || iptables -w -I $rule + sleep $timeout + deleteRule +} + +deleteRule() { + while iptables -w -C $rule 2>/dev/null; do + echo deleting le rule + iptables -w -D $rule + sleep 0.1 + done +} + +install() { + # (re)create fpbx le web folders + chattr -R -i /var/www/html/.well-known /var/www/html/.freepbx-known + rm -rf /var/www/html/.well-known /var/www/html/.freepbx-known + mkdir -p /var/www/html/.well-known/acme-challenge /var/www/html/.freepbx-known + chown -R asterisk:asterisk /var/www/html/.well-known /var/www/html/.freepbx-known + # prevent folders from being deleted for stable incrond usage + touch /var/www/html/.well-known/acme-challenge/.nodelete /var/www/html/.freepbx-known/.nodelete + chattr +i /var/www/html/.well-known/acme-challenge/.nodelete /var/www/html/.freepbx-known/.nodelete + # install incrond + [ -f /etc/redhat-release ] && { + yum -y install incron + systemctl enable incrond + systemctl start incrond + } || { + apt-get -y install incron + systemctl enable incron + systemctl start incron + } + # monitor fpbx le web folders + echo '/var/www/html/.well-known/acme-challenge IN_CREATE,IN_DELETE "'$fullme'" "$@" "$#" "$%" "$&"' > /etc/incron.d/$me + echo '/var/www/html/.freepbx-known IN_CREATE,IN_DELETE "'$fullme'" "$@" "$#" "$%" "$&"' >> /etc/incron.d/$me + exit 0 +} + +uninstall() { + deleteRule + rm /etc/incron.d/$me +} + +main() { + echo "START Path:$1, File:$2, Event:$3" + + [ "$1" = /var/www/html/.freepbx-known ] && [ "$3" = IN_CREATE ] && addRule + [ "$1" = /var/www/html/.well-known/acme-challenge ] && [ "$3" = IN_CREATE ] && addRule + [ "$1" = /var/www/html/.well-known/acme-challenge ] && [ "$3" = IN_DELETE ] && deleteRule + + echo "END Path:$1, File:$2, Event:$3" + exit 0 +} + +[ "$1" = install ] && install +[ "$1" = remove ] && uninstall +[ "$1" = uninstall ] && uninstall +[ "$1" = deleterule ] && deleteRule +[ "$1" = deleteRule ] && deleteRule +main "$@" 2>&1 | /usr/bin/logger -t "$me[$$]"