
Updating an Nginx config file for SSL

Submitted by: @import:stackexchange-codereview

Problem

This script updates settings in the SSL config file for Nginx. I generate a DHEC key and then update the Nginx SSL file with that location. I also give the user an option through arguments to change the bit size of the key and to choose more conservative or hardened SSL cipher suites.

I don't know how to deal with the long wait on a large key, because the user might think the program froze, since it takes a long time to generate. It's dependent on the environment, of course, how long you wait. How would you deal with this, through a percentage output? I'm using a spinner at the moment, which does the same thing as the 'openssl' command does. So I will probably not use it if I can't find something that uses a line or two at most instead of continuously outputting and pushing everything off screen.

```bash
#!/bin/bash

source /etc/global.conf # load global vars
source setup/functions.sh #functions

apt_install openssl

nginx_ssl_conf=/etc/nginx/nginx-ssl.conf
DEFAULT_BIT_SIZE=2048
isHardened="false"
hardened_ciphers="'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH';"
hardened_protocol="TLSv1.2;"

DHEC_path=$STORAGE_ROOT/ssl/dhparam.pem

# Functions
update_config()
{
lineNUM=$(grep -n "$2" $1 | tail -n1 | sed 's/:.*//')
[ "$lineNUM" ] || lineNUM="$"
sed -i -r "$lineNUM s|#?(.*)|#\1\n$4\n$2 $3|" "$1"
}

ok()
{
echo -e '\e[32m'$1'\e[m';
}

spinner()
{
local pid=$1
local delay=0.75
local spinstr='|/-\'
while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
local temp=${spinstr#?}
printf " [%c] " "$spinstr"
local spinstr=$temp${spinstr%"$temp"}
sleep $delay
printf "\b\b\b\b\b\b"
done
printf " \b\b\b\b"
}

# Usage info
usage()
{
cat << EOF
Usage: ${0##*/} [-h] [-p DIR_DHEC_KEY] [-b BIT_SIZE] [-c DIR_NGINX_SSL]...
This script generates and enables DHEC for Nginx. Defaulted to 2048 key.
Hardened mode will generate 4096 key an
```

Solution

How would you deal with this, through a percentage output?

I don't know a better way. It seems fine the way you did it, using a spinner.

Quoting

The quoting is unnecessary here:

```bash
isHardened="false"
```

You can safely write this simply as:

```bash
isHardened=false
```

Here, on the other hand, you should quote $1:

```bash
lineNUM=$(grep -n "$2" $1 | tail -n1 | sed 's/:.*//')
```

And you could use sed to include what tail does:

```bash
lineNUM=$(grep -n "$2" "$1" | sed -ne '$s/:.*//p')
```

Prefer [[ ... ]] instead of [ ... ]

```bash
[ "$lineNUM" ] || lineNUM="$"
```

[ ... ] is obsolete, unless you require POSIX compatibility. Using [[ ... ]] is recommended, and it lets you simplify the quoting:

```bash
[[ $lineNUM ]] || lineNUM="$"
```

Don't use echo for non-trivial things

Avoid using echo with any of its flags, like -e, because it's not portable. You also don't need the trailing ; here:

```bash
echo -e '\e[32m'$1'\e[m';
```

It's better to rewrite using printf:

```bash
printf '\e[32m%s\e[m\n' "$1"
```

Simplify logic

You evaluate -z "${BIT_SIZE}" twice, unnecessarily:

```bash
if [ -z "${BIT_SIZE}" -a "true" == ${isHardened} ]; then
    BIT_SIZE=4096
elif [ -z "${BIT_SIZE}" ]; then
    BIT_SIZE=$DEFAULT_BIT_SIZE
fi
```

You can simplify the logic, and using [[ ... ]] also helps:

```bash
if [[ ! $BIT_SIZE ]]; then
    if [[ $isHardened = true ]]; then
        BIT_SIZE=4096
    else
        BIT_SIZE=$DEFAULT_BIT_SIZE
    fi
fi
```

Formatting

The formatting is strange here, and it makes your script harder to read:

```bash
if [ ! -f $DHEC_path ]; then
  # Generate a 4096 bit random parameter for DH elliptic curves.
  # Generated by OpenSSL with the following command:
  #   openssl dhparam -outform pem -out dhparam.pem 2048
  #   openssl dhparam -outform pem -out dhparam.pem 4096
   ( openssl dhparam -outform pem -out $DHEC_path $BIT_SIZE) &
    spinner $!
fi
        update_config $nginx_ssl_conf ssl_dhparam $DHEC_path';' "#Path to DHEC key"
```

Write like this instead:

```bash
if [[ ! -f $DHEC_path ]]; then
    # Generate a 4096 bit random parameter for DH elliptic curves.
    # Generated by OpenSSL with the following command:
    #   openssl dhparam -outform pem -out dhparam.pem 2048
    #   openssl dhparam -outform pem -out dhparam.pem 4096
    (openssl dhparam -outform pem -out $DHEC_path $BIT_SIZE) &
    spinner $!
fi
update_config $nginx_ssl_conf ssl_dhparam $DHEC_path';' "#Path to DHEC key"
```
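
Putting the answer's advice together, as an added example that is neither the original poster's script nor the answer's code: update_config rewritten with quoted expansions, [[ ... ]] and sed picking the last match, plus two safeguards the posted version lacks (sed metacharacters in the inserted text are escaped, and an absent key is appended instead of commenting out the file's last line). The config content, paths and the demo/active_value helpers are constructed for this example.

```bash
#!/bin/bash
# Added example, not the original poster's script: update_config along the lines
# of the answer (quoted expansions, [[ ... ]], sed picking the last match), plus
# two safeguards: sed metacharacters in the inserted text are escaped, and a
# missing key is appended instead of commenting out the file's last line.
# Paths and config content below are constructed for the demo.

# Escape the characters that are special in a sed replacement with '|' delimiter.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[|&\\]/\\&/g'
}

# update_config FILE KEY VALUE COMMENT
# Comments out the last existing KEY line (commented or not) and inserts COMMENT
# and "KEY VALUE" after it; appends both at end of file when KEY is not present.
update_config() {
    local file=$1 key=$2 value=$3 comment=$4 lineNUM
    lineNUM=$(grep -nE "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file" | sed -ne '$s/:.*//p')
    if [[ $lineNUM ]]; then
        sed -i -r "${lineNUM} s|#?(.*)|#\1\n$(sed_escape "$comment")\n$key $(sed_escape "$value")|" "$file"
    else
        printf '%s\n%s %s\n' "$comment" "$key" "$value" >> "$file"
    fi
}

# active_value FILE KEY: value of the last uncommented KEY directive (empty if none).
active_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Build a constructed nginx-ssl.conf in a temp dir, apply two updates, print its path.
demo() {
    local dir conf
    dir=$(mktemp -d) || return 1
    conf=$dir/nginx-ssl.conf
    cat > "$conf" <<'EOF'
ssl_protocols TLSv1.2;
ssl_dhparam /etc/ssl/old-dhparam.pem;
ssl_prefer_server_ciphers on;
EOF
    # Existing directive: the old line stays, commented out, with the new one after it.
    update_config "$conf" ssl_dhparam '/var/lib/ssl/dhparam.pem;' '# Path to DHEC key'
    # Absent directive: appended at the end rather than clobbering the last line.
    update_config "$conf" ssl_ciphers "'ECDH+AESGCM256:DH+AESGCM256';" '# Hardened cipher suites'
    printf '%s\n' "$conf"
}

conf=$(demo) && cat "$conf"
```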


Context

StackExchange Code Review Q#63456, answer score: 4
