From 6aba7b79355986a88a67b6f1dffdf097e12be724 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 18 Sep 2020 12:04:31 +0200 Subject: [PATCH] create open_port function to automatically open ports over upnp (#1469) Co-authored-by: szaimen --- apps/bitwarden-rs.sh | 16 ++++++++--- apps/collabora_docker.sh | 17 +++++++++++- apps/onlyoffice_docker.sh | 17 +++++++++++- apps/talk.sh | 18 +++++++++---- apps/talk_signaling.sh | 43 ++++++++++++++++++++--------- apps/tmbitwarden.sh | 19 ++++++++++++- lets-encrypt/activate-tls.sh | 52 ++++++++++++++++++------------------ lib.sh | 20 ++++++++++++++ 8 files changed, 153 insertions(+), 49 deletions(-) diff --git a/apps/bitwarden-rs.sh b/apps/bitwarden-rs.sh index 7bc1c2e3..39730ef0 100644 --- a/apps/bitwarden-rs.sh +++ b/apps/bitwarden-rs.sh @@ -64,11 +64,21 @@ SUBDOMAIN=$(input_box_flow "Please enter the Domain that you want to use for Bit # shellcheck source=lib.sh . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) -msg_box "Please make sure that you have you have edited the dns-settings of your domain and open ports 80 and 443." +msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 directly to this servers IP. A full exstensive guide can be found here: +https://www.techandme.se/open-port-80-443 -if ! yesno_box_yes "Have you made the necessary preparations?" +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step. + +PLEASE NOTE: +Using other ports than the default 80 and 443 is not supported, though it may be possible with some custom modification: +https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17" + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" then - exit + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port fi # Check if $SUBDOMAIN exists and is reachable 
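Review bot: The notification text and the `if yesno_box_no … open_port 80 TCP … open_port 443 TCP … cleanup_open_port` block are pasted verbatim into six scripts in this commit (this hunk, collabora_docker.sh, onlyoffice_docker.sh, talk_signaling.sh @@ -225, tmbitwarden.sh @@ -185 and activate-tls.sh), typos included: "you have you have", "exstensive", "this servers IP", and "UNNP" where the prompt on the next line spells it "UPNP" (the protocol is UPnP). A single lib.sh helper taking the domain, e.g. `open_ports_80_443 "$SUBDOMAIN"` wrapping the message, the prompt and the FAIL handling, would keep the wording in one place and fix the typos once. In this script the previous "Have you made the necessary preparations?" exit path is gone, so a user who is not ready can no longer back out before the reachability check that follows the hunk; that may be intended, but the message still says "Before continuing, please make sure", so it reads as if declining were possible.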
diff --git a/apps/collabora_docker.sh b/apps/collabora_docker.sh index 7142753e..95c842b1 100644 --- a/apps/collabora_docker.sh +++ b/apps/collabora_docker.sh @@ -162,8 +162,23 @@ NCDOMAIN_ESCAPED=${NCDOMAIN//[.]/\\\\.} nc_update # Notification -msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!" +msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 directly to this servers IP. A full exstensive guide can be found here: +https://www.techandme.se/open-port-80-443 +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step. + +PLEASE NOTE: +Using other ports than the default 80 and 443 is not supported, though it may be possible with some custom modification: +https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17" + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" +then + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port +fi + # Get the latest packages apt update -q4 & spinner_loading diff --git a/apps/onlyoffice_docker.sh b/apps/onlyoffice_docker.sh index 5f8ec87a..11feee52 100644 --- a/apps/onlyoffice_docker.sh +++ b/apps/onlyoffice_docker.sh 
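Review bot: A failed or declined UPnP attempt is not acted on here: open_port only sets FAIL, cleanup_open_port only purges the package, and the script then continues straight to `apt update` and the Collabora installation with the ports possibly still closed; unless a later check exists outside the hunk, a `check_open_port 80 "$SUBDOMAIN"` and `check_open_port 443 "$SUBDOMAIN"` (or a `domain_check_200 "$SUBDOMAIN"`, as bitwarden-rs.sh has right after its block) should follow the `fi`. The same applies to the identical block in onlyoffice_docker.sh. The message also interpolates `$SUBDOMAIN`, which neither hunk shows being set while the header context here names `NCDOMAIN`; confirm that `SUBDOMAIN` already holds the Collabora subdomain at this point, otherwise the dialog prints an empty name.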
@@ -175,7 +175,22 @@ true nc_update # Notification -msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!" +msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 directly to this servers IP. A full exstensive guide can be found here: +https://www.techandme.se/open-port-80-443 + +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step. + +PLEASE NOTE: +Using other ports than the default 80 and 443 is not supported, though it may be possible with some custom modification: +https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17" + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" +then + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port +fi # Get the latest packages apt update -q4 & spinner_loading diff --git a/apps/talk.sh b/apps/talk.sh index 0978184e..68606d07 100644 --- a/apps/talk.sh +++ b/apps/talk.sh @@ -41,7 +41,7 @@ then choice=$(whiptail --title "$TITLE" --menu "It seems like 'Nextcloud Talk' is already installed.\nChoose what you want to do." "$WT_HEIGHT" "$WT_WIDTH" 4 \ "Reinstall Nextcloud Talk" "" \ "Uninstall Nextcloud Talk" "" 3>&1 1>&2 2>&3) - + case "$choice" in "Uninstall Nextcloud Talk") print_text_in_color "$ICyan" "Uninstalling Nextcloud Talk and resetting all settings..." 
@@ -151,11 +151,19 @@ check_command systemctl restart coturn.service # Warn user to open port msg_box "You have to open $TURN_PORT TCP/UDP in your firewall or your TURN/STUN server won't work! -After you hit OK the script will check for the firewall and eventually exit on failure. -To run again the setup, after fixing your firewall: -sudo -sLO $APP/talk.sh -sudo bash talk.sh" +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step." + +After you hit OK, the script will check if the port is open or not. If it fails and you want to run this script again, just execute this in your CLI: +sudo bash /var/scripts/menu.sh, and choose 'Talk'. + +if yesno_box_no "Do you want to use UPNP to open port $TURN_PORT?" +then + unset FAIL + open_port "$TURN_PORT" TCP + open_port "$TURN_PORT" UDP + cleanup_open_port +fi # Check if the port is open check_open_port "$TURN_PORT" "$TURN_DOMAIN" diff --git a/apps/talk_signaling.sh b/apps/talk_signaling.sh index a68ead3b..14d2c723 100644 --- a/apps/talk_signaling.sh +++ b/apps/talk_signaling.sh 
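Review bot: The closing quote of the msg_box is placed after "in the next step." so the two following lines are outside the string and are executed as commands: `After you hit OK, …` fails with "command not found", and `sudo bash /var/scripts/menu.sh, and choose 'Talk'.` really invokes sudo bash on the non-existent path `/var/scripts/menu.sh,` with the rest as arguments. Move the quote to the end of the last line, i.e. `sudo bash /var/scripts/menu.sh, and choose 'Talk'."`, and remove it from the "next step" line. The same misplaced quote is in talk_signaling.sh @@ -173. The `check_open_port "$TURN_PORT" "$TURN_DOMAIN"` below still runs, so the promise that the script "will check if the port is open" holds once the text is inside the string.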
@@ -173,10 +173,19 @@ check_command systemctl restart coturn.service # Warn user to open port msg_box "You have to open $TURN_PORT TCP/UDP in your firewall or your TURN/STUN server won't work! -After you hit OK the script will check for the firewall and eventually exit on failure. -To run again the setup, after fixing your firewall: -sudo -sLO $APP/talk_signaling.sh -sudo bash talk_signaling.sh" + +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step." + +After you hit OK, the script will check if the port is open or not. If it fails and you want to run this script again, just execute this in your CLI: +sudo bash /var/scripts/menu.sh, and choose 'Talk'. + +if yesno_box_no "Do you want to use UPNP to open port $TURN_PORT?" +then + unset FAIL + open_port "$TURN_PORT" TCP + open_port "$TURN_PORT" UDP + cleanup_open_port +fi # Check if the port is open check_open_port "$TURN_PORT" "$TURN_DOMAIN" 
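Review bot: The new instruction `sudo bash /var/scripts/menu.sh, and choose 'Talk'.` is copied from talk.sh, but this is the signaling installer; if the menu entry that re-runs talk_signaling.sh is not the one named 'Talk' (the hunk does not show the menu), a user is sent to the wrong script after a failed port check, so name the entry that actually launches this script. The previous message named the exact file to re-run (`sudo bash talk_signaling.sh`), which was unambiguous; keeping the file name next to the menu hint would avoid the question.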
@@ -225,6 +234,24 @@ SUBDOMAIN=$(input_box_flow "Talk Signaling Server subdomain e.g: talk.yourdomain # shellcheck source=lib.sh . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +# Notification +msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 directly to this servers IP. A full exstensive guide can be found here: +https://www.techandme.se/open-port-80-443 + +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step. + +PLEASE NOTE: +Using other ports than the default 80 and 443 is not supported, though it may be possible with some custom modification: +https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17" + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" +then + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port +fi + # Check if $SUBDOMAIN exists and is reachable print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..." domain_check_200 "$SUBDOMAIN" @@ -303,14 +330,6 @@ check_command systemctl enable signaling # Apache Proxy # https://github.com/strukturag/nextcloud-spreed-signaling#apache -# Check if $SUBDOMAIN exists and is reachable -print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..." -domain_check_200 "$SUBDOMAIN" - -# Check open ports with NMAP -check_open_port 80 "$SUBDOMAIN" -check_open_port 443 "$SUBDOMAIN" - # Install Apache2 install_if_not apache2 diff --git a/apps/tmbitwarden.sh b/apps/tmbitwarden.sh index 7e725889..94ae1850 100644 --- a/apps/tmbitwarden.sh +++ b/apps/tmbitwarden.sh 
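Review bot: With the second hunk (@@ -303) the `check_open_port 80 "$SUBDOMAIN"` and `check_open_port 443 "$SUBDOMAIN"` calls are removed and nothing in the new block replaces them: open_port's failure only sets FAIL, and a user who answers No to the UPnP prompt skips the block entirely, so unless a port check exists outside these hunks the script now proceeds to the Apache and certificate steps without ever verifying that 80 and 443 reach this host. Keeping the two `check_open_port` lines after the `fi`, next to the `domain_check_200 "$SUBDOMAIN"` that stays as context, restores that verification. If the removal was deliberate because `domain_check_200` is considered sufficient, say so in the comment above it.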
@@ -56,7 +56,7 @@ It's a good idea to read that before you start this script. Please also report any issues regarding this script setup to $ISSUES" msg_box "The necessary preparations to run expose Bitwarden to the internet are: -1. Please open port 443 and 80 and point to this server. +1. Please open port 443 and 80 and point to this server. (You will be asked if you want to use UPNP to open those ports automatically in the next step.) 2. Please create a DNS record for your subdomain and point that to this server. 3. Raise the amount of RAM to this server to at least 4 GB." @@ -185,6 +185,23 @@ check_command sudo -u "$BITWARDEN_USER" ./bitwarden.sh updatedb # Produce reverse-proxy config and get lets-encrypt certificate msg_box "We'll now setup the Apache Proxy that will act as TLS front for your Bitwarden installation." +msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 directly to this servers IP. A full exstensive guide can be found here: +https://www.techandme.se/open-port-80-443 + +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step. + +PLEASE NOTE: +Using other ports than the default 80 and 443 is not supported, though it may be possible with some custom modification: +https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17" + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" +then + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port +fi + # Curl the lib another time to get the correct HTTPS_CONF # shellcheck source=lib.sh . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) diff --git a/lets-encrypt/activate-tls.sh b/lets-encrypt/activate-tls.sh index 3078869f..9c2c71f2 100644 --- a/lets-encrypt/activate-tls.sh +++ b/lets-encrypt/activate-tls.sh 
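Review bot: The text added at @@ -56 tells the user the UPnP offer comes "in the next step", but the prompt is only reached at @@ -185, after the Bitwarden download, installation and `updatedb` steps have run; a user who expects it immediately will either open the ports by hand anyway or sit waiting for a dialog. Say when it actually happens: `(You will be asked if you want to use UPNP to open those ports automatically later in this script, right before the Apache proxy is set up.)`. At @@ -185 the new msg_box also directly follows the "We'll now setup the Apache Proxy" msg_box, two modal dialogs in a row that could be merged into one.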
@@ -17,53 +17,53 @@ debug_mode root_check # Information -msg_box "Important! Please read this: +# Information +msg_box "Before we begin the installation of your TLS certificate you need to: -This script will install TLS from Let's Encrypt. -It's free of charge, and very easy to maintain. +1. Have a domain like: cloud.example.com +If you want to get a domain at a fair price, please check this out: https://store.binero.se/?lang=en-US -Before we begin the installation you need to have -a domain that the TLS certs will be valid for. -If you don't have a domain yet, get one before -you run this script! - -You also have to open port 80+443 against this VMs -IP address: $ADDRESS - do this in your router/FW. +2. Open port 80 and 443 against this VMs IP address: $ADDRESS. Here is a guide: https://goo.gl/Uyuf65 +It's also possible automatically open ports with UPNP, if you have that enabled in your firewall/router. -You can find the script here: $SCRIPTS/activate-tls.sh -and you can run it after you got a domain. - -Please don't run this script if you don't have -a domain yet. You can get one for a fair price here: -https://store.binero.se/?lang=en-US" +PLEASE NOTE: +This script can be run again by executing: sudo bash $SCRIPTS/menu.sh, and choose 'Server Configuration' --> 'Activate TLS'" if ! yesno_box_yes "Are you sure you want to continue?" then -msg_box "OK, but if you want to run this script later, -just type: sudo bash $SCRIPTS/activate-tls.sh" +msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'" exit fi -if ! yesno_box_yes "Have you forwarded port 80+443 in your router?" +if ! yesno_box_yes "Have you opened port 80 and 443 in your router, or are you using UPNP?" 
then -msg_box "OK, but if you want to run this script later, -just type: sudo bash /var/scripts/activate-tls.sh" +msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'" exit fi -if yesno_box_yes "Do you have a domain that you will use?" +if ! yesno_box_yes "Do you have a domain that you will use?" then - sleep 1 -else -msg_box "OK, but if you want to run this script later, -just type: sudo bash /var/scripts/activate-tls.sh" +msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'" exit fi # Nextcloud Main Domain (activate-tls.sh) TLSDOMAIN=$(input_box_flow "Please enter the domain name you will use for Nextcloud.\n\nMake sure it looks like this:\nyourdomain.com, or cloud.yourdomain.com") +msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $TLSDOMAIN, and opened port 80 and 443 directly to this servers IP. A full exstensive guide can be found here: +https://www.techandme.se/open-port-80-443 + +This can be done automatically if you have UNNP enabled in your firewall/router. You will be offered to use UNNP in the next step." + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" +then + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port +fi + # Curl the lib another time to get the correct https_conf # shellcheck source=lib.sh . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) diff --git a/lib.sh b/lib.sh index 05f5d2f3..a545ba41 100644 --- a/lib.sh +++ b/lib.sh 
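Review bot: The "run this script later" instructions are inconsistent within the same hunk: the first msg_box uses `$SCRIPTS/menu.sh` while the three "OK, but if you want to run this script later" messages hardcode `/var/scripts/menu.sh`; since `$SCRIPTS` is already in scope here, `sudo bash $SCRIPTS/menu.sh` in all three keeps them correct if the scripts directory ever changes. The user is also asked twice about the same decision: first "Have you opened port 80 and 443 in your router, or are you using UPNP?" (exit on No) and then, after entering the domain, "Do you want to use UPNP to open port 80 and 443?" with a No default, so someone who answered the first question with UPnP in mind must remember to flip the second, and the two prompts could be collapsed into one. This hunk's first message also points to https://goo.gl/Uyuf65 as the port-forwarding guide while the new message below points to https://www.techandme.se/open-port-80-443; one link would do, and the typos "you have you have", "exstensive" and "UNNP" are repeated here.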
@@ -698,6 +698,26 @@ fi restart_webserver } +# Use like this: open_port 443 TCP +# or e.g. open_port 3478 UDP +open_port() { + install_if_not miniupnpc + print_text_in_color "$ICyan" "Trying to open port $1 automatically..." + if ! upnpc -a "$ADDRESS" "$1" "$1" "$2" &>/dev/null + then + msg_box "Failed to open port $1 $2 automatically. You have to do this manually." + FAIL=1 + fi +} + +cleanup_open_port() { + if [ -n "$FAIL" ] + then + apt-get purge miniupnpc -y + apt autoremove -y + fi +} + # Check if port is open # check_open_port 443 domain.example.com check_open_port() { print_text_in_color "$ICyan" "Checking if port ${1} is open with https://www.networkappers.com/tools/open-port-checker..."
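Review bot: open_port discards upnpc's output with `&>/dev/null`, so when the router refuses the mapping the only diagnostic the user gets is "Failed to open port", and on success nothing records which mapping was created: there is no counterpart that removes it (upnpc's delete operation is never used), so a mapping added on the router outlives the script, and miniupnpc stays installed on the success path since cleanup_open_port only purges when FAIL is set. Both facts belong in the header comment, together with the implicit contract that every caller must `unset FAIL` before the first call and run cleanup_open_port after the last. cleanup_open_port also purges miniupnpc whenever FAIL is set even if the package was present before install_if_not ran (presumably it only installs when missing — verify), which removes a package the user already had, and it mixes `apt-get purge` with `apt autoremove`. The version below validates its two arguments, keeps upnpc's output for the failure dialog and documents the contract; the success path is otherwise unchanged.
```shell
# Open port $1 ($2 = TCP or UDP) on the router via UPnP (upnpc from miniupnpc),
# forwarded to this machine's $ADDRESS. Sets the global FAIL=1 on failure.
# Contract: callers 'unset FAIL' before the first call and run
# cleanup_open_port after the last one. The mapping is NOT removed by any
# function in this file; it stays on the router until removed by hand.
open_port() {
    local port=$1 proto=$2 output
    if [[ ! "$port" =~ ^[0-9]+$ ]] || [[ "$proto" != TCP && "$proto" != UDP ]]
    then
        msg_box "open_port: invalid port '$port' or protocol '$proto' (expected TCP or UDP)."
        FAIL=1
        return 1
    fi
    install_if_not miniupnpc
    print_text_in_color "$ICyan" "Trying to open port $port $proto automatically..."
    # Keep upnpc's output: it is the only explanation when the router refuses the mapping.
    if ! output=$(upnpc -a "$ADDRESS" "$port" "$port" "$proto" 2>&1)
    then
        msg_box "Failed to open port $port $proto automatically. You have to do this manually.

$output"
        FAIL=1
    fi
}
# … unchanged: cleanup_open_port …
```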