CODEWITHSUNDEEP
phpbashsslssh
John
John

Reputation: 27

How to make a bash script execute via nginx/php

My goal is to make a way to automatically generate SSL certs for people who want to add their site to my CDN service (https://hostcloak.com)

Here is the script that works via SSH, but not when I try to execute it via php

exec("sudo sh /var/autossl $domain 2>&1", $output);

Here is the bash script:

#!/bin/bash

domain=$1

# Set up config file.
cat > /etc/nginx/sites/$domain.conf <<EOF
server {
    listen 80;
    server_name *.$domain;
    root         /var/www/$domain;
}
EOF

nginx -s reload

#########################################

set -o nounset
set -o errexit

mkdir -p /var/www/$domain

# Set up config file.
mkdir -p /etc/letsencrypt
cat > /etc/letsencrypt/cli.ini <<EOF
# Uncomment to use the staging/testing server - avoids rate limiting.
# server = https://acme-staging.api.letsencrypt.org/directory

# Use a 4096 bit RSA key instead of 2048.
rsa-key-size = 4096

# Set email and domains.
email = [email protected]
domains = $domain

# Text interface.
text = True
# No prompts.
non-interactive = True
# Suppress the Terms of Service agreement interaction.
agree-tos = True

# Use the webroot authenticator.
authenticator = webroot
webroot-path = /var/www/$domain
EOF

# Obtain cert.
certbot-auto certonly

# Set up daily cron job.
CRON_SCRIPT="/etc/cron.daily/certbot-renew"

cat > "${CRON_SCRIPT}" <<EOF
#!/bin/bash
#
# Renew the Let's Encrypt certificate if it is time. It won't do anything if
# not.
#
# This reads the standard /etc/letsencrypt/cli.ini.
#

# May or may not have HOME set, and this drops stuff into ~/.local.
export HOME="/root"
# PATH is never what you want it it to be in cron.
export PATH="\${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

certbot-auto --no-self-upgrade certonly

# If the cert updated, we need to update the services using it. E.g.:
if service --status-all | grep -Fq 'apache2'; then
  service apache2 reload
fi
if service --status-all | grep -Fq 'httpd'; then
  service httpd reload
fi
if service --status-all | grep -Fq 'nginx'; then
  service nginx reload
fi
EOF
chmod a+x "${CRON_SCRIPT}"

#####################################

# Set up config file.
cat > /etc/nginx/sites/$domain.conf <<EOF
        server {

        listen 80;
                server_name *.$domain;
                location / {
                        proxy_set_header x-real-IP \$remote_addr;
                        proxy_set_header x-forwarded-for \$proxy_add_x_forwarded_for;
                        proxy_set_header host \$host;
                        proxy_pass http://google.com;
                        }
                }

        server {
        listen 443;
                server_name *.$domain;
                ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
                ssl on;
                ssl_session_cache builtin:1000 shared:SSL:10m;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
                ssl_prefer_server_ciphers on;
                location / {
                        proxy_set_header x-real_IP \$remote_addr;
                        proxy_set_header x-forwarded-for \$proxy_add_x_forwarded_for;
                        proxy_set_header host \$host;
                        proxy_pass http://google.com;
                }
        }
EOF

nginx -s reload

"autossl" works when directly used via ssh console, however when I try it via php's exec function, it says "command not found" for "nginx -s reload"

So my question is: How do I achieve this via PHP (it has to be automated by my website)

Upvotes: 1

Views: 3488

Answers (2)

miknik
miknik

Reputation: 5951

Think about what you are trying to do here. You are asking www-data (or whatever user account your webserver is running as) to issue a sudo command. It probably doesn't even have su privileges. Even if it did, what happens when you first try to use sudo? You have to enter your password...

You can disable password requirements on an individual basis, but I wouldn't recommend giving www-data sudo rights. Have your website add requests to a database or something and poll that every few minutes as a cron job from a user with su priveleges and have that account do the su stuff

Upvotes: 1

M. Galczynski
M. Galczynski

Reputation: 634

Quick answer: replace sh with bash in exec function or modify your script to work with sh

Explanation: you can find here, in this stackoverflow thread

Upvotes: 0

Related Questions