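#!/bin/bash
# Comprehensive diagnostic script for SSLH Multiplex Lab
# This script checks configurations, services, and connectivity:
#   1. sslh config            5. local connectivity probes
#   2. nginx config           6. systemd override for sslh
#   3. certificates           7. cloud-init log tail
#   4. service status         8. all listening TCP ports
#
# Run as root: /etc/letsencrypt, private-key permissions and the process
# names shown by `ss -p` are only visible to root. The report goes to
# stdout; nothing on the host is modified.

# Deliberately no `set -e`: every probe is best-effort and a failure is a
# finding to print, not a reason to abandon the remaining sections (with
# -e a failing `nginx -t` or an empty `ss | grep` aborted the report).
set -u

readonly SSLH_CFG=/etc/sslh.cfg
readonly NGINX_SITES_AVAILABLE=/etc/nginx/sites-available
readonly NGINX_SITES_ENABLED=/etc/nginx/sites-enabled
readonly SSLH_PROXY_SITE="$NGINX_SITES_AVAILABLE/sslh-proxy"
readonly ACME_SITE="$NGINX_SITES_AVAILABLE/acme-challenge"
readonly LE_LIVE=/etc/letsencrypt/live
readonly SNAKEOIL_CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem
readonly SSLH_OVERRIDE=/etc/systemd/system/sslh.service.d/override.conf
readonly CLOUD_INIT_LOG=/var/log/cloud-init.log
# Certificates expiring within this many days are flagged in section 3.
readonly CERT_WARN_DAYS=30
# Ports the lab wires together: sslh on 443 hands HTTPS to nginx on 8444.
readonly SSLH_PORT=443
readonly NGINX_HTTPS_PORT=8444
readonly NGINX_HTTP_PORT=80

#######################################
# Output helpers: full-width rule, numbered section header, sub-heading.
# They reproduce the original report layout.
#######################################
rule() { printf '%s\n' "=========================================="; }
section() { printf '\n=== %s ===\n' "$1"; }
sub() { printf -- '--- %s ---\n' "$1"; }

#######################################
# Print a file under a sub-heading, or a "not found" line if it is absent.
# Arguments: $1 - path
#            $2 - sub-heading text
#            $3 - severity word for the missing case (default ERROR)
# Returns:   0 if the file exists, 1 otherwise
#######################################
show_file() {
  local path=$1 heading=$2 severity=${3:-ERROR}
  if [[ -f "$path" ]]; then
    sub "$heading"
    cat -- "$path"
    echo ""
    return 0
  fi
  echo "$severity: $path not found!"
  return 1
}

#######################################
# Print the argument of the first active (uncommented) nginx directive.
# Arguments: $1 - directive name (e.g. ssl_certificate)
#            $2 - nginx config file
# Outputs:   the argument with its trailing ';' removed, or nothing
#######################################
nginx_directive() {
  local name=$1 file=$2
  # Comparing the first field skips "# ssl_certificate ..." lines, which a
  # plain `grep "ssl_certificate "` would have picked up.
  awk -v want="$name" '$1 == want { sub(/;$/, "", $2); print $2; exit }' "$file"
}

#######################################
# Report whether a file named by an nginx directive exists.
# Arguments: $1 - label (Certificate / Key)
#            $2 - path; an empty path prints nothing
#######################################
check_path() {
  local label=$1 path=$2
  [[ -n "$path" ]] || return 0
  if [[ -f "$path" ]]; then
    echo "  $label file EXISTS: $path"
  else
    echo "  ERROR: $label file MISSING: $path"
  fi
}

#######################################
# Run a connectivity probe, show the head of its combined output and judge
# it by the probe's own exit status. (Piping the probe straight into `head`
# and testing that pipeline reports every probe as RESPONDING, because the
# status seen is head's.)
# Arguments: $1 - label, $2 - max output lines, $3 - timeout in seconds,
#            rest - the probe command and its arguments
#######################################
probe() {
  local label=$1 max_lines=$2 secs=$3
  shift 3
  local out rc=0
  out=$(timeout "$secs" "$@" 2>&1) || rc=$?
  printf '%s\n' "$out" | head -n "$max_lines"
  if (( rc == 0 )); then
    echo "$label: RESPONDING"
  else
    echo "$label: NOT RESPONDING or ERROR (exit $rc)"
  fi
}

#######################################
# Describe one certificate lineage under /etc/letsencrypt/live.
# Arguments: $1 - lineage directory (trailing slash allowed)
#######################################
report_lineage() {
  local dir=${1%/}
  local cert="$dir/fullchain.pem" key="$dir/privkey.pem" mode
  echo "  Domain: ${dir##*/}"
  echo "  Path: $dir"
  if [[ -f "$cert" ]]; then
    echo "  fullchain.pem: EXISTS"
    # -L: entries in live/ are normally symlinks into archive/; without it
    # stat describes the link rather than the certificate.
    echo "  Size: $(stat -L -c%s "$cert" 2>/dev/null || stat -L -f%z "$cert" 2>/dev/null) bytes"
    echo "  Certificate info:"
    openssl x509 -in "$cert" -noout -subject -issuer -dates 2>/dev/null \
      || echo "  Could not read certificate"
    # -checkend exits non-zero when the certificate expires inside the window.
    if openssl x509 -in "$cert" -noout -checkend $((CERT_WARN_DAYS * 86400)) >/dev/null 2>&1; then
      echo "  Expiry: more than $CERT_WARN_DAYS days remaining"
    else
      echo "  WARNING: expires within $CERT_WARN_DAYS days (or unreadable) - check renewal"
    fi
  else
    echo "  fullchain.pem: MISSING"
  fi
  if [[ -f "$key" ]]; then
    echo "  privkey.pem: EXISTS"
    # Same -L reasoning: an un-dereferenced stat reports the symlink's own
    # 777 mode, which says nothing about who can read the key.
    mode=$(stat -L -c%a "$key" 2>/dev/null || stat -L -f%OLp "$key" 2>/dev/null)
    echo "  Permissions: ${mode:-unknown}"
    # Last octal digit is the "other" class; anything but 0 exposes the key.
    if [[ -n "$mode" && "${mode: -1}" != 0 ]]; then
      echo "  WARNING: privkey.pem is readable by other users (mode $mode)"
    fi
  else
    echo "  privkey.pem: MISSING"
  fi
  echo ""
}

main() {
  rule
  echo "SSLH Multiplex Lab - Comprehensive Diagnostics"
  rule
  if (( EUID != 0 )); then
    echo "WARNING: not running as root - certificate, key-permission and ss -p process details will be incomplete"
  fi

  section "1. Domain Configuration"
  if [[ -f "$SSLH_CFG" ]]; then
    echo "SSLH Config File: $SSLH_CFG"
    sub "SSLH Configuration"
    cat -- "$SSLH_CFG"
    echo ""
    sub "Checking for domain references"
    grep -iE 'domain|hostname|server_name' -- "$SSLH_CFG" \
      || echo "No domain references found in SSLH config"
  else
    echo "ERROR: $SSLH_CFG not found!"
  fi

  section "2. Nginx Configuration"
  sub "Nginx Sites Available"
  ls -la -- "$NGINX_SITES_AVAILABLE/" 2>/dev/null || echo "No sites-available directory"
  echo ""
  sub "Nginx Sites Enabled"
  ls -la -- "$NGINX_SITES_ENABLED/" 2>/dev/null || echo "No sites-enabled directory"
  echo ""
  if show_file "$SSLH_PROXY_SITE" "sslh-proxy Configuration" ERROR; then
    sub "Checking for domain/server_name"
    grep -iE 'server_name|domain' -- "$SSLH_PROXY_SITE" || echo "No server_name found"
  fi
  echo ""
  show_file "$ACME_SITE" "acme-challenge Configuration" WARNING
  echo ""
  sub "Nginx Configuration Test"
  # A failing config test is itself a finding; keep going.
  nginx -t 2>&1 || echo "WARNING: nginx -t reported errors (see above)"

  section "3. Let's Encrypt / Certificates"
  if [[ -d "$LE_LIVE" ]]; then
    echo "Let's Encrypt directory exists"
    sub "Domains with certificates"
    local lineage
    for lineage in "$LE_LIVE"/*/; do
      # An unmatched glob leaves the literal pattern; the -d test drops it.
      [[ -d "$lineage" ]] && report_lineage "$lineage"
    done
  else
    echo "Let's Encrypt directory NOT FOUND"
    echo "Checking for self-signed certificates..."
    if [[ -f "$SNAKEOIL_CERT" ]]; then
      echo "  Self-signed certificate found: $SNAKEOIL_CERT"
    else
      echo "  No self-signed certificate found either"
    fi
  fi
  echo ""
  sub "Certbot Status"
  if command -v certbot >/dev/null 2>&1; then
    echo "Certbot is installed"
    certbot --version 2>&1
    echo ""
    sub "Certbot Certificates List"
    certbot certificates 2>&1 || echo "Could not list certificates"
  else
    echo "Certbot is NOT installed"
  fi
  echo ""
  sub "Checking Nginx SSL Certificate Configuration"
  if [[ -f "$SSLH_PROXY_SITE" ]]; then
    echo "SSL certificate paths in nginx config:"
    grep -E 'ssl_certificate|ssl_certificate_key' -- "$SSLH_PROXY_SITE" \
      || echo "No SSL certificate directives found"
    echo ""
    echo "Verifying certificate files exist:"
    check_path Certificate "$(nginx_directive ssl_certificate "$SSLH_PROXY_SITE")"
    check_path Key "$(nginx_directive ssl_certificate_key "$SSLH_PROXY_SITE")"
  fi

  section "4. Service Status"
  sub "SSLH Service"
  systemctl status sslh --no-pager -l | head -n 15
  echo ""
  if systemctl is-active --quiet sslh; then
    echo "SSLH is RUNNING"
    echo "SSLH process:"
    # Matches the process name only, so this script's own command line
    # (which `ps aux | grep sslh` could match) is not reported.
    pgrep -a sslh || echo "No sslh process found"
    echo ""
    echo "SSLH listening ports:"
    ss -tlnp | grep sslh || echo "No sslh listening ports found"
  else
    echo "SSLH is NOT RUNNING"
    echo "Recent SSLH logs:"
    journalctl -u sslh -n 30 --no-pager
  fi
  echo ""
  sub "Nginx Service"
  systemctl status nginx --no-pager -l | head -n 15
  echo ""
  if systemctl is-active --quiet nginx; then
    echo "Nginx is RUNNING"
    echo "Nginx listening ports:"
    ss -tlnp | grep nginx || echo "No nginx listening ports found"
  else
    echo "Nginx is NOT RUNNING"
    echo "Recent Nginx logs:"
    journalctl -u nginx -n 30 --no-pager
  fi
  echo ""
  sub "SSH Service"
  systemctl status sshd --no-pager -l | head -n 10
  echo ""

  section "5. Connectivity Tests"
  sub "Testing Nginx on port $NGINX_HTTPS_PORT (HTTPS)"
  # -k: the probe targets 127.0.0.1, so the certificate name can never
  # match; this checks reachability only. Certificate validity is covered
  # by section 3.
  probe "Nginx HTTPS ($NGINX_HTTPS_PORT)" 20 3 curl -k -v "https://127.0.0.1:$NGINX_HTTPS_PORT/"
  echo ""
  sub "Testing Nginx on port $NGINX_HTTP_PORT (HTTP)"
  probe "Nginx HTTP ($NGINX_HTTP_PORT)" 20 3 curl -v "http://127.0.0.1:$NGINX_HTTP_PORT/"
  echo ""
  sub "Testing SSLH -> Nginx connection"
  # Plain TCP connect through bash's /dev/tcp pseudo-device (no nc needed);
  # the port is a script constant, not user input.
  if timeout 2 bash -c ": </dev/tcp/127.0.0.1/$NGINX_HTTPS_PORT" 2>/dev/null; then
    echo "SSLH can reach Nginx on $NGINX_HTTPS_PORT: YES"
  else
    echo "SSLH can reach Nginx on $NGINX_HTTPS_PORT: NO (connection refused)"
  fi
  echo ""
  sub "Testing SSLH on port $SSLH_PORT"
  # stdin from /dev/null so s_client closes right after the handshake
  # instead of waiting for input.
  probe "SSLH port $SSLH_PORT" 30 3 \
    openssl s_client -connect "127.0.0.1:$SSLH_PORT" -servername localhost </dev/null
  echo ""

  section "6. Systemd Override for SSLH"
  if [[ -f "$SSLH_OVERRIDE" ]]; then
    echo "SSLH systemd override EXISTS:"
    cat -- "$SSLH_OVERRIDE"
  else
    echo "SSLH systemd override: NOT FOUND"
  fi

  section "7. Cloud-init Logs (Last 50 lines)"
  if [[ -f "$CLOUD_INIT_LOG" ]]; then
    tail -n 50 -- "$CLOUD_INIT_LOG"
  else
    echo "Cloud-init log not found"
  fi

  section "8. All Listening Ports"
  # -tl already restricts to listening TCP sockets; the grep drops ss's
  # header line. The fallback keeps the report from ending early.
  ss -tlnp | grep LISTEN || echo "No listening TCP sockets reported"
  echo ""
  rule
  echo "Diagnostics Complete"
  rule
}

main "$@"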