225 lines
7.1 KiB
Bash
Executable File
225 lines
7.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# Comprehensive diagnostic script for SSLH Multiplex Lab
|
|
# This script checks configurations, services, and connectivity
|
|
|
|
set -e
|
|
|
|
echo "=========================================="
|
|
echo "SSLH Multiplex Lab - Comprehensive Diagnostics"
|
|
echo "=========================================="
|
|
echo ""
|
|
|
|
echo "=== 1. Domain Configuration ==="
|
|
if [ -f /etc/sslh.cfg ]; then
|
|
echo "SSLH Config File: /etc/sslh.cfg"
|
|
echo "--- SSLH Configuration ---"
|
|
cat /etc/sslh.cfg
|
|
echo ""
|
|
echo "--- Checking for domain references ---"
|
|
grep -i "domain\|hostname\|server_name" /etc/sslh.cfg || echo "No domain references found in SSLH config"
|
|
else
|
|
echo "ERROR: /etc/sslh.cfg not found!"
|
|
fi
|
|
echo ""
|
|
|
|
echo "=== 2. Nginx Configuration ==="
|
|
echo "--- Nginx Sites Available ---"
|
|
ls -la /etc/nginx/sites-available/ 2>/dev/null || echo "No sites-available directory"
|
|
echo ""
|
|
|
|
echo "--- Nginx Sites Enabled ---"
|
|
ls -la /etc/nginx/sites-enabled/ 2>/dev/null || echo "No sites-enabled directory"
|
|
echo ""
|
|
|
|
if [ -f /etc/nginx/sites-available/sslh-proxy ]; then
|
|
echo "--- sslh-proxy Configuration ---"
|
|
cat /etc/nginx/sites-available/sslh-proxy
|
|
echo ""
|
|
echo "--- Checking for domain/server_name ---"
|
|
grep -i "server_name\|domain" /etc/nginx/sites-available/sslh-proxy || echo "No server_name found"
|
|
else
|
|
echo "ERROR: /etc/nginx/sites-available/sslh-proxy not found!"
|
|
fi
|
|
echo ""
|
|
|
|
if [ -f /etc/nginx/sites-available/acme-challenge ]; then
|
|
echo "--- acme-challenge Configuration ---"
|
|
cat /etc/nginx/sites-available/acme-challenge
|
|
echo ""
|
|
else
|
|
echo "WARNING: /etc/nginx/sites-available/acme-challenge not found!"
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- Nginx Configuration Test ---"
|
|
nginx -t 2>&1
|
|
echo ""
|
|
|
|
echo "=== 3. Let's Encrypt / Certificates ==="
|
|
if [ -d /etc/letsencrypt/live ]; then
|
|
echo "Let's Encrypt directory exists"
|
|
echo "--- Domains with certificates ---"
|
|
for domain_dir in /etc/letsencrypt/live/*/; do
|
|
if [ -d "$domain_dir" ]; then
|
|
domain=$(basename "$domain_dir")
|
|
echo " Domain: $domain"
|
|
echo " Path: $domain_dir"
|
|
if [ -f "$domain_dir/fullchain.pem" ]; then
|
|
echo " fullchain.pem: EXISTS"
|
|
echo " Size: $(stat -c%s "$domain_dir/fullchain.pem" 2>/dev/null || stat -f%z "$domain_dir/fullchain.pem" 2>/dev/null) bytes"
|
|
echo " Certificate info:"
|
|
openssl x509 -in "$domain_dir/fullchain.pem" -noout -subject -issuer -dates 2>/dev/null || echo " Could not read certificate"
|
|
else
|
|
echo " fullchain.pem: MISSING"
|
|
fi
|
|
if [ -f "$domain_dir/privkey.pem" ]; then
|
|
echo " privkey.pem: EXISTS"
|
|
echo " Permissions: $(stat -c%a "$domain_dir/privkey.pem" 2>/dev/null || stat -f%OLp "$domain_dir/privkey.pem" 2>/dev/null)"
|
|
else
|
|
echo " privkey.pem: MISSING"
|
|
fi
|
|
echo ""
|
|
fi
|
|
done
|
|
else
|
|
echo "Let's Encrypt directory NOT FOUND"
|
|
echo "Checking for self-signed certificates..."
|
|
if [ -f /etc/ssl/certs/ssl-cert-snakeoil.pem ]; then
|
|
echo " Self-signed certificate found: /etc/ssl/certs/ssl-cert-snakeoil.pem"
|
|
else
|
|
echo " No self-signed certificate found either"
|
|
fi
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- Certbot Status ---"
|
|
if command -v certbot >/dev/null 2>&1; then
|
|
echo "Certbot is installed"
|
|
certbot --version 2>&1 || true
|
|
echo ""
|
|
echo "--- Certbot Certificates List ---"
|
|
certbot certificates 2>&1 || echo "Could not list certificates"
|
|
else
|
|
echo "Certbot is NOT installed"
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- Checking Nginx SSL Certificate Configuration ---"
|
|
if [ -f /etc/nginx/sites-available/sslh-proxy ]; then
|
|
echo "SSL certificate paths in nginx config:"
|
|
grep -E "ssl_certificate|ssl_certificate_key" /etc/nginx/sites-available/sslh-proxy || echo "No SSL certificate directives found"
|
|
echo ""
|
|
echo "Verifying certificate files exist:"
|
|
cert_path=$(grep "ssl_certificate " /etc/nginx/sites-available/sslh-proxy | awk '{print $2}' | tr -d ';' | head -1)
|
|
key_path=$(grep "ssl_certificate_key " /etc/nginx/sites-available/sslh-proxy | awk '{print $2}' | tr -d ';' | head -1)
|
|
if [ -n "$cert_path" ]; then
|
|
if [ -f "$cert_path" ]; then
|
|
echo " Certificate file EXISTS: $cert_path"
|
|
else
|
|
echo " ERROR: Certificate file MISSING: $cert_path"
|
|
fi
|
|
fi
|
|
if [ -n "$key_path" ]; then
|
|
if [ -f "$key_path" ]; then
|
|
echo " Key file EXISTS: $key_path"
|
|
else
|
|
echo " ERROR: Key file MISSING: $key_path"
|
|
fi
|
|
fi
|
|
fi
|
|
echo ""
|
|
|
|
echo "=== 4. Service Status ==="
|
|
echo "--- SSLH Service ---"
|
|
systemctl status sslh --no-pager -l | head -15 || true
|
|
echo ""
|
|
if systemctl is-active --quiet sslh; then
|
|
echo "SSLH is RUNNING"
|
|
echo "SSLH process:"
|
|
ps aux | grep sslh | grep -v grep || echo "No sslh process found"
|
|
echo ""
|
|
echo "SSLH listening ports:"
|
|
ss -tlnp | grep sslh || echo "No sslh listening ports found"
|
|
else
|
|
echo "SSLH is NOT RUNNING"
|
|
echo "Recent SSLH logs:"
|
|
journalctl -u sslh -n 30 --no-pager || true
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- Nginx Service ---"
|
|
systemctl status nginx --no-pager -l | head -15 || true
|
|
echo ""
|
|
if systemctl is-active --quiet nginx; then
|
|
echo "Nginx is RUNNING"
|
|
echo "Nginx listening ports:"
|
|
ss -tlnp | grep nginx || echo "No nginx listening ports found"
|
|
else
|
|
echo "Nginx is NOT RUNNING"
|
|
echo "Recent Nginx logs:"
|
|
journalctl -u nginx -n 30 --no-pager || true
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- SSH Service ---"
|
|
systemctl status sshd --no-pager -l | head -10 || true
|
|
echo ""
|
|
|
|
echo "=== 5. Connectivity Tests ==="
|
|
echo "--- Testing Nginx on port 8444 (HTTPS) ---"
|
|
if timeout 3 curl -k -v https://127.0.0.1:8444/ 2>&1 | head -20; then
|
|
echo "Nginx HTTPS (8444): RESPONDING"
|
|
else
|
|
echo "Nginx HTTPS (8444): NOT RESPONDING or ERROR"
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- Testing Nginx on port 80 (HTTP) ---"
|
|
if timeout 3 curl -v http://127.0.0.1:80/ 2>&1 | head -20; then
|
|
echo "Nginx HTTP (80): RESPONDING"
|
|
else
|
|
echo "Nginx HTTP (80): NOT RESPONDING or ERROR"
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- Testing SSLH -> Nginx connection ---"
|
|
if timeout 2 bash -c '</dev/tcp/127.0.0.1/8444' 2>/dev/null; then
|
|
echo "SSLH can reach Nginx on 8444: YES"
|
|
else
|
|
echo "SSLH can reach Nginx on 8444: NO (connection refused)"
|
|
fi
|
|
echo ""
|
|
|
|
echo "--- Testing SSLH on port 443 ---"
|
|
if timeout 3 bash -c 'echo | openssl s_client -connect 127.0.0.1:443 -servername localhost 2>&1' | head -30; then
|
|
echo "SSLH port 443: RESPONDING"
|
|
else
|
|
echo "SSLH port 443: NOT RESPONDING or ERROR"
|
|
fi
|
|
echo ""
|
|
|
|
echo "=== 6. Systemd Override for SSLH ==="
|
|
if [ -f /etc/systemd/system/sslh.service.d/override.conf ]; then
|
|
echo "SSLH systemd override EXISTS:"
|
|
cat /etc/systemd/system/sslh.service.d/override.conf
|
|
else
|
|
echo "SSLH systemd override: NOT FOUND"
|
|
fi
|
|
echo ""
|
|
|
|
echo "=== 7. Cloud-init Logs (Last 50 lines) ==="
|
|
if [ -f /var/log/cloud-init.log ]; then
|
|
tail -50 /var/log/cloud-init.log
|
|
else
|
|
echo "Cloud-init log not found"
|
|
fi
|
|
echo ""
|
|
|
|
echo "=== 8. All Listening Ports ==="
|
|
ss -tlnp | grep LISTEN
|
|
echo ""
|
|
|
|
echo "=========================================="
|
|
echo "Diagnostics Complete"
|
|
echo "=========================================="
|