add script to generate ech files and support running a hourly user cron script

Zoey2936 · Zoey2936 · commit 3aeb80293f61 · 2026-03-26T11:40:56.000+01:00
Signed-off-by: Zoey &lt;zoey@z0ey.de&gt;
diff --git a/rootfs/usr/local/bin/ech.sh b/rootfs/usr/local/bin/ech.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env sh
+
+set -e
+umask 077
+
+if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then
+  echo "Usage: $0 <public-name> <filename> [max-name-length (default 64)]" >&2
+  exit 1
+fi
+
+if [ -s "/data/tls/ech/${2%.ech}-current.ech" ]; then mv "/data/tls/ech/${2%.ech}-current.ech" "/data/tls/ech/${2%.ech}-previous.ech"; fi
+
+ECHPK=/tmp/private-key-${2%.ech}.bin
+ECHCL=/tmp/config-list-${2%.ech}.bin
+
+bssl generate-ech \
+  -public-name "$1" \
+  -max-name-length "${3:-64}" \
+  -config-id "$(hexdump -n 1 -e '"%u"' /dev/urandom)" \
+  -out-ech-config /dev/null \
+  -out-ech-config-list "$ECHCL" \
+  -out-private-key "$ECHPK"
+
+{
+  echo "-----BEGIN PRIVATE KEY-----"
+  ( printf '\060\056\002\001\000\060\005\006\003\053\145\156\004\042\004\040'; cat "$ECHPK" ) | openssl base64
+  echo "-----END PRIVATE KEY-----"
+  echo "-----BEGIN ECHCONFIG-----"
+  openssl base64 -in "$ECHCL"
+  echo "-----END ECHCONFIG-----"
+} > "/data/tls/ech/${2%.ech}-current.ech"
+
+openssl base64 -A -in "$ECHCL"
+echo
+
+rm "$ECHPK" "$ECHCL"
diff --git a/rootfs/usr/local/bin/launch.sh b/rootfs/usr/local/bin/launch.sh
@@ -84,5 +84,17 @@ if [ "$GOA" = "true" ]; then set -f; while true; do if [ -s /data/nginx/logs/acc
                     --date-format="%d/%b/%Y" --log-format='[%d:%t %^] %v %h %T "%r" %s %b %b %R %u' --unix-socket=/run/goaccess.sock --log-file=/data/nginx/logs/access.log \
                     --real-time-html --output=/tmp/goa/index.html --db-path=/data/goaccess/data --restore --persist \
                     --browsers-file=/etc/goaccess/browsers.list --browsers-file=/etc/goaccess/podcast.list $GOACLA; else sleep 10s; fi; done; fi &
+while true; do
+  if [ -s "/data/tls/ech/cron.sh" ]; then
+    chmod +x /data/tls/ech/cron.sh
+    /data/tls/ech/cron.sh
+    sed -i "s|#ssl_ech_file|ssl_ech_file|g" /usr/local/nginx/conf/nginx.conf
+    nginx -s reload
+  elif grep -q '^[^#]*ssl_ech_file' /usr/local/nginx/conf/nginx.conf; then
+    sed -i "s|ssl_ech_file|#ssl_ech_file|g" /usr/local/nginx/conf/nginx.conf
+    nginx -s reload
+  fi
+  sleep 1h
+done &
 while true; do nginx -e stderr; done &
 while true; do index.js; done
diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh
@@ -114,6 +114,7 @@ mkdir -vp /data/npmplus/gravatar \
           /data/tls/certbot/renewal \
           /data/tls/certbot/acme-challenge \
           /data/tls/custom \
+          /data/tls/ech \
           /data/html \
           /data/access \
           /data/anubis \
@@ -229,7 +230,8 @@ rm -vrf /data/letsencrypt-acme-challenge \
         /data/nginx/temp \
         /data/logs
 
-touch /data/html/index.html \
+touch /data/tls/ech/cron.sh \
+      /data/html/index.html \
       /data/anubis/happy.webp \
       /data/anubis/reject.webp \
       /data/anubis/pensive.webp \
@@ -463,8 +465,9 @@ fi
 find /data/tls \
      /data/access \
      /data/npmplus \
-     -not -perm 770 \
-     -exec chmod 770 {} \;
+     /data/nginx/logs \
+     -not -perm 600 \
+     -exec chmod 600 {} \;
 
 rm -vf /usr/local/nginx/logs/nginx.pid
 rm -vf /run/*.sock
