Explorer + Snap: nginx /snap 200, runbook, apply-nginx script, verify docs

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 12:44:05 -08:00
parent b1415f15fc
commit 01e126a868
6 changed files with 220 additions and 7 deletions
--- a/scripts/apply-nginx-snap-vmid5000.sh
+++ b/scripts/apply-nginx-snap-vmid5000.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Apply nginx config for explorer + /snap/ on VMID 5000 from the Proxmox host (or via SSH).
+# Runs fix-nginx-serve-custom-frontend.sh inside the VM so /snap and /snap/ return 200.
+# Usage: ./apply-nginx-snap-vmid5000.sh
+
+set -euo pipefail
+
+VMID=5000
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+FIX_SCRIPT="$SCRIPT_DIR/fix-nginx-serve-custom-frontend.sh"
+PROXMOX_HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+
+if [ ! -f "$FIX_SCRIPT" ]; then
+  echo "❌ Fix script not found: $FIX_SCRIPT"
+  exit 1
+fi
+
+echo "=========================================="
+echo "Apply nginx (explorer + /snap/) on VMID $VMID"
+echo "=========================================="
+echo ""
+
+if [ -f "/proc/1/cgroup" ] && grep -q "lxc" /proc/1/cgroup 2>/dev/null; then
+  echo "Running inside VMID $VMID – executing fix script directly"
+  bash "$FIX_SCRIPT"
+elif command -v pct &>/dev/null; then
+  echo "Running from Proxmox host – executing fix script inside VM via pct"
+  pct exec $VMID -- bash -s < "$FIX_SCRIPT"
+else
+  echo "Running from remote – pushing script and executing via SSH + pct"
+  TMP_SCRIPT="/tmp/fix-nginx-snap-$$.sh"
+  scp -o ConnectTimeout=10 -o StrictHostKeyChecking=no "$FIX_SCRIPT" root@"${PROXMOX_HOST}:$TMP_SCRIPT"
+  ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no root@"${PROXMOX_HOST}" "pct exec $VMID -- bash -s < $TMP_SCRIPT; rm -f $TMP_SCRIPT"
+fi
+
+echo ""
+echo "✅ Nginx config applied. /snap and /snap/ should return 200."
+echo "Verify: curl -sS -o /dev/null -w '%{http_code}' https://explorer.d-bis.org/snap/"
+echo ""
--- a/scripts/fix-nginx-serve-custom-frontend.sh
+++ b/scripts/fix-nginx-serve-custom-frontend.sh
@@ -55,12 +55,25 @@ server {
    }

    # Serve custom frontend for root path (no-cache so fixes show after refresh)
+    # CSP with unsafe-eval required by ethers.js v5 (NPM proxies to port 80)
    location = / {
        root /var/www/html;
        add_header Cache-Control "no-store, no-cache, must-revalidate";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
        try_files /index.html =404;
    }

+    location = /favicon.ico {
+        root /var/www/html;
+        try_files /favicon.ico =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+    location = /apple-touch-icon.png {
+        root /var/www/html;
+        try_files /apple-touch-icon.png =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+
    # Serve static assets
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        root /var/www/html;
@@ -105,6 +118,29 @@ server {
        try_files /index.html =404;
    }

+    # Chain 138 MetaMask Snap companion site (SPA at /snap/)
+    # /snap (no trailing slash) -> internal redirect so client gets 200 with content
+    location = /snap {
+        rewrite ^ /snap/ last;
+    }
+    location /snap/ {
+        alias /var/www/html/snap/;
+        try_files $uri $uri/ /snap/index.html;
+        add_header Cache-Control "no-store, no-cache, must-revalidate";
+    }
+
+    # Icons (exact match to avoid 404s)
+    location = /favicon.ico {
+        root /var/www/html;
+        try_files /favicon.ico =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+    location = /apple-touch-icon.png {
+        root /var/www/html;
+        try_files /apple-touch-icon.png =404;
+        add_header Cache-Control "public, max-age=86400";
+    }
+
    # Serve static assets
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        root /var/www/html;
@@ -146,7 +182,7 @@ server {
        proxy_connect_timeout 75s;
    }

-    # All other paths serve custom frontend
+    # All other paths serve custom frontend (SPA fallback via try_files)
    location / {
        root /var/www/html;
        try_files $uri $uri/ /index.html;
@@ -221,10 +257,10 @@ else
    echo "   ./scripts/deploy-frontend-to-vmid5000.sh"
 fi

-# Test HTTP endpoint
+# Test HTTP endpoint (non-fatal: do not exit on curl/grep failure)
 echo ""
 echo "Testing HTTP endpoint:"
-HTTP_RESPONSE=$(curl -s http://localhost/ 2>/dev/null | head -5)
+HTTP_RESPONSE=$(curl -s --max-time 5 http://localhost/ 2>/dev/null | head -5) || true
 if echo "$HTTP_RESPONSE" | grep -q "SolaceScanScout\|<!DOCTYPE html"; then
    echo "✅ Custom frontend is accessible via HTTP"
 else
--- a/scripts/verify-explorer-api-access.sh
+++ b/scripts/verify-explorer-api-access.sh
@@ -110,6 +110,52 @@ else
    ((FAIL++)) || true
 fi

+# 6) Explorer root returns 200
+HTTP_CODE="$(curl -sS -o /dev/null -w "%{http_code}" --connect-timeout 10 "$BASE_URL/" 2>/dev/null || echo 000)"
+if [ "$HTTP_CODE" = "200" ]; then
+    echo "✅ $BASE_URL/ (explorer frontend) returns 200"
+    ((PASS++)) || true
+else
+    echo "❌ $BASE_URL/ returned $HTTP_CODE (expected 200)"
+    ((FAIL++)) || true
+fi
+
+# 7) Snap companion site /snap/ returns 200 or 301 (follow redirects for content)
+SNAP_OUT="$(curl -sS -L -w '\n%{http_code}' --connect-timeout 10 "$BASE_URL/snap/" 2>/dev/null)" || true
+SNAP_BODY="$(echo "$SNAP_OUT" | head -n -1)"
+SNAP_CODE="$(echo "$SNAP_OUT" | tail -n 1)"
+if [ "$SNAP_CODE" = "200" ] || [ "$SNAP_CODE" = "301" ]; then
+    echo "✅ $BASE_URL/snap/ (Chain 138 Snap site) returns $SNAP_CODE"
+    ((PASS++)) || true
+else
+    echo "❌ $BASE_URL/snap/ returned $SNAP_CODE (expected 200 or 301)"
+    ((FAIL++)) || true
+fi
+
+# 8) /snap/ response contains Snap app content (skip if 301 — redirect may not include body)
+if echo "$SNAP_BODY" | head -c 8192 | grep -qE 'Connect|template-snap|Snap|MetaMask'; then
+    echo "✅ $BASE_URL/snap/ contains Snap app content"
+    ((PASS++)) || true
+elif [ "$SNAP_CODE" = "301" ]; then
+    echo "⏭ $BASE_URL/snap/ returned 301 (redirect); content check skipped"
+else
+    echo "❌ $BASE_URL/snap/ response missing expected content (Connect|Snap|MetaMask)"
+    ((FAIL++)) || true
+fi
+
+# 9) Nginx has location /snap/ (when we can run inside VM)
+if [ -n "$EXEC_PREFIX" ] || [ "$RUN_LOCAL" = true ]; then
+    if $EXEC_PREFIX bash -c 'grep -q "location /snap/" /etc/nginx/sites-available/blockscout 2>/dev/null'; then
+        echo "✅ Nginx has location /snap/"
+        ((PASS++)) || true
+    else
+        echo "❌ Nginx config has no location /snap/"
+        ((FAIL++)) || true
+    fi
+else
+    echo "⏭ Skipping nginx /snap/ check (not inside VM and pct not used)"
+fi
+
 echo ""
 echo "=============================================="
 echo "Result: $PASS passed, $FAIL failed"
--- a/scripts/verify-vmid5000-all.sh
+++ b/scripts/verify-vmid5000-all.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Run all VMID 5000 deployment checks: explorer frontend, Blockscout API, Snap site.
+# Usage: ./verify-vmid5000-all.sh [BASE_URL]
+#   BASE_URL defaults to https://explorer.d-bis.org
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+BASE_URL="${1:-https://explorer.d-bis.org}"
+
+echo "=============================================="
+echo "VMID 5000 – full verification"
+echo "BASE_URL=$BASE_URL"
+echo "=============================================="
+echo ""
+
+bash "$SCRIPT_DIR/verify-explorer-api-access.sh" "$BASE_URL"