- Updated branding from "SolaceScanScout" to "Solace" across various files including deployment scripts, API responses, and documentation. - Changed default base URL for Playwright tests and updated security headers to reflect the new branding. - Enhanced README and API documentation to include new authentication endpoints and product access details. This refactor aligns the project branding and improves clarity in the API documentation.
#!/usr/bin/env bash
# Strict mode: stop on a failing command, on any use of an unset variable,
# and when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

# Settings that have no default and must come from the command line.
PRODUCT_SLUG=""
SERVER_NAME=""

# Optional settings; an empty value means "not given".
OUTPUT_PATH=""
UPSTREAM_URL=""

# Endpoint nginx calls for every auth_request subrequest (loopback by default).
VALIDATOR_URL="http://127.0.0.1:8081/api/v1/access/internal/validate-key"

# Shared secret nginx presents to the validator. It is seeded from the
# environment so it does not have to be passed as a command-line argument.
INTERNAL_SECRET="${ACCESS_INTERNAL_SECRET:-}"
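# Print the command-line help text to stdout.
# The heredoc delimiter is quoted, so "$ACCESS_INTERNAL_SECRET" in the example
# is printed literally; the secret's value is never expanded into the help.
usage() {
  cat <<'EOF'
Render a lane-specific nginx auth_request gate for explorer-managed RPC access.

Usage:
  bash explorer-monorepo/scripts/render-rpc-access-gate-nginx.sh \
    --product thirdweb-rpc \
    --server-name thirdweb-rpc.example.org \
    --internal-secret "$ACCESS_INTERNAL_SECRET" \
    [--output /etc/nginx/conf.d/thirdweb-rpc-gated.conf] \
    [--validator-url http://127.0.0.1:8081/api/v1/access/internal/validate-key] \
    [--upstream http://192.168.11.217:8545]

Supported products:
  - core-rpc
  - alltra-rpc
  - thirdweb-rpc

Notes:
  - --server-name is required because public/internal hostnames vary by deployment.
  - --internal-secret is required so nginx can authenticate to the explorer validator.
    It defaults to the ACCESS_INTERNAL_SECRET environment variable; supplying the
    secret through the environment keeps it out of the process argument list.
  - --output writes the rendered config to disk; otherwise the config is printed to stdout.
  - The rendered config embeds the internal secret in plain text; handle the output
    (file or stdout) as a secret.
EOF
}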
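# Abort with a readable message when an option that takes a value is the last
# word on the command line. Without this check, "$2" trips `set -u` and the
# script dies with a bare "unbound variable" error.
#   $1 - option name as typed
#   $2 - number of arguments still unparsed, the option itself included
require_option_value() {
  if (( $2 < 2 )); then
    echo "ERROR: $1 requires a value." >&2
    exit 1
  fi
}

# Parse the command line into the configuration variables. Each value-taking
# option consumes two words; -h/--help prints the help and exits 0; anything
# else is rejected with the help text on stderr and exit status 1.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --product)
      require_option_value "$1" "$#"
      PRODUCT_SLUG="$2"
      shift 2
      ;;
    --server-name)
      require_option_value "$1" "$#"
      SERVER_NAME="$2"
      shift 2
      ;;
    --output)
      require_option_value "$1" "$#"
      OUTPUT_PATH="$2"
      shift 2
      ;;
    --internal-secret)
      # NOTE(review): a secret passed here is part of this process's argument
      # list; the ACCESS_INTERNAL_SECRET environment variable avoids that.
      require_option_value "$1" "$#"
      INTERNAL_SECRET="$2"
      shift 2
      ;;
    --validator-url)
      require_option_value "$1" "$#"
      VALIDATOR_URL="$2"
      shift 2
      ;;
    --upstream)
      require_option_value "$1" "$#"
      UPSTREAM_URL="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
done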
# Required inputs: stop before rendering if any of them is still empty.
# The secret check reports only that the value is missing, never the value.
[[ -n "$PRODUCT_SLUG" ]] || {
  echo "ERROR: --product is required." >&2
  exit 1
}

[[ -n "$SERVER_NAME" ]] || {
  echo "ERROR: --server-name is required." >&2
  exit 1
}

[[ -n "$INTERNAL_SECRET" ]] || {
  echo "ERROR: --internal-secret is required. Set ACCESS_INTERNAL_SECRET or pass --internal-secret." >&2
  exit 1
}
# Map the product slug to its default upstream RPC endpoint and to the
# description written into the header of the rendered config. Only the three
# slugs listed here are accepted; any other value stops the script, so the
# slug that reaches the template is always one of these fixed strings.
# NOTE(review): the default upstreams are plain-HTTP addresses in
# 192.168.11.0/24, so gate-to-node traffic is unencrypted — confirm that
# network segment is trusted.
case "$PRODUCT_SLUG" in
  thirdweb-rpc)
    PRODUCT_COMMENT="Thirdweb-managed RPC lane for SaaS and metered API-key traffic."
    DEFAULT_UPSTREAM_URL="http://192.168.11.217:8545"
    ;;
  alltra-rpc)
    PRODUCT_COMMENT="Alltra-managed RPC lane for partner and subscription traffic."
    DEFAULT_UPSTREAM_URL="http://192.168.11.212:8545"
    ;;
  core-rpc)
    PRODUCT_COMMENT="Private Chain 138 Core RPC lane with approval-oriented access controls."
    DEFAULT_UPSTREAM_URL="http://192.168.11.211:8545"
    ;;
  *)
    echo "ERROR: unsupported product slug '$PRODUCT_SLUG'." >&2
    exit 1
    ;;
esac

# An explicit --upstream wins; otherwise use the product's default endpoint.
if [[ -z "${UPSTREAM_URL:-}" ]]; then
  UPSTREAM_URL="$DEFAULT_UPSTREAM_URL"
fi
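# Refuse a value that would end or restructure the nginx directive it is
# pasted into as a bare (unquoted) argument.
#   $1 - option name used in the error message
#   $2 - value to check
assert_directive_safe() {
  local label=$1 value=$2
  case "$value" in
    *';'* | *'{'* | *'}'* | *$'\n'* | *$'\r'*)
      echo "ERROR: ${label} contains a character nginx would treat as syntax (; { } or a line break)." >&2
      exit 1
      ;;
  esac
}

# Refuse a value that cannot sit inside a double-quoted nginx string: a quote
# or backslash changes where the string ends, and "$" starts an nginx variable
# reference. The message names the option only, never the value.
#   $1 - option name used in the error message
#   $2 - value to check
assert_quoted_string_safe() {
  local label=$1 value=$2
  case "$value" in
    *'"'* | *'\'* | *'$'* | *$'\n'* | *$'\r'*)
      echo "ERROR: ${label} contains a character that cannot be embedded in a quoted nginx string (\" \\ \$ or a line break)." >&2
      exit 1
      ;;
  esac
}

# The template below interpolates these values verbatim, so check them first.
assert_directive_safe "--server-name" "${SERVER_NAME:-}"
assert_directive_safe "--validator-url" "${VALIDATOR_URL:-}"
assert_directive_safe "--upstream" "${UPSTREAM_URL:-}"
assert_quoted_string_safe "--internal-secret" "${INTERNAL_SECRET:-}"

# Render the nginx server block into a variable. "${...}" is expanded by the
# shell now; "\$name" is written out as "$name" for nginx to expand per request.
#
# What the rendered config does:
#   - /__access_validate_rpc is an `internal` location, so clients cannot
#     request it directly; it forwards the client's X-API-Key and Authorization
#     headers plus the internal secret to the validator, without the body.
#   - `location /` runs that subrequest through auth_request before proxying,
#     then sets the X-Validated-* and X-Quota-Remaining headers from the
#     validator's response headers, replacing any client-sent values.
# NOTE(review): the server block listens with `ssl` but carries no
# ssl_certificate directives — presumably they are supplied elsewhere; confirm.
# NOTE(review): the rendered text contains the internal secret in plain text.
rendered_config="$(
  cat <<EOF
# Rendered by scripts/render-rpc-access-gate-nginx.sh
# Product: ${PRODUCT_SLUG}
# ${PRODUCT_COMMENT}

server {
  listen 443 ssl http2;
  server_name ${SERVER_NAME};

  location = /__access_validate_rpc {
    internal;
    proxy_pass ${VALIDATOR_URL};
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Access-Internal-Secret "${INTERNAL_SECRET}";
    proxy_set_header X-API-Key \$http_x_api_key;
    proxy_set_header Authorization \$http_authorization;
    proxy_set_header X-Access-Method \$request_method;
    proxy_set_header X-Access-Request-Count "1";
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }

  location / {
    auth_request /__access_validate_rpc;
    auth_request_set \$validated_product \$upstream_http_x_validated_product;
    auth_request_set \$validated_tier \$upstream_http_x_validated_tier;
    auth_request_set \$validated_scopes \$upstream_http_x_validated_scopes;
    auth_request_set \$quota_remaining \$upstream_http_x_quota_remaining;

    proxy_pass ${UPSTREAM_URL};
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header X-Validated-Product \$validated_product;
    proxy_set_header X-Validated-Tier \$validated_tier;
    proxy_set_header X-Validated-Scopes \$validated_scopes;
    proxy_set_header X-Quota-Remaining \$quota_remaining;
  }
}
EOF
)"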
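# Emit the rendered config: to --output when given, otherwise to stdout.
# The text embeds the internal secret, so the file is created with a
# restrictive umask and then forced to mode 600 (the chmod also covers a
# pre-existing file, whose mode the redirection would otherwise keep).
# On stdout the secret is printed as-is; the caller decides where it lands.
if [[ -n "$OUTPUT_PATH" ]]; then
  mkdir -p -- "$(dirname -- "$OUTPUT_PATH")"
  (
    # Subshell so the tightened umask does not leak into the rest of the script.
    umask 077
    printf '%s\n' "$rendered_config" > "$OUTPUT_PATH"
  )
  # Under `set -e` a failing chmod aborts the script rather than silently
  # leaving the secret readable by other accounts.
  chmod 600 -- "$OUTPUT_PATH"
  echo "Wrote rendered nginx gate config to: $OUTPUT_PATH"
else
  printf '%s\n' "$rendered_config"
fi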