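#!/usr/bin/env bash
# Add security headers (HSTS, X-Frame-Options, X-Content-Type-Options) to explorer VMID 5000 nginx.
# Run via SSH to the Proxmox host that has VMID 5000 (r630-02). Fixes explorer E2E warnings.
#
# Usage: ./scripts/maintenance/add-explorer-security-headers-via-ssh.sh [--dry-run]
# Env: PROXMOX_HOST_R630_02 (default 192.168.11.12) — host where VMID 5000 runs.
#
# Behaviour notes:
#   - Idempotent: each header is added only if the config does not already
#     mention it, so the script can be re-run safely.
#   - Headers are inserted after every `listen 80;` line of the first config in
#     CONF_CANDIDATES that exists. Browsers ignore Strict-Transport-Security
#     received over plain HTTP (RFC 6797 §8.1), so the HSTS line only takes
#     effect once the same header is also set on the TLS-terminating server block.
#   - The config is copied to /tmp inside the container before editing and
#     restored if `nginx -t` fails, so a broken edit is never left in place.
#   - Exit status: 0 on success, nothing to do, or host unreachable (treated as
#     a skip); 1 if the edited config failed `nginx -t` and was rolled back.
#   - Warnings go to stderr; informational and success lines go to stdout.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
readonly SCRIPT_DIR PROJECT_ROOT

# Optional project env loader; a missing or failing loader is not fatal.
if [[ -f "${PROJECT_ROOT}/scripts/lib/load-project-env.sh" ]]; then
  # shellcheck source=/dev/null
  source "${PROJECT_ROOT}/scripts/lib/load-project-env.sh" 2>/dev/null || true
fi

DRY_RUN=false
[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true
readonly DRY_RUN

readonly VMID=5000
PROXMOX_HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
readonly PROXMOX_HOST

# nginx site configs inside the container, in order of preference; the first
# one that exists is the one edited (same single-file behaviour as before).
readonly -a CONF_CANDIDATES=(
  /etc/nginx/sites-enabled/default
  /etc/nginx/sites-enabled/blockscout
)

# Header names and the matching add_header values, index-aligned. Each value
# is written into the config verbatim, double quotes included.
readonly -a HEADER_NAMES=(
  Strict-Transport-Security
  X-Frame-Options
  X-Content-Type-Options
)
readonly -a HEADER_VALUES=(
  '"max-age=31536000; includeSubDomains"'
  '"SAMEORIGIN"'
  '"nosniff"'
)

# printf instead of echo -e: a message containing a backslash is printed as-is.
log_info() { printf '\033[0;34m[INFO]\033[0m %s\n' "$1"; }
log_ok()   { printf '\033[0;32m[✓]\033[0m %s\n' "$1"; }
log_warn() { printf '\033[0;33m[⚠]\033[0m %s\n' "$1" >&2; }

#######################################
# Run a command line on the Proxmox host as root.
# ssh joins its arguments into one remote shell command, so any `&&`/`||`
# inside them is evaluated on the host, not inside the container.
# StrictHostKeyChecking=accept-new pins the host key on first contact and
# refuses a changed key afterwards; `=no` would keep connecting to a host
# whose key no longer matches.
# Globals:   PROXMOX_HOST (read)
# Arguments: remote command and arguments
# Returns:   ssh / remote command exit status
#######################################
run_ssh() {
  ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new \
    root@"$PROXMOX_HOST" "$@"
}

#######################################
# Run a command line inside the explorer container via pct exec.
# Globals:   VMID (read)
# Arguments: command and arguments, joined into one remote command line
# Returns:   exit status of the command inside the container
#######################################
in_ct() {
  run_ssh "pct exec $VMID -- $*"
}

#######################################
# Check whether a header name already appears in a config file.
# Arguments: $1 config path inside the container, $2 header name
# Returns:   0 if present, non-zero otherwise
#######################################
has_header() {
  in_ct "grep -q -- '$2' '$1'" 2>/dev/null
}

#######################################
# Append `add_header NAME VALUE always;` after every `listen 80;` line.
# Arguments: $1 config path inside the container, $2 header name,
#            $3 header value as it should appear in the config
# Returns:   sed exit status
#######################################
add_header_line() {
  in_ct "sed -i '/listen 80;/a\\ add_header $2 $3 always;' '$1'" 2>/dev/null
}

#######################################
# Ensure every header in HEADER_NAMES is present in the given config, adding
# the missing ones, validating with `nginx -t` and reloading nginx inside the
# container. Rolls the file back from a /tmp copy and exits 1 if validation
# fails.
# Globals:   VMID, HEADER_NAMES, HEADER_VALUES (read)
# Arguments: $1 config path inside the container
# Outputs:   progress via log_*
# Returns:   0 when headers are present (already or newly added),
#            1 when the file could not be backed up and was left untouched
#######################################
ensure_headers() {
  local conf=$1
  local -a missing=()
  local i
  for i in "${!HEADER_NAMES[@]}"; do
    has_header "$conf" "${HEADER_NAMES[i]}" || missing+=("$i")
  done
  if (( ${#missing[@]} == 0 )); then
    log_ok "Security headers already present in VMID $VMID ($conf)"
    return 0
  fi

  # Keep the backup in /tmp, never beside the config: the stock Debian
  # nginx.conf includes sites-enabled/*, so a copy there would be loaded as a
  # second server block.
  local backup
  backup="/tmp/$(basename -- "$conf").$(date +%Y%m%d%H%M%S).pre-headers"
  if ! in_ct "cp -a -- '$conf' '$backup'" 2>/dev/null; then
    log_warn "Could not back up $conf in VMID $VMID; not editing"
    return 1
  fi

  for i in "${missing[@]}"; do
    add_header_line "$conf" "${HEADER_NAMES[i]}" "${HEADER_VALUES[i]}" \
      || log_warn "sed failed adding ${HEADER_NAMES[i]} to $conf"
  done

  # One pct exec per step: a chained `nginx -t && nginx -s reload` in a single
  # remote command would run the reload on the Proxmox host, not in the container.
  if ! in_ct "nginx -t" &>/dev/null; then
    in_ct "cp -a -- '$backup' '$conf'" 2>/dev/null || true
    log_warn "nginx -t failed after editing $conf; restored $backup"
    exit 1
  fi
  in_ct "nginx -s reload" 2>/dev/null \
    || in_ct "systemctl reload nginx" 2>/dev/null \
    || log_warn "Config updated but nginx reload failed in VMID $VMID; reload manually"
  log_ok "Security headers added to $conf in VMID $VMID"
}

#######################################
# Entry point: connectivity check, dry-run short-circuit, then edit the first
# existing candidate config.
# Globals:   PROXMOX_HOST, VMID, DRY_RUN, CONF_CANDIDATES (read)
#######################################
main() {
  printf '\n=== Add explorer (VMID %s) security headers via SSH ===\n' "$VMID"
  printf '  Host: %s  VMID: %s  dry-run=%s\n\n' "$PROXMOX_HOST" "$VMID" "$DRY_RUN"

  if ! run_ssh "echo OK" &>/dev/null; then
    log_warn "Cannot SSH to $PROXMOX_HOST. Run from LAN or set PROXMOX_HOST_R630_02."
    exit 0 # unreachable host is a skip, not a failure, for callers
  fi

  if [[ "$DRY_RUN" == true ]]; then
    log_info "Would run in VMID $VMID: check/add security headers and reload nginx"
    exit 0
  fi

  local conf handled=false
  for conf in "${CONF_CANDIDATES[@]}"; do
    in_ct "test -f '$conf'" 2>/dev/null || continue
    ensure_headers "$conf" && handled=true
    break
  done

  if [[ "$handled" == false ]]; then
    log_warn "No nginx config updated; run explorer-monorepo/scripts/check-and-fix-nginx-vmid5000.sh from Proxmox host"
  fi
  printf '\n'
}

main "$@"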