d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
master
proxmox/scripts/maintenance/add-explorer-security-headers-via-ssh.sh
defiQUG bea1903ac9
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
Sync all local changes: docs, config, scripts, submodule refs, verification evidence 
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 15:46:06 -08:00

60 lines
2.7 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# Add security headers (HSTS, X-Frame-Options, X-Content-Type-Options) to explorer VMID 5000 nginx.
# Run via SSH to the Proxmox host that has VMID 5000 (r630-02). Fixes explorer E2E warnings.
#
# Usage: ./scripts/maintenance/add-explorer-security-headers-via-ssh.sh [--dry-run]
# Env: PROXMOX_HOST_R630_02 (default 192.168.11.12) — host where VMID 5000 runs.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
[[ -f "${PROJECT_ROOT}/scripts/lib/load-project-env.sh" ]] && source "${PROJECT_ROOT}/scripts/lib/load-project-env.sh" 2>/dev/null || true
DRY_RUN=false
[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true
VMID=5000
PROXMOX_HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
log_info() { echo -e "\033[0;34m[INFO]\033[0m $1"; }
log_ok() { echo -e "\033[0;32m[✓]\033[0m $1"; }
log_warn() { echo -e "\033[0;33m[⚠]\033[0m $1"; }
run_ssh() { ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no root@"$PROXMOX_HOST" "$@"; }
echo ""
echo "=== Add explorer (VMID 5000) security headers via SSH ==="
echo " Host: $PROXMOX_HOST VMID: $VMID dry-run=$DRY_RUN"
echo ""
if ! run_ssh "echo OK" &>/dev/null; then
log_warn "Cannot SSH to $PROXMOX_HOST. Run from LAN or set PROXMOX_HOST_R630_02."
exit 0
fi
# Ensure nginx in 5000 has security headers. Add to first server block (listen 80) if missing.
if [[ "$DRY_RUN" == true ]]; then
log_info "Would run in VMID $VMID: check/add security headers and reload nginx"
exit 0
fi
ADDED=0
for conf in /etc/nginx/sites-enabled/default /etc/nginx/sites-enabled/blockscout; do
run_ssh "pct exec $VMID -- test -f $conf" 2>/dev/null || continue
HAS_HEADER=$(run_ssh "pct exec $VMID -- grep -q 'X-Frame-Options' $conf 2>/dev/null" && echo "yes" || true)
if [[ "$HAS_HEADER" == "yes" ]]; then
log_ok "Security headers already present in VMID $VMID ($conf)"
ADDED=2
break
fi
run_ssh "pct exec $VMID -- sed -i '/listen 80;/a\ add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;' $conf" 2>/dev/null && true
run_ssh "pct exec $VMID -- sed -i '/listen 80;/a\ add_header X-Frame-Options \"SAMEORIGIN\" always;' $conf" 2>/dev/null && true
run_ssh "pct exec $VMID -- sed -i '/listen 80;/a\ add_header X-Content-Type-Options \"nosniff\" always;' $conf" 2>/dev/null && true
run_ssh "pct exec $VMID -- nginx -t 2>/dev/null && nginx -s reload 2>/dev/null || systemctl reload nginx 2>/dev/null" || true
log_ok "Security headers added to $conf in VMID $VMID"
ADDED=1
break
done
[[ $ADDED -eq 0 ]] && log_warn "No nginx config updated; run explorer-monorepo/scripts/check-and-fix-nginx-vmid5000.sh from Proxmox host"
echo ""
Reference in New Issue View Git Blame Copy Permalink