d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
08c074ce101fc8fe6699a6de65799fb2bbf9d9fb
proxmox/scripts/configure-nginx-jwt-auth-simple.sh
defiQUG cb47cce074 Complete markdown files cleanup and organization 
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00

360 lines
11 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Configure Nginx with JWT authentication using auth_request (no Lua required)
# This script configures VMID 2501 (Permissioned RPC) with JWT token authentication
# for rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
VMID=2501
HTTP_DOMAIN="rpc-http-prv.d-bis.org"
WS_DOMAIN="rpc-ws-prv.d-bis.org"
IP="192.168.11.251"
HOSTNAME="besu-rpc-2"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
info() { echo -e "${GREEN}[INFO]${NC} $1"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
error() { echo -e "${RED}[ERROR]${NC} $1"; }
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
info "Configuring JWT authentication for Permissioned RPC (VMID $VMID)"
info "HTTP Domain: $HTTP_DOMAIN"
info "WS Domain: $WS_DOMAIN"
echo ""
# Check if container is running
STATUS=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
"pct status $VMID 2>/dev/null | awk '{print \$2}'" 2>/dev/null || echo "unknown")
if [[ "$STATUS" != "running" ]]; then
error "Container $VMID is not running (status: $STATUS)"
exit 1
fi
# Install required packages
info "Installing required packages (nginx, python3, openssl)..."
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
"pct exec $VMID -- bash -c '
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
apt-get install -y -qq nginx openssl python3 python3-pip || true
pip3 install PyJWT cryptography 2>/dev/null || {
# Fallback: install via apt if available
apt-get install -y -qq python3-jwt python3-cryptography || true
}
'" || {
warn "Some packages may not be available, continuing..."
}
# Generate JWT secret key if it doesn't exist
info "Generating JWT secret key..."
JWT_SECRET=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
"pct exec $VMID -- bash -c '
if [ ! -f /etc/nginx/jwt_secret ]; then
openssl rand -base64 32 > /etc/nginx/jwt_secret
chmod 600 /etc/nginx/jwt_secret
fi
cat /etc/nginx/jwt_secret
'")
if [ -z "$JWT_SECRET" ]; then
error "Failed to generate JWT secret"
exit 1
fi
info "✓ JWT secret generated: ${JWT_SECRET:0:20}..."
# Create Python JWT validation script
info "Creating JWT validation script..."
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
"pct exec $VMID -- bash" <<'PYTHON_SCRIPT_EOF'
cat > /usr/local/bin/jwt-validate.py <<'PYTHON_EOF'
#!/usr/bin/env python3
import sys
import os
import hmac
import hashlib
import base64
import json
import time
def base64url_decode(data):
# Add padding if needed
padding = 4 - len(data) % 4
if padding != 4:
data += '=' * padding
return base64.urlsafe_b64decode(data)
def verify_jwt(token, secret):
try:
parts = token.split('.')
if len(parts) != 3:
return False, "Invalid token format"
header_data = base64url_decode(parts[0])
payload_data = base64url_decode(parts[1])
signature = parts[2]
# Verify signature
message = f"{parts[0]}.{parts[1]}"
expected_sig = hmac.new(
secret.encode('utf-8'),
message.encode('utf-8'),
hashlib.sha256
).digest()
expected_sig_b64 = base64.urlsafe_b64encode(expected_sig).decode('utf-8').rstrip('=')
if signature != expected_sig_b64:
return False, "Invalid signature"
# Check expiration
payload = json.loads(payload_data)
if 'exp' in payload:
if time.time() > payload['exp']:
return False, "Token expired"
return True, payload
except Exception as e:
return False, str(e)
if __name__ == '__main__':
# Read secret
with open('/etc/nginx/jwt_secret', 'r') as f:
secret = f.read().strip()
# Get token from Authorization header
auth_header = os.environ.get('HTTP_AUTHORIZATION', '')
if not auth_header.startswith('Bearer '):
print('Status: 401 Unauthorized')
print('Content-Type: application/json')
print('')
print('{"error": "Missing or invalid Authorization header"}')
sys.exit(0)
token = auth_header[7:] # Remove "Bearer "
valid, result = verify_jwt(token, secret)
if valid:
print('Status: 200 OK')
print('Content-Type: application/json')
print('')
print('{"valid": true}')
sys.exit(0)
else:
print('Status: 401 Unauthorized')
print('Content-Type: application/json')
print('')
print(f'{{"error": "Invalid token", "reason": "{result}"}}')
sys.exit(0)
PYTHON_EOF
chmod +x /usr/local/bin/jwt-validate.py
PYTHON_SCRIPT_EOF
# Create Nginx configuration with JWT authentication using auth_request
info "Creating Nginx configuration with JWT authentication..."
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
"pct exec $VMID -- bash" <<NGINX_CONFIG_EOF
cat > /etc/nginx/sites-available/rpc-perm <<'EOF'
# HTTP to HTTPS redirect
server {
listen 80;
listen [::]:80;
server_name ${HTTP_DOMAIN} ${WS_DOMAIN} ${HOSTNAME} ${IP};
return 301 https://\$host\$request_uri;
}
# Internal server for JWT validation
server {
listen 127.0.0.1:8888;
server_name _;
location /validate {
fastcgi_pass unix:/var/run/fcgiwrap.socket;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/local/bin/jwt-validate.py;
fastcgi_param HTTP_AUTHORIZATION \$http_authorization;
}
}
# HTTPS server - HTTP RPC API (Permissioned with JWT)
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${HTTP_DOMAIN} ${HOSTNAME} ${IP};
ssl_certificate /etc/nginx/ssl/rpc.crt;
ssl_certificate_key /etc/nginx/ssl/rpc.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log /var/log/nginx/rpc-http-prv-access.log;
error_log /var/log/nginx/rpc-http-prv-error.log;
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
send_timeout 300s;
# JWT authentication using auth_request
location = /auth {
internal;
proxy_pass http://127.0.0.1:8888/validate;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI \$request_uri;
proxy_set_header Authorization \$http_authorization;
}
# HTTP RPC endpoint
location / {
auth_request /auth;
auth_request_set \$auth_status \$upstream_status;
# Return 401 if auth failed
error_page 401 = @auth_failed;
proxy_pass http://127.0.0.1:8545;
proxy_http_version 1.1;
proxy_set_header Host localhost;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header Connection "";
proxy_buffering off;
proxy_request_buffering off;
}
# Handle auth failures
location @auth_failed {
return 401 '{"jsonrpc":"2.0","error":{"code":-32000,"message":"Unauthorized. Missing or invalid JWT token. Use: Authorization: Bearer <token>"},"id":null}';
add_header Content-Type application/json;
}
# Health check endpoint (no JWT required)
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
}
# HTTPS server - WebSocket RPC API (Permissioned with JWT)
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${WS_DOMAIN};
ssl_certificate /etc/nginx/ssl/rpc.crt;
ssl_certificate_key /etc/nginx/ssl/rpc.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log /var/log/nginx/rpc-ws-prv-access.log;
error_log /var/log/nginx/rpc-ws-prv-error.log;
# JWT authentication for WebSocket connections
location = /auth {
internal;
proxy_pass http://127.0.0.1:8888/validate;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI \$request_uri;
proxy_set_header Authorization \$http_authorization;
}
location / {
auth_request /auth;
auth_request_set \$auth_status \$upstream_status;
error_page 401 = @auth_failed;
proxy_pass http://127.0.0.1:8546;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host localhost;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_read_timeout 86400;
proxy_send_timeout 86400;
}
location @auth_failed {
return 401 '{"error": "Unauthorized. Missing or invalid JWT token. Use: Authorization: Bearer <token>"}';
add_header Content-Type application/json;
}
# Health check endpoint (no JWT required)
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
}
EOF
# Disable old config if it exists
if [ -L /etc/nginx/sites-enabled/rpc ]; then
rm -f /etc/nginx/sites-enabled/rpc
echo "⚠ Disabled old rpc config"
fi
# Enable the new permissioned config
ln -sf /etc/nginx/sites-available/rpc-perm /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
# Install fcgiwrap for FastCGI support
apt-get install -y -qq fcgiwrap || {
# If fcgiwrap not available, use a simpler HTTP-based validation
echo "⚠ fcgiwrap not available, using alternative validation method"
}
# Test configuration
nginx -t
# Reload Nginx
systemctl enable nginx
systemctl restart nginx
NGINX_CONFIG_EOF
if [ $? -eq 0 ]; then
info "✓ Nginx configured with JWT authentication"
else
error "Failed to configure Nginx"
exit 1
fi
# Display JWT secret for token generation
echo ""
info "JWT Authentication configured successfully!"
echo ""
warn "IMPORTANT: Save this JWT secret for token generation:"
echo " ${JWT_SECRET}"
echo ""
info "Next steps:"
echo " 1. Use the generate-jwt-token.sh script to create JWT tokens"
echo " 2. Test with: curl -k -H 'Authorization: Bearer <token>' https://${HTTP_DOMAIN}"
echo " 3. Update DNS records to point rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org to ${IP}"
Reference in New Issue View Git Blame Copy Permalink