321 lines
9.3 KiB
Bash
Executable File
321 lines
9.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Install and configure Nginx on RPC containers (2500-2502) with SSL on port 443
|
|
# Usage: ./install-nginx-rpc.sh [vmid1] [vmid2] [vmid3]
|
|
# If no VMIDs provided, defaults to 2500, 2501, 2502
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
|
|
|
|
# Colors for output
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
NC='\033[0m' # No Color
|
|
|
|
info() { echo -e "${GREEN}[INFO]${NC} $1"; }
|
|
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
|
|
error() { echo -e "${RED}[ERROR]${NC} $1"; }
|
|
|
|
# Get VMIDs (default to 2500-2502)
|
|
if [[ $# -eq 0 ]]; then
|
|
VMIDS=(2500 2501 2502)
|
|
else
|
|
VMIDS=("$@")
|
|
fi
|
|
|
|
# RPC container mapping
|
|
declare -A RPC_IPS=(
|
|
[2500]="192.168.11.250"
|
|
[2501]="192.168.11.251"
|
|
[2502]="192.168.11.252"
|
|
)
|
|
|
|
declare -A RPC_HOSTNAMES=(
|
|
[2500]="besu-rpc-1"
|
|
[2501]="besu-rpc-2"
|
|
[2502]="besu-rpc-3"
|
|
)
|
|
|
|
# Domain mappings for each container
|
|
declare -A RPC_HTTP_DOMAINS=(
|
|
[2501]="rpc-http-pub.d-bis.org"
|
|
[2502]="rpc-http-prv.d-bis.org"
|
|
)
|
|
|
|
declare -A RPC_WS_DOMAINS=(
|
|
[2501]="rpc-ws-pub.d-bis.org"
|
|
[2502]="rpc-ws-prv.d-bis.org"
|
|
)
|
|
|
|
info "Installing Nginx on RPC containers..."
|
|
info "Proxmox Host: $PROXMOX_HOST"
|
|
info "Containers: ${VMIDS[*]}"
|
|
echo ""
|
|
|
|
# Function to install Nginx on a container
|
|
install_nginx_on_container() {
|
|
local vmid=$1
|
|
local ip="${RPC_IPS[$vmid]}"
|
|
local hostname="${RPC_HOSTNAMES[$vmid]}"
|
|
local http_domain="${RPC_HTTP_DOMAINS[$vmid]:-}"
|
|
local ws_domain="${RPC_WS_DOMAINS[$vmid]:-}"
|
|
|
|
echo "=========================================="
|
|
info "Processing VMID $vmid ($hostname - $ip)"
|
|
echo "=========================================="
|
|
|
|
# Check if container is running
|
|
STATUS=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct status $vmid 2>/dev/null | awk '{print \$2}'" 2>/dev/null || echo "unknown")
|
|
|
|
if [[ "$STATUS" != "running" ]]; then
|
|
warn "Container $vmid is not running (status: $STATUS), skipping..."
|
|
return 1
|
|
fi
|
|
|
|
# Check if Nginx is already installed
|
|
if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $vmid -- which nginx >/dev/null 2>&1"; then
|
|
warn "Nginx is already installed on VMID $vmid"
|
|
read -p "Reinstall/update configuration? (y/N): " -n 1 -r
|
|
echo
|
|
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
|
|
info "Skipping VMID $vmid"
|
|
return 0
|
|
fi
|
|
fi
|
|
|
|
# Install Nginx
|
|
info "Installing Nginx on VMID $vmid..."
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $vmid -- bash -c '
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get update -qq
|
|
apt-get install -y -qq nginx openssl
|
|
'" || {
|
|
error "Failed to install Nginx on VMID $vmid"
|
|
return 1
|
|
}
|
|
info "✓ Nginx installed"
|
|
|
|
# Generate self-signed SSL certificate (or use Let's Encrypt later)
|
|
info "Generating SSL certificate..."
|
|
# Use first domain if available, otherwise use hostname
|
|
local cert_cn="${http_domain:-$hostname}"
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $vmid -- bash -c '
|
|
mkdir -p /etc/nginx/ssl
|
|
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \\
|
|
-keyout /etc/nginx/ssl/rpc.key \\
|
|
-out /etc/nginx/ssl/rpc.crt \\
|
|
-subj \"/CN=$cert_cn/O=RPC Node/C=US\" 2>/dev/null
|
|
chmod 600 /etc/nginx/ssl/rpc.key
|
|
chmod 644 /etc/nginx/ssl/rpc.crt
|
|
'" || {
|
|
error "Failed to generate SSL certificate"
|
|
return 1
|
|
}
|
|
info "✓ SSL certificate generated for $cert_cn"
|
|
|
|
# Create Nginx configuration
|
|
info "Creating Nginx configuration..."
|
|
|
|
# Build server_name list
|
|
local server_names="$hostname $ip"
|
|
if [[ -n "$http_domain" ]]; then
|
|
server_names="$server_names $http_domain"
|
|
fi
|
|
if [[ -n "$ws_domain" ]]; then
|
|
server_names="$server_names $ws_domain"
|
|
fi
|
|
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $vmid -- bash" <<EOF
|
|
cat > /etc/nginx/sites-available/rpc <<NGINX_CONFIG
|
|
# HTTP to HTTPS redirect
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name $server_names;
|
|
|
|
# Redirect all HTTP to HTTPS
|
|
return 301 https://\$host\$request_uri;
|
|
}
|
|
|
|
# HTTPS server - HTTP RPC API (for rpc-http-*.d-bis.org)
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name ${http_domain:-$hostname} $hostname $ip;
|
|
|
|
# SSL configuration
|
|
ssl_certificate /etc/nginx/ssl/rpc.crt;
|
|
ssl_certificate_key /etc/nginx/ssl/rpc.key;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Security headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/rpc-http-access.log;
|
|
error_log /var/log/nginx/rpc-http-error.log;
|
|
|
|
# Increase timeouts for RPC calls
|
|
proxy_connect_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
proxy_read_timeout 300s;
|
|
send_timeout 300s;
|
|
|
|
# HTTP RPC endpoint
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8545;
|
|
proxy_http_version 1.1;
|
|
|
|
# Headers
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_set_header Connection "";
|
|
|
|
# Buffer settings
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
# Health check endpoint
|
|
location /health {
|
|
access_log off;
|
|
return 200 "healthy\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
}
|
|
|
|
# HTTPS server - WebSocket RPC API (for rpc-ws-*.d-bis.org)
|
|
$(if [[ -n "$ws_domain" ]]; then echo "server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name $ws_domain;"; fi)
|
|
|
|
# SSL configuration
|
|
ssl_certificate /etc/nginx/ssl/rpc.crt;
|
|
ssl_certificate_key /etc/nginx/ssl/rpc.key;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Security headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/rpc-ws-access.log;
|
|
error_log /var/log/nginx/rpc-ws-error.log;
|
|
|
|
# WebSocket RPC endpoint
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8546;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade \$http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_read_timeout 86400;
|
|
proxy_send_timeout 86400;
|
|
}
|
|
|
|
# Health check endpoint
|
|
location /health {
|
|
access_log off;
|
|
return 200 "healthy\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
}
|
|
$(if [[ -n "$ws_domain" ]]; then echo ""; fi)
|
|
NGINX_CONFIG
|
|
|
|
# Enable the site
|
|
ln -sf /etc/nginx/sites-available/rpc /etc/nginx/sites-enabled/
|
|
rm -f /etc/nginx/sites-enabled/default
|
|
|
|
# Test configuration
|
|
nginx -t
|
|
|
|
# Reload Nginx
|
|
systemctl enable nginx
|
|
systemctl restart nginx
|
|
EOF
|
|
|
|
if [[ $? -eq 0 ]]; then
|
|
info "✓ Nginx configured and started"
|
|
else
|
|
error "Failed to configure Nginx"
|
|
return 1
|
|
fi
|
|
|
|
# Verify Nginx is running
|
|
if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $vmid -- systemctl is-active nginx >/dev/null 2>&1"; then
|
|
info "✓ Nginx service is active"
|
|
else
|
|
error "Nginx service is not active"
|
|
return 1
|
|
fi
|
|
|
|
# Check if port 443 is listening
|
|
if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $vmid -- ss -tuln | grep -q ':443'"; then
|
|
info "✓ Port 443 is listening"
|
|
else
|
|
warn "Port 443 may not be listening"
|
|
fi
|
|
|
|
echo ""
|
|
return 0
|
|
}
|
|
|
|
# Install on each container
|
|
SUCCESS=0
|
|
FAILED=0
|
|
|
|
for vmid in "${VMIDS[@]}"; do
|
|
if install_nginx_on_container "$vmid"; then
|
|
((SUCCESS++))
|
|
else
|
|
((FAILED++))
|
|
fi
|
|
echo ""
|
|
done
|
|
|
|
# Summary
|
|
echo "=========================================="
|
|
info "Installation Summary:"
|
|
echo " Success: $SUCCESS"
|
|
echo " Failed: $FAILED"
|
|
echo " Total: ${#VMIDS[@]}"
|
|
echo "=========================================="
|
|
|
|
if [[ $FAILED -gt 0 ]]; then
|
|
exit 1
|
|
fi
|
|
|
|
info "Nginx installation complete!"
|
|
echo ""
|
|
info "Next steps:"
|
|
echo " 1. Test HTTPS: curl -k https://<container-ip>:443"
|
|
echo " 2. Test RPC: curl -k -X POST https://<container-ip>:443 -H 'Content-Type: application/json' -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}'"
|
|
echo " 3. Replace self-signed certificate with Let's Encrypt if needed"
|
|
echo " 4. Configure DNS records to point to container IPs"
|
|
|