cb47cce074
- Organized 252 files across project - Root directory: 187 → 2 files (98.9% reduction) - Moved configuration guides to docs/04-configuration/ - Moved troubleshooting guides to docs/09-troubleshooting/ - Moved quick start guides to docs/01-getting-started/ - Moved reports to reports/ directory - Archived temporary files - Generated comprehensive reports and documentation - Created maintenance scripts and guides All files organized according to established standards.
435 lines
15 KiB
Bash
Executable File
435 lines
15 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Configure Nginx with JWT authentication for Permissioned RPC endpoints
|
|
# This script configures VMID 2501 (Permissioned RPC) with JWT token authentication
|
|
# for rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
|
|
VMID=2501
|
|
HTTP_DOMAIN="rpc-http-prv.d-bis.org"
|
|
WS_DOMAIN="rpc-ws-prv.d-bis.org"
|
|
IP="192.168.11.251"
|
|
HOSTNAME="besu-rpc-2"
|
|
|
|
# Colors for output
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m' # No Color
|
|
|
|
info() { echo -e "${GREEN}[INFO]${NC} $1"; }
|
|
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
|
|
error() { echo -e "${RED}[ERROR]${NC} $1"; }
|
|
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
|
|
|
|
info "Configuring JWT authentication for Permissioned RPC (VMID $VMID)"
|
|
info "HTTP Domain: $HTTP_DOMAIN"
|
|
info "WS Domain: $WS_DOMAIN"
|
|
echo ""
|
|
|
|
# Check if container is running
|
|
STATUS=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct status $VMID 2>/dev/null | awk '{print \$2}'" 2>/dev/null || echo "unknown")
|
|
|
|
if [[ "$STATUS" != "running" ]]; then
|
|
error "Container $VMID is not running (status: $STATUS)"
|
|
exit 1
|
|
fi
|
|
|
|
# Install required packages
|
|
info "Installing required packages (nginx-extras for lua support, openssl)..."
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $VMID -- bash -c '
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
export LC_ALL=C
|
|
export LANG=C
|
|
apt-get update -qq 2>&1 | grep -vE \"(perl: warning|locale:)\" || true
|
|
|
|
# Check if nginx is installed and what version
|
|
if command -v nginx >/dev/null 2>&1; then
|
|
# Remove nginx-core if present and install nginx-extras which includes lua support
|
|
apt-get remove -y -qq nginx-core 2>&1 | grep -vE \"(perl: warning|locale:)\" || true
|
|
apt-get install -y -qq nginx-extras 2>&1 | grep -vE \"(perl: warning|locale:)\" || {
|
|
echo \"Warning: nginx-extras installation had issues\" >&2
|
|
exit 1
|
|
}
|
|
else
|
|
# Fresh install - use nginx-extras
|
|
apt-get install -y -qq nginx-extras openssl 2>&1 | grep -vE \"(perl: warning|locale:)\" || {
|
|
echo \"Error: nginx-extras installation failed\" >&2
|
|
exit 1
|
|
}
|
|
fi
|
|
|
|
# Verify nginx-extras was installed and has Lua support
|
|
if nginx -V 2>&1 | grep -q \"http_lua_module\"; then
|
|
echo \"✓ nginx-extras with Lua module installed successfully\"
|
|
else
|
|
echo \"Error: nginx Lua module not detected after installation\" >&2
|
|
echo \"nginx -V output:\" >&2
|
|
nginx -V 2>&1 | head -5 >&2
|
|
exit 1
|
|
fi
|
|
'" 2>&1 | grep -vE "(perl: warning|locale:|dpkg-preconfigure)" || {
|
|
warn "Some packages may not be available, continuing with basic setup..."
|
|
}
|
|
|
|
# Generate JWT secret key if it doesn't exist
|
|
info "Generating JWT secret key..."
|
|
JWT_SECRET=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $VMID -- bash -c '
|
|
if [ ! -f /etc/nginx/jwt_secret ]; then
|
|
openssl rand -base64 32 > /etc/nginx/jwt_secret
|
|
chmod 600 /etc/nginx/jwt_secret
|
|
fi
|
|
cat /etc/nginx/jwt_secret
|
|
'")
|
|
|
|
if [ -z "$JWT_SECRET" ]; then
|
|
error "Failed to generate JWT secret"
|
|
exit 1
|
|
fi
|
|
|
|
info "✓ JWT secret generated: ${JWT_SECRET:0:20}..."
|
|
|
|
# Create Lua script for JWT validation
|
|
info "Creating JWT validation Lua script..."
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $VMID -- bash" <<'LUA_SCRIPT_EOF'
|
|
export LC_ALL=C
|
|
export LANG=C
|
|
cat > /etc/nginx/jwt-validate.lua <<'LUA_EOF'
|
|
local jwt = require "resty.jwt"
|
|
local secret = io.open("/etc/nginx/jwt_secret", "r")
|
|
if not secret then
|
|
ngx.log(ngx.ERR, "Failed to read JWT secret")
|
|
ngx.status = 500
|
|
ngx.say('{"error": "Internal server error"}')
|
|
ngx.exit(500)
|
|
end
|
|
local jwt_secret = secret:read("*all")
|
|
secret:close()
|
|
jwt_secret = jwt_secret:gsub("%s+", "")
|
|
|
|
-- Get JWT token from Authorization header
|
|
local auth_header = ngx.var.http_authorization
|
|
if not auth_header then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"error": "Missing Authorization header"}')
|
|
ngx.exit(401)
|
|
end
|
|
|
|
-- Extract Bearer token
|
|
local token = auth_header:match("Bearer%s+(.+)")
|
|
if not token then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"error": "Invalid Authorization header format. Use: Bearer <token>"}')
|
|
ngx.exit(401)
|
|
end
|
|
|
|
-- Validate JWT
|
|
local jwt_obj = jwt:verify(jwt_secret, token)
|
|
if not jwt_obj.valid then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"error": "Invalid or expired token", "reason": "' .. (jwt_obj.reason or "unknown") .. '"}')
|
|
ngx.exit(401)
|
|
end
|
|
|
|
-- Token is valid, continue
|
|
ngx.log(ngx.INFO, "JWT validated successfully for user: " .. (jwt_obj.payload.sub or "unknown"))
|
|
LUA_EOF
|
|
chmod 644 /etc/nginx/jwt-validate.lua
|
|
LUA_SCRIPT_EOF
|
|
|
|
# Install lua-resty-jwt library
|
|
info "Installing lua-resty-jwt library..."
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $VMID -- bash" <<'INSTALL_LUA_JWT_EOF'
|
|
export LC_ALL=C
|
|
export LANG=C
|
|
# Install dependencies
|
|
apt-get install -y -qq git curl unzip 2>&1 | grep -vE "(perl: warning|locale:|dpkg-preconfigure)" || true
|
|
|
|
# Install lua-resty-jwt
|
|
mkdir -p /usr/share/lua/5.1/resty
|
|
cd /tmp
|
|
rm -rf lua-resty-jwt*
|
|
|
|
# Try to clone or download
|
|
if command -v git &> /dev/null; then
|
|
git clone --depth 1 https://github.com/cdbattags/lua-resty-jwt.git 2>/dev/null || {
|
|
curl -L https://github.com/cdbattags/lua-resty-jwt/archive/refs/heads/master.zip -o lua-resty-jwt.zip
|
|
unzip -q lua-resty-jwt.zip
|
|
mv lua-resty-jwt-master lua-resty-jwt
|
|
}
|
|
else
|
|
curl -L https://github.com/cdbattags/lua-resty-jwt/archive/refs/heads/master.zip -o lua-resty-jwt.zip 2>/dev/null || {
|
|
curl -L https://github.com/cdbattags/lua-resty-jwt/archive/refs/heads/master.tar.gz | tar -xz
|
|
mv lua-resty-jwt-master lua-resty-jwt
|
|
}
|
|
unzip -q lua-resty-jwt.zip 2>/dev/null || true
|
|
fi
|
|
|
|
if [ -d lua-resty-jwt/lib/resty ]; then
|
|
cp -r lua-resty-jwt/lib/resty/* /usr/share/lua/5.1/resty/
|
|
echo "✓ lua-resty-jwt installed"
|
|
else
|
|
echo "⚠ Failed to install lua-resty-jwt, will use Python fallback"
|
|
fi
|
|
INSTALL_LUA_JWT_EOF
|
|
|
|
# Check if Lua module is available before creating config
|
|
info "Verifying nginx Lua module availability..."
|
|
LUA_AVAILABLE=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $VMID -- bash -c 'nginx -V 2>&1 | grep -q \"http_lua_module\" && echo \"yes\" || echo \"no\"'" 2>/dev/null || echo "no")
|
|
|
|
if [[ "$LUA_AVAILABLE" != "yes" ]]; then
|
|
error "Nginx Lua module is not available. nginx-extras may not be properly installed."
|
|
error "Please run: pct exec $VMID -- apt-get install -y nginx-extras"
|
|
error "Or use the Python-based script: ./scripts/configure-nginx-jwt-auth-simple.sh"
|
|
exit 1
|
|
fi
|
|
|
|
info "✓ Lua module confirmed available"
|
|
|
|
# Create Nginx configuration with JWT authentication
|
|
info "Creating Nginx configuration with JWT authentication..."
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
|
|
"pct exec $VMID -- bash" <<NGINX_CONFIG_EOF
|
|
export LC_ALL=C
|
|
export LANG=C
|
|
cat > /etc/nginx/sites-available/rpc-perm <<'EOF'
|
|
# HTTP to HTTPS redirect
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name ${HTTP_DOMAIN} ${WS_DOMAIN} ${HOSTNAME} ${IP};
|
|
return 301 https://\$host\$request_uri;
|
|
}
|
|
|
|
# HTTPS server - HTTP RPC API (Permissioned with JWT)
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name ${HTTP_DOMAIN} ${HOSTNAME} ${IP};
|
|
|
|
ssl_certificate /etc/nginx/ssl/rpc.crt;
|
|
ssl_certificate_key /etc/nginx/ssl/rpc.key;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
access_log /var/log/nginx/rpc-http-prv-access.log;
|
|
error_log /var/log/nginx/rpc-http-prv-error.log;
|
|
|
|
proxy_connect_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
proxy_read_timeout 300s;
|
|
send_timeout 300s;
|
|
|
|
# JWT authentication for all requests except health check
|
|
location / {
|
|
# Validate JWT token
|
|
access_by_lua_block {
|
|
local jwt = require "resty.jwt"
|
|
local secret_file = io.open("/etc/nginx/jwt_secret", "r")
|
|
if not secret_file then
|
|
ngx.log(ngx.ERR, "Failed to read JWT secret")
|
|
ngx.status = 500
|
|
ngx.exit(500)
|
|
end
|
|
local jwt_secret = secret_file:read("*all")
|
|
secret_file:close()
|
|
jwt_secret = jwt_secret:gsub("%s+", "")
|
|
|
|
local auth_header = ngx.var.http_authorization
|
|
if not auth_header then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"jsonrpc":"2.0","error":{"code":-32000,"message":"Missing Authorization header. Use: Authorization: Bearer <token>"},"id":null}')
|
|
ngx.exit(401)
|
|
end
|
|
|
|
local token = auth_header:match("Bearer%s+(.+)")
|
|
if not token then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"jsonrpc":"2.0","error":{"code":-32000,"message":"Invalid Authorization header format. Use: Bearer <token>"},"id":null}')
|
|
ngx.exit(401)
|
|
end
|
|
|
|
local jwt_obj = jwt:verify(jwt_secret, token)
|
|
if not jwt_obj.valid then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"jsonrpc":"2.0","error":{"code":-32000,"message":"Invalid or expired token","data":"' .. (jwt_obj.reason or "unknown") .. '"},"id":null}')
|
|
ngx.exit(401)
|
|
end
|
|
}
|
|
|
|
proxy_pass http://127.0.0.1:8545;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host localhost;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_set_header Connection "";
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
# Health check endpoint (no JWT required)
|
|
location /health {
|
|
access_log off;
|
|
return 200 "healthy\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
}
|
|
|
|
# HTTPS server - WebSocket RPC API (Permissioned with JWT)
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name ${WS_DOMAIN};
|
|
|
|
ssl_certificate /etc/nginx/ssl/rpc.crt;
|
|
ssl_certificate_key /etc/nginx/ssl/rpc.key;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
access_log /var/log/nginx/rpc-ws-prv-access.log;
|
|
error_log /var/log/nginx/rpc-ws-prv-error.log;
|
|
|
|
# JWT authentication for WebSocket connections
|
|
location / {
|
|
# Validate JWT token before upgrading to WebSocket
|
|
access_by_lua_block {
|
|
local jwt = require "resty.jwt"
|
|
local secret_file = io.open("/etc/nginx/jwt_secret", "r")
|
|
if not secret_file then
|
|
ngx.log(ngx.ERR, "Failed to read JWT secret")
|
|
ngx.status = 500
|
|
ngx.exit(500)
|
|
end
|
|
local jwt_secret = secret_file:read("*all")
|
|
secret_file:close()
|
|
jwt_secret = jwt_secret:gsub("%s+", "")
|
|
|
|
local auth_header = ngx.var.http_authorization
|
|
if not auth_header then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"error": "Missing Authorization header. Use: Authorization: Bearer <token>"}')
|
|
ngx.exit(401)
|
|
end
|
|
|
|
local token = auth_header:match("Bearer%s+(.+)")
|
|
if not token then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"error": "Invalid Authorization header format. Use: Bearer <token>"}')
|
|
ngx.exit(401)
|
|
end
|
|
|
|
local jwt_obj = jwt:verify(jwt_secret, token)
|
|
if not jwt_obj.valid then
|
|
ngx.status = 401
|
|
ngx.header["Content-Type"] = "application/json"
|
|
ngx.say('{"error": "Invalid or expired token", "reason": "' .. (jwt_obj.reason or "unknown") .. '"}')
|
|
ngx.exit(401)
|
|
end
|
|
}
|
|
|
|
proxy_pass http://127.0.0.1:8546;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade \$http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host localhost;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_read_timeout 86400;
|
|
proxy_send_timeout 86400;
|
|
}
|
|
|
|
# Health check endpoint (no JWT required)
|
|
location /health {
|
|
access_log off;
|
|
return 200 "healthy\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
}
|
|
EOF
|
|
|
|
# Disable old config if it exists (rpc-http-pub/rpc-ws-pub on this VMID)
|
|
if [ -L /etc/nginx/sites-enabled/rpc ]; then
|
|
rm -f /etc/nginx/sites-enabled/rpc
|
|
echo "⚠ Disabled old rpc config (rpc-http-pub/rpc-ws-pub should be on VMID 2502)"
|
|
fi
|
|
|
|
# Enable the new permissioned config
|
|
ln -sf /etc/nginx/sites-available/rpc-perm /etc/nginx/sites-enabled/
|
|
rm -f /etc/nginx/sites-enabled/default
|
|
|
|
# Update nginx.conf to include lua_package_path if lua module is available
|
|
if nginx -V 2>&1 | grep -q "http_lua_module"; then
|
|
if ! grep -q "lua_package_path" /etc/nginx/nginx.conf; then
|
|
# Use a more reliable method to add lua_package_path
|
|
# Create a temporary file with the addition
|
|
cat > /tmp/nginx_lua_add.conf <<'LUA_ADD_EOF'
|
|
# Lua package path
|
|
lua_package_path "/usr/share/lua/5.1/?.lua;/usr/share/lua/5.1/?/init.lua;;";
|
|
LUA_ADD_EOF
|
|
# Insert after "http {" line
|
|
sed -i '/^http {/r /tmp/nginx_lua_add.conf' /etc/nginx/nginx.conf
|
|
rm -f /tmp/nginx_lua_add.conf
|
|
fi
|
|
else
|
|
warn "Nginx Lua module not available - JWT validation will use alternative method"
|
|
fi
|
|
|
|
# Test configuration
|
|
nginx -t
|
|
|
|
# Reload Nginx
|
|
systemctl enable nginx
|
|
systemctl restart nginx
|
|
NGINX_CONFIG_EOF
|
|
|
|
if [ $? -eq 0 ]; then
|
|
info "✓ Nginx configured with JWT authentication"
|
|
else
|
|
error "Failed to configure Nginx"
|
|
exit 1
|
|
fi
|
|
|
|
# Display JWT secret for token generation
|
|
echo ""
|
|
info "JWT Authentication configured successfully!"
|
|
echo ""
|
|
warn "IMPORTANT: Save this JWT secret for token generation:"
|
|
echo " ${JWT_SECRET}"
|
|
echo ""
|
|
info "Next steps:"
|
|
echo " 1. Use the generate-jwt-token.sh script to create JWT tokens"
|
|
echo " 2. Test with: curl -k -H 'Authorization: Bearer <token>' https://${HTTP_DOMAIN}"
|
|
echo " 3. Update DNS records to point rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org to ${IP}"
|
|
|