proxmox/scripts/configure-nginx-rpc-2500.sh

#!/usr/bin/env bash
# Configure Nginx for Core RPC Node (VMID 2500)
# This configures Nginx as a reverse proxy for Besu RPC endpoints

set -e

VMID=2500
HOSTNAME="besu-rpc-1"
IP="192.168.11.250"
PROXMOX_HOST="192.168.11.10"

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }

log_info "Configuring Nginx for Core RPC Node (VMID $VMID)"
log_info "Hostname: $HOSTNAME"
log_info "IP: $IP"
echo ""

# Create Nginx configuration
sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- bash" <<'NGINX_CONFIG_EOF'
cat > /etc/nginx/sites-available/rpc-core <<'EOF'
# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name besu-rpc-1 192.168.11.250 rpc-core.besu.local rpc-core.chainid138.local;
    
    # Redirect all HTTP to HTTPS
    return 301 https://$host$request_uri;
}

# HTTPS server - HTTP RPC API (port 8545)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name besu-rpc-1 192.168.11.250 rpc-core.besu.local rpc-core.chainid138.local;

    # SSL configuration
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Logging
    access_log /var/log/nginx/rpc-core-http-access.log;
    error_log /var/log/nginx/rpc-core-http-error.log;

    # Increase timeouts for RPC calls
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    send_timeout 300s;
    client_max_body_size 10M;

    # HTTP RPC endpoint (port 8545)
    location / {
        proxy_pass http://127.0.0.1:8545;
        proxy_http_version 1.1;
        
        # Headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        
        # Buffer settings (disable for RPC)
        proxy_buffering off;
        proxy_request_buffering off;
        
        # CORS headers (if needed for web apps)
        add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
        
        # Handle OPTIONS requests
        if ($request_method = OPTIONS) {
            return 204;
        }
    }

    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }

    # Metrics endpoint (if exposed)
    location /metrics {
        proxy_pass http://127.0.0.1:9545;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# HTTPS server - WebSocket RPC API (port 8546)
server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name besu-rpc-1 192.168.11.250 rpc-core-ws.besu.local rpc-core-ws.chainid138.local;

    # SSL configuration
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Logging
    access_log /var/log/nginx/rpc-core-ws-access.log;
    error_log /var/log/nginx/rpc-core-ws-error.log;

    # WebSocket RPC endpoint (port 8546)
    location / {
        proxy_pass http://127.0.0.1:8546;
        proxy_http_version 1.1;
        
        # WebSocket headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Long timeouts for WebSocket connections
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
        proxy_connect_timeout 300s;
    }

    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
}
EOF

# Enable the site
ln -sf /etc/nginx/sites-available/rpc-core /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default

# Test configuration
nginx -t

# Reload Nginx
systemctl enable nginx
systemctl restart nginx
NGINX_CONFIG_EOF

if [ $? -eq 0 ]; then
    log_success "Nginx configuration created"
else
    log_error "Failed to create Nginx configuration"
    exit 1
fi

# Verify Nginx is running
log_info "Verifying Nginx status..."
if sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- systemctl is-active nginx >/dev/null 2>&1"; then
    log_success "Nginx service is active"
else
    log_error "Nginx service is not active"
    exit 1
fi

# Check if ports are listening
log_info "Checking listening ports..."
PORTS=$(sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- ss -tlnp 2>&1 | grep -E ':80|:443|:8443' || echo ''")

if echo "$PORTS" | grep -q ':80'; then
    log_success "Port 80 is listening"
else
    log_warn "Port 80 may not be listening"
fi

if echo "$PORTS" | grep -q ':443'; then
    log_success "Port 443 is listening"
else
    log_warn "Port 443 may not be listening"
fi

if echo "$PORTS" | grep -q ':8443'; then
    log_success "Port 8443 is listening"
else
    log_warn "Port 8443 may not be listening"
fi

# Test RPC endpoint through Nginx
log_info "Testing RPC endpoint through Nginx..."
RPC_TEST=$(sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- timeout 5 curl -k -s -X POST https://localhost:443 \
    -H 'Content-Type: application/json' \
    -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}' 2>&1 || echo 'FAILED'")

if echo "$RPC_TEST" | grep -q "result"; then
    BLOCK_NUM=$(echo "$RPC_TEST" | grep -oP '"result":"\K[^"]+' | head -1)
    log_success "RPC endpoint is responding through Nginx!"
    log_info "Current block: $BLOCK_NUM"
else
    log_warn "RPC endpoint test failed or needs more time"
    log_info "Response: $RPC_TEST"
fi

echo ""
log_success "Nginx configuration complete!"
echo ""
log_info "Configuration Summary:"
log_info "  - HTTP RPC: https://$IP:443 (proxies to localhost:8545)"
log_info "  - WebSocket RPC: https://$IP:8443 (proxies to localhost:8546)"
log_info "  - HTTP redirect: http://$IP:80 → https://$IP:443"
log_info "  - Health check: https://$IP:443/health"
echo ""
log_info "Next steps:"
log_info "  1. Test from external: curl -k https://$IP:443/health"
log_info "  2. Test RPC: curl -k -X POST https://$IP:443 -H 'Content-Type: application/json' -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}'"
log_info "  3. Replace self-signed certificate with Let's Encrypt if needed"
log_info "  4. Configure firewall rules if needed"