#!/usr/bin/env bash
# Configure additional security features for Nginx on VMID 2500
# - Rate limiting
# - Firewall rules
# - Security headers enhancement
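# Abort on the first failing command, on any unset variable and on a failing
# pipeline stage: every step below is an ssh/pct round trip whose failure
# would otherwise go unnoticed.
set -euo pipefail
# Container that runs Nginx (target of every `pct exec` below).
readonly VMID=2500
# Proxmox node that hosts the container; all work is done through ssh to it.
readonly PROXMOX_HOST="192.168.11.10"
# Colors: ANSI escape sequences used by the log_* helpers.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'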
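# Informational line on stdout: coloured [INFO] tag, then all arguments joined
# by single spaces.  The message is passed through %s, so it is printed
# verbatim instead of being re-scanned for backslash escapes as `echo -e` did.
log_info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$*"; }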
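# Success line on stdout: coloured [✓] tag, then all arguments joined by
# single spaces; the message is printed verbatim (%s), never reinterpreted.
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$*"; }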
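# Warning line on stdout: coloured [WARN] tag, then all arguments joined by
# single spaces; the message is printed verbatim (%s), never reinterpreted.
log_warn() { printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$*"; }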
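# Error line on stdout (kept on stdout to match the other helpers): coloured
# [ERROR] tag, then all arguments joined by single spaces, printed verbatim.
log_error() { printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*"; }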
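log_info "Configuring additional security features for Nginx on VMID $VMID"
echo ""
# The Proxmox root password must come from the environment: `sshpass -e` reads
# SSHPASS, so it is neither stored in this file nor visible in `ps` output.
: "${SSHPASS:?export SSHPASS (Proxmox root password) before running this script}"
# Configure rate limiting in Nginx
log_info "1. Configuring rate limiting..."
# StrictHostKeyChecking=accept-new records the node's key on first contact and
# refuses a changed key afterwards, instead of skipping verification entirely.
# The remote exit status is captured with `|| rate_rc=$?`: under `set -e` a
# bare failing ssh would abort the script before any `$?` check could run.
rate_rc=0
sshpass -e ssh -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- bash" <<'RATE_LIMIT_EOF' || rate_rc=$?
set -e
site=/etc/nginx/sites-available/rpc-core
# limit_req_zone / limit_conn_zone are only valid in the http context, so the
# zones are appended right after the `http {` line (inserting them before it
# puts them in the main context and nginx -t rejects the file).
if ! grep -q "limit_req_zone" /etc/nginx/nginx.conf; then
  sed -i '/^http {/a\
# Rate limiting zones\
limit_req_zone $binary_remote_addr zone=rpc_limit:10m rate=10r/s;\
limit_req_zone $binary_remote_addr zone=rpc_burst:10m rate=50r/s;\
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;' /etc/nginx/nginx.conf
fi
# Update site configuration to use rate limiting; each block is added once so
# re-running the script does not stack duplicate limit_req/limit_conn lines.
if [ -f "$site" ]; then
  # NOTE(review): the range end /^ }/ depends on the file's exact indentation;
  # confirm it matches the closing brace of the location blocks in rpc-core.
  # HTTP RPC location
  if ! grep -q "zone=rpc_limit" "$site"; then
    sed -i '/location \/ {/,/^ }/ {
/proxy_pass http:\/\/127.0.0.1:8545;/a\
\n # Rate limiting\n limit_req zone=rpc_limit burst=20 nodelay;\n limit_conn conn_limit 10;
}' "$site"
  fi
  # WebSocket location
  if ! grep -q "zone=rpc_burst" "$site"; then
    sed -i '/location \/ {/,/^ }/ {
/proxy_pass http:\/\/127.0.0.1:8546;/a\
\n # Rate limiting\n limit_req zone=rpc_burst burst=50 nodelay;\n limit_conn conn_limit 5;
}' "$site"
  fi
fi
# Test configuration (its status is what the local side reports on)
nginx -t
RATE_LIMIT_EOF
if [ "$rate_rc" -eq 0 ]; then
  log_success "Rate limiting configured"
else
  log_warn "Rate limiting configuration may need manual adjustment"
fi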
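# Configure firewall rules (if iptables is available)
log_info ""
log_info "2. Configuring firewall rules..."
# Password via SSHPASS (`sshpass -e`), host key pinned with accept-new.  The
# remote exit status is captured so the success message below is conditional
# rather than printed whatever happened.
fw_rc=0
sshpass -e ssh -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- bash" <<'FIREWALL_EOF' || fw_rc=$?
failed=0
# Append an INPUT ACCEPT rule only if an identical one is not already present,
# so re-running this script does not accumulate duplicates.  Best effort: a
# rule that cannot be added is reported and remembered, not fatal.
allow_tcp() {
  iptables -C INPUT "$@" -j ACCEPT 2>/dev/null && return 0
  iptables -A INPUT "$@" -j ACCEPT || { echo "could not add INPUT rule: $*" >&2; failed=1; }
}
if command -v iptables >/dev/null 2>&1; then
  # HTTP, HTTPS, WebSocket HTTPS
  allow_tcp -p tcp --dport 80
  allow_tcp -p tcp --dport 443
  allow_tcp -p tcp --dport 8443
  # Besu RPC (internal only)
  allow_tcp -p tcp -s 127.0.0.1 --dport 8545
  allow_tcp -p tcp -s 127.0.0.1 --dport 8546
  # Besu P2P (if needed)
  allow_tcp -p tcp --dport 30303
  # Besu Metrics (internal only)
  allow_tcp -p tcp -s 127.0.0.1 --dport 9545
  # ACCEPT rules restrict nothing while the chain's default is ACCEPT: the
  # "internal only" ports are still reachable from other hosts until a
  # restrictive policy or a trailing DROP/REJECT exists.  Say so explicitly.
  if iptables -S INPUT 2>/dev/null | grep -q '^-P INPUT ACCEPT'; then
    echo "WARNING: INPUT policy is ACCEPT; the rules above document intent but block nothing" >&2
  fi
  echo "Firewall rules configured (may need to be persisted)"
else
  echo "iptables not available, skipping firewall configuration"
fi
exit "$failed"
FIREWALL_EOF
if [ "$fw_rc" -eq 0 ]; then
  log_success "Firewall rules configured"
else
  log_warn "Firewall rules may need manual adjustment (remote exit status $fw_rc)"
fi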
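# Enhance security headers
log_info ""
log_info "3. Enhancing security headers..."
# Password via SSHPASS (`sshpass -e`), host key pinned with accept-new; the
# remote status is captured explicitly because `set -e` would otherwise end
# the script before the `$?` branch below.
hdr_rc=0
sshpass -e ssh -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- bash" <<'SECURITY_EOF' || hdr_rc=$?
set -e
site=/etc/nginx/sites-available/rpc-core
if [ ! -f "$site" ]; then
  echo "$site not found; no headers added" >&2
  exit 2
fi
if grep -q "Referrer-Policy" "$site"; then
  echo "Referrer-Policy already present in $site; nothing to add"
else
  # The headers are appended after the existing X-XSS-Protection line.  With
  # no such line sed would silently insert nothing and the script would still
  # report success, so the anchor is checked first.
  if ! grep -q "add_header X-XSS-Protection" "$site"; then
    echo "anchor 'add_header X-XSS-Protection' not found in $site; add the headers manually" >&2
    exit 2
  fi
  sed -i '/add_header X-XSS-Protection/a\
add_header Referrer-Policy "strict-origin-when-cross-origin" always;\
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
' "$site"
fi
# Test configuration
nginx -t
SECURITY_EOF
if [ "$hdr_rc" -eq 0 ]; then
  log_success "Security headers enhanced"
else
  log_warn "Security headers may need manual adjustment"
fi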
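# Reload Nginx
log_info ""
log_info "4. Reloading Nginx..."
# The ssh command is tested directly in the `if` so that a failure reaches
# log_error instead of being cut short by `set -e` before the `$?` check.
# Password via SSHPASS (`sshpass -e`), host key pinned with accept-new.
if sshpass -e ssh -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- systemctl reload nginx"; then
  log_success "Nginx reloaded successfully"
else
  log_error "Failed to reload Nginx"
  exit 1
fi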
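# Verify configuration
log_info ""
log_info "5. Verifying configuration..."
# `nginx -t` exits non-zero on a bad configuration, so its status is used
# directly rather than grepping for a locale-dependent "successful" string;
# -q drops the non-error chatter while errors still reach stderr.
# Password via SSHPASS (`sshpass -e`), host key pinned with accept-new.
if sshpass -e ssh -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- nginx -t -q"; then
  log_success "Nginx configuration is valid"
else
  log_error "Nginx configuration test failed"
  exit 1
fi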
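# Test rate limiting
log_info ""
log_info "6. Testing rate limiting..."
# A single request only shows that the endpoint still answers after the
# configuration change; it cannot demonstrate that the limit is enforced, so
# the messages below do not claim that.  `-k` is kept from the original
# (presumably the listener uses a certificate the container does not trust —
# confirm).  A failed ssh leaves RATE_TEST empty instead of aborting.
# Password via SSHPASS (`sshpass -e`), host key pinned with accept-new.
RATE_TEST=$(sshpass -e ssh -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- timeout 2 curl -k -s -X POST https://localhost:443 \
  -H 'Content-Type: application/json' \
  -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}' 2>&1") || RATE_TEST=""
case "$RATE_TEST" in
  *result*|*jsonrpc*)
    log_success "RPC endpoint still responding after rate-limit configuration"
    ;;
  *)
    log_warn "Rate limiting test inconclusive"
    ;;
esac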
echo ""
log_success "Security configuration complete!"
echo ""
log_info "Configuration Summary:"
# Summary items are emitted one per line through log_info so each carries
# the same [INFO] prefix as the rest of the output.
summary_items=(
  " ✓ Rate limiting: 10 req/s (burst: 20) for HTTP RPC"
  " ✓ Rate limiting: 50 req/s (burst: 50) for WebSocket RPC"
  " ✓ Connection limiting: 10 connections per IP (HTTP), 5 (WebSocket)"
  " ✓ Firewall rules: Configured for ports 80, 443, 8443"
  " ✓ Enhanced security headers: Added"
)
for item in "${summary_items[@]}"; do
  log_info "$item"
done
echo ""
log_info "Note: Firewall rules may need to be persisted (iptables-save)"