cb47cce074
- Organized 252 files across project - Root directory: 187 → 2 files (98.9% reduction) - Moved configuration guides to docs/04-configuration/ - Moved troubleshooting guides to docs/09-troubleshooting/ - Moved quick start guides to docs/01-getting-started/ - Moved reports to reports/ directory - Archived temporary files - Generated comprehensive reports and documentation - Created maintenance scripts and guides All files organized according to established standards.
296 lines
11 KiB
Bash
Executable File
296 lines
11 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Complete SSL setup for Blockscout with Cloudflare Tunnel
|
|
# Sets up Let's Encrypt certificates, Nginx SSL, and Cloudflare tunnel HTTPS
|
|
# Usage: ./setup-blockscout-ssl-complete.sh
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
ENV_FILE="${ENV_FILE:-$SCRIPT_DIR/../.env}"
|
|
|
|
# Configuration
|
|
VMID="${VMID:-5000}"
|
|
IP="${IP:-192.168.11.140}"
|
|
DOMAIN="${DOMAIN:-explorer.d-bis.org}"
|
|
BLOCKSCOUT_PORT="${BLOCKSCOUT_PORT:-4000}"
|
|
PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
|
|
EMAIL="${EMAIL:-admin@d-bis.org}"
|
|
PASSWORD="${PASSWORD:-L@kers2010}"
|
|
|
|
# Colors
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
CYAN='\033[0;36m'
|
|
NC='\033[0m'
|
|
|
|
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
|
|
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
|
|
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
|
|
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
|
|
|
|
# Load environment variables
|
|
if [ -f "$ENV_FILE" ]; then
|
|
source "$ENV_FILE"
|
|
fi
|
|
|
|
echo "════════════════════════════════════════════════════════"
|
|
echo "Blockscout SSL Setup with Cloudflare Tunnel"
|
|
echo "════════════════════════════════════════════════════════"
|
|
echo ""
|
|
echo "Configuration:"
|
|
echo " VMID: $VMID"
|
|
echo " IP: $IP"
|
|
echo " Domain: $DOMAIN"
|
|
echo " Email: $EMAIL"
|
|
echo ""
|
|
|
|
# Function to execute command in container (direct SSH to container IP)
|
|
exec_container() {
|
|
local cmd="$1"
|
|
sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no root@"$IP" "bash -c '$cmd'" 2>&1
|
|
}
|
|
|
|
# Step 1: Install Certbot
|
|
log_info "Step 1: Installing Certbot..."
|
|
exec_container "export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install -y -qq certbot python3-certbot-nginx" || {
|
|
log_error "Failed to install Certbot"
|
|
exit 1
|
|
}
|
|
log_success "Certbot installed"
|
|
|
|
# Step 2: Configure Nginx for ACME challenge (HTTP port 80)
|
|
log_info "Step 2: Configuring Nginx for ACME challenge..."
|
|
# Create config file locally then copy
|
|
cat > /tmp/blockscout-nginx-acme.conf <<EOF
|
|
# HTTP server - for Let's Encrypt ACME challenge
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name $DOMAIN $IP;
|
|
|
|
# Allow Let's Encrypt ACME challenges
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/html;
|
|
try_files \$uri =404;
|
|
}
|
|
|
|
# Temporary: proxy to Blockscout for testing (will redirect to HTTPS after cert)
|
|
location / {
|
|
proxy_pass http://127.0.0.1:$BLOCKSCOUT_PORT;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_read_timeout 300s;
|
|
}
|
|
}
|
|
EOF
|
|
|
|
sshpass -p "$PASSWORD" scp -o StrictHostKeyChecking=no /tmp/blockscout-nginx-acme.conf root@"$IP":/etc/nginx/sites-available/blockscout
|
|
exec_container "mkdir -p /var/www/html/.well-known/acme-challenge && chown -R www-data:www-data /var/www/html && ln -sf /etc/nginx/sites-available/blockscout /etc/nginx/sites-enabled/ && rm -f /etc/nginx/sites-enabled/default && nginx -t && systemctl reload nginx" || {
|
|
log_error "Failed to configure Nginx"
|
|
exit 1
|
|
}
|
|
log_success "Nginx configured for ACME challenge"
|
|
|
|
# Step 3: Obtain SSL certificate from Let's Encrypt
|
|
log_info "Step 3: Obtaining SSL certificate from Let's Encrypt..."
|
|
log_info "This may take a minute..."
|
|
CERT_RESULT=$(exec_container "certbot certonly --nginx -d $DOMAIN --non-interactive --agree-tos --email $EMAIL --keep-until-expiring 2>&1" || echo "FAILED")
|
|
|
|
if echo "$CERT_RESULT" | grep -q "Successfully received certificate"; then
|
|
log_success "SSL certificate obtained successfully"
|
|
CERT_PATH="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
|
|
KEY_PATH="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
|
|
else
|
|
log_error "Failed to obtain SSL certificate"
|
|
echo "$CERT_RESULT" | tail -20
|
|
exit 1
|
|
fi
|
|
|
|
# Step 4: Configure Nginx with SSL
|
|
log_info "Step 4: Configuring Nginx with SSL certificates..."
|
|
cat > /tmp/blockscout-nginx-ssl.conf <<EOF
|
|
# HTTP server - redirect to HTTPS
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name $DOMAIN $IP;
|
|
|
|
# Allow Let's Encrypt ACME challenges
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/html;
|
|
try_files \$uri =404;
|
|
}
|
|
|
|
# Redirect all other traffic to HTTPS
|
|
location / {
|
|
return 301 https://\$host\$request_uri;
|
|
}
|
|
}
|
|
|
|
# HTTPS server - Blockscout Explorer
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name $DOMAIN $IP;
|
|
|
|
# SSL configuration
|
|
ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
# Security headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/blockscout-access.log;
|
|
error_log /var/log/nginx/blockscout-error.log;
|
|
|
|
# Increase timeouts for Blockscout requests
|
|
proxy_connect_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
proxy_read_timeout 300s;
|
|
send_timeout 300s;
|
|
|
|
# Client body size (for large contract verification uploads)
|
|
client_max_body_size 100M;
|
|
|
|
# Blockscout Explorer endpoint
|
|
location / {
|
|
proxy_pass http://127.0.0.1:$BLOCKSCOUT_PORT;
|
|
proxy_http_version 1.1;
|
|
|
|
# Headers
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_set_header Connection "";
|
|
|
|
# Buffer settings
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
|
|
# WebSocket support
|
|
proxy_set_header Upgrade \$http_upgrade;
|
|
proxy_set_header Connection \$connection_upgrade;
|
|
}
|
|
|
|
# API endpoint
|
|
location /api/ {
|
|
proxy_pass http://127.0.0.1:$BLOCKSCOUT_PORT;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_read_timeout 300s;
|
|
}
|
|
|
|
# Health check endpoint
|
|
location /health {
|
|
access_log off;
|
|
proxy_pass http://127.0.0.1:$BLOCKSCOUT_PORT/api/v2/status;
|
|
proxy_set_header Host \$host;
|
|
add_header Content-Type application/json;
|
|
}
|
|
}
|
|
|
|
# WebSocket upgrade mapping
|
|
map \$http_upgrade \$connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
EOF
|
|
|
|
sshpass -p "$PASSWORD" scp -o StrictHostKeyChecking=no /tmp/blockscout-nginx-ssl.conf root@"$IP":/etc/nginx/sites-available/blockscout
|
|
exec_container "nginx -t && systemctl reload nginx" || {
|
|
log_error "Failed to configure Nginx with SSL"
|
|
exit 1
|
|
}
|
|
log_success "Nginx configured with SSL"
|
|
|
|
# Step 5: Set up auto-renewal
|
|
log_info "Step 5: Setting up certificate auto-renewal..."
|
|
exec_container "systemctl enable certbot.timer && systemctl start certbot.timer" || {
|
|
log_warn "Failed to enable certbot timer (may already be enabled)"
|
|
}
|
|
log_success "Auto-renewal configured"
|
|
|
|
# Step 6: Update Blockscout to use HTTPS
|
|
log_info "Step 6: Updating Blockscout configuration for HTTPS..."
|
|
exec_container "cd /opt/blockscout && if [ -f docker-compose.yml ]; then sed -i 's|BLOCKSCOUT_PROTOCOL=http|BLOCKSCOUT_PROTOCOL=https|g' docker-compose.yml && sed -i 's|BLOCKSCOUT_HOST=192.168.11.140|BLOCKSCOUT_HOST=$DOMAIN|g' docker-compose.yml && docker-compose restart blockscout 2>/dev/null || docker compose restart blockscout 2>/dev/null || true && echo 'Blockscout configuration updated'; else echo 'docker-compose.yml not found, skipping Blockscout config update'; fi" || {
|
|
log_warn "Failed to update Blockscout configuration (may need manual update)"
|
|
}
|
|
|
|
# Step 7: Update Cloudflare Tunnel to use HTTPS
|
|
log_info "Step 7: Updating Cloudflare Tunnel route to HTTPS..."
|
|
if [ -f "$SCRIPT_DIR/configure-cloudflare-tunnel-route.sh" ]; then
|
|
export EXPLORER_IP="$IP"
|
|
export EXPLORER_PORT="443"
|
|
bash "$SCRIPT_DIR/configure-cloudflare-tunnel-route.sh" || {
|
|
log_warn "Failed to update Cloudflare tunnel route automatically"
|
|
log_info "Manual update needed: Change tunnel route to https://$IP:443"
|
|
}
|
|
else
|
|
log_warn "Cloudflare tunnel route script not found"
|
|
log_info "Manual update needed: Change tunnel route to https://$IP:443"
|
|
fi
|
|
|
|
# Step 8: Test SSL configuration
|
|
log_info "Step 8: Testing SSL configuration..."
|
|
sleep 5
|
|
|
|
SSL_TEST=$(exec_container "timeout 5 curl -k -s -o /dev/null -w '%{http_code}' https://localhost/health 2>&1" || echo "000")
|
|
if [ "$SSL_TEST" = "200" ] || [ "$SSL_TEST" = "301" ] || [ "$SSL_TEST" = "302" ]; then
|
|
log_success "HTTPS is working (HTTP $SSL_TEST)"
|
|
else
|
|
log_warn "HTTPS test returned: HTTP $SSL_TEST"
|
|
fi
|
|
|
|
# Step 9: Verify certificate
|
|
log_info "Step 9: Verifying SSL certificate..."
|
|
CERT_INFO=$(exec_container "openssl x509 -in /etc/letsencrypt/live/$DOMAIN/fullchain.pem -noout -subject -issuer -dates 2>&1" || echo "")
|
|
if [ -n "$CERT_INFO" ]; then
|
|
log_success "Certificate details:"
|
|
echo "$CERT_INFO" | while read line; do
|
|
log_info " $line"
|
|
done
|
|
fi
|
|
|
|
echo ""
|
|
echo "════════════════════════════════════════════════════════"
|
|
echo "SSL Setup Complete!"
|
|
echo "════════════════════════════════════════════════════════"
|
|
echo ""
|
|
log_success "Configuration Summary:"
|
|
echo " Domain: $DOMAIN"
|
|
echo " SSL Certificate: /etc/letsencrypt/live/$DOMAIN/"
|
|
echo " HTTPS Port: 443"
|
|
echo " HTTP Port: 80 (redirects to HTTPS)"
|
|
echo ""
|
|
log_info "Access Points:"
|
|
echo " Internal HTTPS: https://$IP"
|
|
echo " External HTTPS: https://$DOMAIN"
|
|
echo " Health Check: https://$DOMAIN/health"
|
|
echo ""
|
|
log_info "Next Steps:"
|
|
echo " 1. Verify Cloudflare tunnel route points to https://$IP:443"
|
|
echo " 2. Test external access: curl https://$DOMAIN/health"
|
|
echo " 3. Monitor certificate renewal: systemctl status certbot.timer"
|
|
echo ""
|
|
|
|
# Cleanup
|
|
rm -f /tmp/blockscout-nginx-acme.conf /tmp/blockscout-nginx-ssl.conf
|