scripts/render-rpc-access-gate-nginx.sh

#!/usr/bin/env bash

set -euo pipefail

PRODUCT_SLUG=""
SERVER_NAME=""
OUTPUT_PATH=""
INTERNAL_SECRET="${ACCESS_INTERNAL_SECRET:-}"
VALIDATOR_URL="http://127.0.0.1:8081/api/v1/access/internal/validate-key"
UPSTREAM_URL=""

usage() {
  cat <<'EOF'
Render a lane-specific nginx auth_request gate for explorer-managed RPC access.

Usage:
  bash explorer-monorepo/scripts/render-rpc-access-gate-nginx.sh \
    --product thirdweb-rpc \
    --server-name thirdweb-rpc.example.org \
    --internal-secret "$ACCESS_INTERNAL_SECRET" \
    [--output /etc/nginx/conf.d/thirdweb-rpc-gated.conf] \
    [--validator-url http://127.0.0.1:8081/api/v1/access/internal/validate-key] \
    [--upstream http://192.168.11.217:8545]

Supported products:
  - core-rpc
  - alltra-rpc
  - thirdweb-rpc

Notes:
  - --server-name is required because public/internal hostnames vary by deployment.
  - --internal-secret is required so nginx can authenticate to the explorer validator.
  - --output writes the rendered config to disk; otherwise the config is printed to stdout.
EOF
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --product)
      PRODUCT_SLUG="$2"
      shift 2
      ;;
    --server-name)
      SERVER_NAME="$2"
      shift 2
      ;;
    --output)
      OUTPUT_PATH="$2"
      shift 2
      ;;
    --internal-secret)
      INTERNAL_SECRET="$2"
      shift 2
      ;;
    --validator-url)
      VALIDATOR_URL="$2"
      shift 2
      ;;
    --upstream)
      UPSTREAM_URL="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

if [[ -z "$PRODUCT_SLUG" ]]; then
  echo "ERROR: --product is required." >&2
  exit 1
fi

if [[ -z "$SERVER_NAME" ]]; then
  echo "ERROR: --server-name is required." >&2
  exit 1
fi

if [[ -z "$INTERNAL_SECRET" ]]; then
  echo "ERROR: --internal-secret is required. Set ACCESS_INTERNAL_SECRET or pass --internal-secret." >&2
  exit 1
fi

case "$PRODUCT_SLUG" in
  core-rpc)
    DEFAULT_UPSTREAM_URL="http://192.168.11.211:8545"
    PRODUCT_COMMENT="Private Chain 138 Core RPC lane with approval-oriented access controls."
    ;;
  alltra-rpc)
    DEFAULT_UPSTREAM_URL="http://192.168.11.212:8545"
    PRODUCT_COMMENT="Alltra-managed RPC lane for partner and subscription traffic."
    ;;
  thirdweb-rpc)
    DEFAULT_UPSTREAM_URL="http://192.168.11.217:8545"
    PRODUCT_COMMENT="Thirdweb-managed RPC lane for SaaS and metered API-key traffic."
    ;;
  *)
    echo "ERROR: unsupported product slug '$PRODUCT_SLUG'." >&2
    exit 1
    ;;
esac

UPSTREAM_URL="${UPSTREAM_URL:-$DEFAULT_UPSTREAM_URL}"

rendered_config="$(
cat <<EOF
# Rendered by scripts/render-rpc-access-gate-nginx.sh
# Product: ${PRODUCT_SLUG}
# ${PRODUCT_COMMENT}

server {
    listen 443 ssl http2;
    server_name ${SERVER_NAME};

    location = /__access_validate_rpc {
        internal;
        proxy_pass ${VALIDATOR_URL};
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Access-Internal-Secret "${INTERNAL_SECRET}";
        proxy_set_header X-API-Key \$http_x_api_key;
        proxy_set_header Authorization \$http_authorization;
        proxy_set_header X-Access-Method \$request_method;
        proxy_set_header X-Access-Request-Count "1";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }

    location / {
        auth_request /__access_validate_rpc;
        auth_request_set \$validated_product \$upstream_http_x_validated_product;
        auth_request_set \$validated_tier \$upstream_http_x_validated_tier;
        auth_request_set \$validated_scopes \$upstream_http_x_validated_scopes;
        auth_request_set \$quota_remaining \$upstream_http_x_quota_remaining;

        proxy_pass ${UPSTREAM_URL};
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Validated-Product \$validated_product;
        proxy_set_header X-Validated-Tier \$validated_tier;
        proxy_set_header X-Validated-Scopes \$validated_scopes;
        proxy_set_header X-Quota-Remaining \$quota_remaining;
    }
}
EOF
)"

if [[ -n "$OUTPUT_PATH" ]]; then
  mkdir -p "$(dirname "$OUTPUT_PATH")"
  printf '%s\n' "$rendered_config" > "$OUTPUT_PATH"
  echo "Wrote rendered nginx gate config to: $OUTPUT_PATH"
else
  printf '%s\n' "$rendered_config"
fi
refactor: rename SolaceScanScout to Solace and update related configurations - Updated branding from "SolaceScanScout" to "Solace" across various files including deployment scripts, API responses, and documentation. - Changed default base URL for Playwright tests and updated security headers to reflect the new branding. - Enhanced README and API documentation to include new authentication endpoints and product access details. This refactor aligns the project branding and improves clarity in the API documentation. 2026-04-10 12:52:17 -07:00			`#!/usr/bin/env bash`

			`set -euo pipefail`

			`PRODUCT_SLUG=""`
			`SERVER_NAME=""`
			`OUTPUT_PATH=""`
			`INTERNAL_SECRET="${ACCESS_INTERNAL_SECRET:-}"`
			`VALIDATOR_URL="http://127.0.0.1:8081/api/v1/access/internal/validate-key"`
			`UPSTREAM_URL=""`

			`usage() {`
			`cat <<'EOF'`
			`Render a lane-specific nginx auth_request gate for explorer-managed RPC access.`

			`Usage:`
			`bash explorer-monorepo/scripts/render-rpc-access-gate-nginx.sh \`
			`--product thirdweb-rpc \`
			`--server-name thirdweb-rpc.example.org \`
			`--internal-secret "$ACCESS_INTERNAL_SECRET" \`
			`[--output /etc/nginx/conf.d/thirdweb-rpc-gated.conf] \`
			`[--validator-url http://127.0.0.1:8081/api/v1/access/internal/validate-key] \`
			`[--upstream http://192.168.11.217:8545]`

			`Supported products:`
			`- core-rpc`
			`- alltra-rpc`
			`- thirdweb-rpc`

			`Notes:`
			`- --server-name is required because public/internal hostnames vary by deployment.`
			`- --internal-secret is required so nginx can authenticate to the explorer validator.`
			`- --output writes the rendered config to disk; otherwise the config is printed to stdout.`
			`EOF`
			`}`

			`while [[ $# -gt 0 ]]; do`
			`case "$1" in`
			`--product)`
			`PRODUCT_SLUG="$2"`
			`shift 2`
			`;;`
			`--server-name)`
			`SERVER_NAME="$2"`
			`shift 2`
			`;;`
			`--output)`
			`OUTPUT_PATH="$2"`
			`shift 2`
			`;;`
			`--internal-secret)`
			`INTERNAL_SECRET="$2"`
			`shift 2`
			`;;`
			`--validator-url)`
			`VALIDATOR_URL="$2"`
			`shift 2`
			`;;`
			`--upstream)`
			`UPSTREAM_URL="$2"`
			`shift 2`
			`;;`
			`-h\|--help)`
			`usage`
			`exit 0`
			`;;`
			`*)`
			`echo "Unknown argument: $1" >&2`
			`usage >&2`
			`exit 1`
			`;;`
			`esac`
			`done`

			`if [[ -z "$PRODUCT_SLUG" ]]; then`
			`echo "ERROR: --product is required." >&2`
			`exit 1`
			`fi`

			`if [[ -z "$SERVER_NAME" ]]; then`
			`echo "ERROR: --server-name is required." >&2`
			`exit 1`
			`fi`

			`if [[ -z "$INTERNAL_SECRET" ]]; then`
			`echo "ERROR: --internal-secret is required. Set ACCESS_INTERNAL_SECRET or pass --internal-secret." >&2`
			`exit 1`
			`fi`

			`case "$PRODUCT_SLUG" in`
			`core-rpc)`
			`DEFAULT_UPSTREAM_URL="http://192.168.11.211:8545"`
			`PRODUCT_COMMENT="Private Chain 138 Core RPC lane with approval-oriented access controls."`
			`;;`
			`alltra-rpc)`
			`DEFAULT_UPSTREAM_URL="http://192.168.11.212:8545"`
			`PRODUCT_COMMENT="Alltra-managed RPC lane for partner and subscription traffic."`
			`;;`
			`thirdweb-rpc)`
			`DEFAULT_UPSTREAM_URL="http://192.168.11.217:8545"`
			`PRODUCT_COMMENT="Thirdweb-managed RPC lane for SaaS and metered API-key traffic."`
			`;;`
			`*)`
			`echo "ERROR: unsupported product slug '$PRODUCT_SLUG'." >&2`
			`exit 1`
			`;;`
			`esac`

			`UPSTREAM_URL="${UPSTREAM_URL:-$DEFAULT_UPSTREAM_URL}"`

			`rendered_config="$(`
			`cat <<EOF`
			`# Rendered by scripts/render-rpc-access-gate-nginx.sh`
			`# Product: ${PRODUCT_SLUG}`
			`# ${PRODUCT_COMMENT}`

			`server {`
			`listen 443 ssl http2;`
			`server_name ${SERVER_NAME};`

			`location = /__access_validate_rpc {`
			`internal;`
			`proxy_pass ${VALIDATOR_URL};`
			`proxy_pass_request_body off;`
			`proxy_set_header Content-Length "";`
			`proxy_set_header X-Access-Internal-Secret "${INTERNAL_SECRET}";`
			`proxy_set_header X-API-Key \$http_x_api_key;`
			`proxy_set_header Authorization \$http_authorization;`
			`proxy_set_header X-Access-Method \$request_method;`
			`proxy_set_header X-Access-Request-Count "1";`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`}`

			`location / {`
			`auth_request /__access_validate_rpc;`
			`auth_request_set \$validated_product \$upstream_http_x_validated_product;`
			`auth_request_set \$validated_tier \$upstream_http_x_validated_tier;`
			`auth_request_set \$validated_scopes \$upstream_http_x_validated_scopes;`
			`auth_request_set \$quota_remaining \$upstream_http_x_quota_remaining;`

			`proxy_pass ${UPSTREAM_URL};`
			`proxy_http_version 1.1;`
			`proxy_set_header Host \$host;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto \$scheme;`
			`proxy_set_header X-Validated-Product \$validated_product;`
			`proxy_set_header X-Validated-Tier \$validated_tier;`
			`proxy_set_header X-Validated-Scopes \$validated_scopes;`
			`proxy_set_header X-Quota-Remaining \$quota_remaining;`
			`}`
			`}`
			`EOF`
			`)"`

			`if [[ -n "$OUTPUT_PATH" ]]; then`
			`mkdir -p "$(dirname "$OUTPUT_PATH")"`
			`printf '%s\n' "$rendered_config" > "$OUTPUT_PATH"`
			`echo "Wrote rendered nginx gate config to: $OUTPUT_PATH"`
			`else`
			`printf '%s\n' "$rendered_config"`
			`fi`