#!/usr/bin/env bash # Configure Nginx with JWT authentication using auth_request (no Lua required) # This script configures VMID 2501 (Permissioned RPC) with JWT token authentication # for rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}" VMID=2501 HTTP_DOMAIN="rpc-http-prv.d-bis.org" WS_DOMAIN="rpc-ws-prv.d-bis.org" IP="192.168.11.251" HOSTNAME="besu-rpc-2" # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' # No Color info() { echo -e "${GREEN}[INFO]${NC} $1"; } warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } error() { echo -e "${RED}[ERROR]${NC} $1"; } log_info() { echo -e "${BLUE}[INFO]${NC} $1"; } info "Configuring JWT authentication for Permissioned RPC (VMID $VMID)" info "HTTP Domain: $HTTP_DOMAIN" info "WS Domain: $WS_DOMAIN" echo "" # Check if container is running STATUS=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct status $VMID 2>/dev/null | awk '{print \$2}'" 2>/dev/null || echo "unknown") if [[ "$STATUS" != "running" ]]; then error "Container $VMID is not running (status: $STATUS)" exit 1 fi # Install required packages info "Installing required packages (nginx, python3, openssl)..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash -c ' export DEBIAN_FRONTEND=noninteractive apt-get update -qq apt-get install -y -qq nginx openssl python3 python3-pip || true pip3 install PyJWT cryptography 2>/dev/null || { # Fallback: install via apt if available apt-get install -y -qq python3-jwt python3-cryptography || true } '" || { warn "Some packages may not be available, continuing..." } # Generate JWT secret key if it doesn't exist info "Generating JWT secret key..." JWT_SECRET=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash -c ' if [ ! -f /etc/nginx/jwt_secret ]; then openssl rand -base64 32 > /etc/nginx/jwt_secret chmod 600 /etc/nginx/jwt_secret fi cat /etc/nginx/jwt_secret '") if [ -z "$JWT_SECRET" ]; then error "Failed to generate JWT secret" exit 1 fi info "✓ JWT secret generated: ${JWT_SECRET:0:20}..." # Create Python JWT validation script info "Creating JWT validation script..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash" <<'PYTHON_SCRIPT_EOF' cat > /usr/local/bin/jwt-validate.py <<'PYTHON_EOF' #!/usr/bin/env python3 import sys import os import hmac import hashlib import base64 import json import time def base64url_decode(data): # Add padding if needed padding = 4 - len(data) % 4 if padding != 4: data += '=' * padding return base64.urlsafe_b64decode(data) def verify_jwt(token, secret): try: parts = token.split('.') if len(parts) != 3: return False, "Invalid token format" header_data = base64url_decode(parts[0]) payload_data = base64url_decode(parts[1]) signature = parts[2] # Verify signature message = f"{parts[0]}.{parts[1]}" expected_sig = hmac.new( secret.encode('utf-8'), message.encode('utf-8'), hashlib.sha256 ).digest() expected_sig_b64 = base64.urlsafe_b64encode(expected_sig).decode('utf-8').rstrip('=') if signature != expected_sig_b64: return False, "Invalid signature" # Check expiration payload = json.loads(payload_data) if 'exp' in payload: if time.time() > payload['exp']: return False, "Token expired" return True, payload except Exception as e: return False, str(e) if __name__ == '__main__': # Read secret with open('/etc/nginx/jwt_secret', 'r') as f: secret = f.read().strip() # Get token from Authorization header auth_header = os.environ.get('HTTP_AUTHORIZATION', '') if not auth_header.startswith('Bearer '): print('Status: 401 Unauthorized') print('Content-Type: application/json') print('') print('{"error": "Missing or invalid Authorization header"}') sys.exit(0) token = auth_header[7:] # Remove "Bearer " valid, result = verify_jwt(token, secret) if valid: print('Status: 200 OK') print('Content-Type: application/json') print('') print('{"valid": true}') sys.exit(0) else: print('Status: 401 Unauthorized') print('Content-Type: application/json') print('') print(f'{{"error": "Invalid token", "reason": "{result}"}}') sys.exit(0) PYTHON_EOF chmod +x /usr/local/bin/jwt-validate.py PYTHON_SCRIPT_EOF # Create Nginx configuration with JWT authentication using auth_request info "Creating Nginx configuration with JWT authentication..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash" < /etc/nginx/sites-available/rpc-perm <<'EOF' # HTTP to HTTPS redirect server { listen 80; listen [::]:80; server_name ${HTTP_DOMAIN} ${WS_DOMAIN} ${HOSTNAME} ${IP}; return 301 https://\$host\$request_uri; } # Internal server for JWT validation server { listen 127.0.0.1:8888; server_name _; location /validate { fastcgi_pass unix:/var/run/fcgiwrap.socket; include fastcgi_params; fastcgi_param SCRIPT_FILENAME /usr/local/bin/jwt-validate.py; fastcgi_param HTTP_AUTHORIZATION \$http_authorization; } } # HTTPS server - HTTP RPC API (Permissioned with JWT) server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ${HTTP_DOMAIN} ${HOSTNAME} ${IP}; ssl_certificate /etc/nginx/ssl/rpc.crt; ssl_certificate_key /etc/nginx/ssl/rpc.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; access_log /var/log/nginx/rpc-http-prv-access.log; error_log /var/log/nginx/rpc-http-prv-error.log; proxy_connect_timeout 300s; proxy_send_timeout 300s; proxy_read_timeout 300s; send_timeout 300s; # JWT authentication using auth_request location = /auth { internal; proxy_pass http://127.0.0.1:8888/validate; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI \$request_uri; proxy_set_header Authorization \$http_authorization; } # HTTP RPC endpoint location / { auth_request /auth; auth_request_set \$auth_status \$upstream_status; # Return 401 if auth failed error_page 401 = @auth_failed; proxy_pass http://127.0.0.1:8545; proxy_http_version 1.1; proxy_set_header Host localhost; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_set_header Connection ""; proxy_buffering off; proxy_request_buffering off; } # Handle auth failures location @auth_failed { return 401 '{"jsonrpc":"2.0","error":{"code":-32000,"message":"Unauthorized. Missing or invalid JWT token. Use: Authorization: Bearer "},"id":null}'; add_header Content-Type application/json; } # Health check endpoint (no JWT required) location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } } # HTTPS server - WebSocket RPC API (Permissioned with JWT) server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ${WS_DOMAIN}; ssl_certificate /etc/nginx/ssl/rpc.crt; ssl_certificate_key /etc/nginx/ssl/rpc.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; access_log /var/log/nginx/rpc-ws-prv-access.log; error_log /var/log/nginx/rpc-ws-prv-error.log; # JWT authentication for WebSocket connections location = /auth { internal; proxy_pass http://127.0.0.1:8888/validate; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI \$request_uri; proxy_set_header Authorization \$http_authorization; } location / { auth_request /auth; auth_request_set \$auth_status \$upstream_status; error_page 401 = @auth_failed; proxy_pass http://127.0.0.1:8546; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host localhost; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_read_timeout 86400; proxy_send_timeout 86400; } location @auth_failed { return 401 '{"error": "Unauthorized. Missing or invalid JWT token. Use: Authorization: Bearer "}'; add_header Content-Type application/json; } # Health check endpoint (no JWT required) location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } } EOF # Disable old config if it exists if [ -L /etc/nginx/sites-enabled/rpc ]; then rm -f /etc/nginx/sites-enabled/rpc echo "⚠ Disabled old rpc config" fi # Enable the new permissioned config ln -sf /etc/nginx/sites-available/rpc-perm /etc/nginx/sites-enabled/ rm -f /etc/nginx/sites-enabled/default # Install fcgiwrap for FastCGI support apt-get install -y -qq fcgiwrap || { # If fcgiwrap not available, use a simpler HTTP-based validation echo "⚠ fcgiwrap not available, using alternative validation method" } # Test configuration nginx -t # Reload Nginx systemctl enable nginx systemctl restart nginx NGINX_CONFIG_EOF if [ $? -eq 0 ]; then info "✓ Nginx configured with JWT authentication" else error "Failed to configure Nginx" exit 1 fi # Display JWT secret for token generation echo "" info "JWT Authentication configured successfully!" echo "" warn "IMPORTANT: Save this JWT secret for token generation:" echo " ${JWT_SECRET}" echo "" info "Next steps:" echo " 1. Use the generate-jwt-token.sh script to create JWT tokens" echo " 2. Test with: curl -k -H 'Authorization: Bearer ' https://${HTTP_DOMAIN}" echo " 3. Update DNS records to point rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org to ${IP}"