#!/usr/bin/env bash # Configure Nginx with JWT authentication for Permissioned RPC endpoints # This script configures VMID 2501 (Permissioned RPC) with JWT token authentication # for rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}" VMID=2501 HTTP_DOMAIN="rpc-http-prv.d-bis.org" WS_DOMAIN="rpc-ws-prv.d-bis.org" IP="192.168.11.251" HOSTNAME="besu-rpc-2" # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' # No Color info() { echo -e "${GREEN}[INFO]${NC} $1"; } warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } error() { echo -e "${RED}[ERROR]${NC} $1"; } log_info() { echo -e "${BLUE}[INFO]${NC} $1"; } info "Configuring JWT authentication for Permissioned RPC (VMID $VMID)" info "HTTP Domain: $HTTP_DOMAIN" info "WS Domain: $WS_DOMAIN" echo "" # Check if container is running STATUS=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct status $VMID 2>/dev/null | awk '{print \$2}'" 2>/dev/null || echo "unknown") if [[ "$STATUS" != "running" ]]; then error "Container $VMID is not running (status: $STATUS)" exit 1 fi # Install required packages info "Installing required packages (nginx-extras for lua support, openssl)..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash -c ' export DEBIAN_FRONTEND=noninteractive export LC_ALL=C export LANG=C apt-get update -qq 2>&1 | grep -vE \"(perl: warning|locale:)\" || true # Check if nginx is installed and what version if command -v nginx >/dev/null 2>&1; then # Remove nginx-core if present and install nginx-extras which includes lua support apt-get remove -y -qq nginx-core 2>&1 | grep -vE \"(perl: warning|locale:)\" || true apt-get install -y -qq nginx-extras 2>&1 | grep -vE \"(perl: warning|locale:)\" || { echo \"Warning: nginx-extras installation had issues\" >&2 exit 1 } else # Fresh install - use nginx-extras apt-get install -y -qq nginx-extras openssl 2>&1 | grep -vE \"(perl: warning|locale:)\" || { echo \"Error: nginx-extras installation failed\" >&2 exit 1 } fi # Verify nginx-extras was installed and has Lua support if nginx -V 2>&1 | grep -q \"http_lua_module\"; then echo \"✓ nginx-extras with Lua module installed successfully\" else echo \"Error: nginx Lua module not detected after installation\" >&2 echo \"nginx -V output:\" >&2 nginx -V 2>&1 | head -5 >&2 exit 1 fi '" 2>&1 | grep -vE "(perl: warning|locale:|dpkg-preconfigure)" || { warn "Some packages may not be available, continuing with basic setup..." } # Generate JWT secret key if it doesn't exist info "Generating JWT secret key..." JWT_SECRET=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash -c ' if [ ! -f /etc/nginx/jwt_secret ]; then openssl rand -base64 32 > /etc/nginx/jwt_secret chmod 600 /etc/nginx/jwt_secret fi cat /etc/nginx/jwt_secret '") if [ -z "$JWT_SECRET" ]; then error "Failed to generate JWT secret" exit 1 fi info "✓ JWT secret generated: ${JWT_SECRET:0:20}..." # Create Lua script for JWT validation info "Creating JWT validation Lua script..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash" <<'LUA_SCRIPT_EOF' export LC_ALL=C export LANG=C cat > /etc/nginx/jwt-validate.lua <<'LUA_EOF' local jwt = require "resty.jwt" local secret = io.open("/etc/nginx/jwt_secret", "r") if not secret then ngx.log(ngx.ERR, "Failed to read JWT secret") ngx.status = 500 ngx.say('{"error": "Internal server error"}') ngx.exit(500) end local jwt_secret = secret:read("*all") secret:close() jwt_secret = jwt_secret:gsub("%s+", "") -- Get JWT token from Authorization header local auth_header = ngx.var.http_authorization if not auth_header then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"error": "Missing Authorization header"}') ngx.exit(401) end -- Extract Bearer token local token = auth_header:match("Bearer%s+(.+)") if not token then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"error": "Invalid Authorization header format. Use: Bearer "}') ngx.exit(401) end -- Validate JWT local jwt_obj = jwt:verify(jwt_secret, token) if not jwt_obj.valid then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"error": "Invalid or expired token", "reason": "' .. (jwt_obj.reason or "unknown") .. '"}') ngx.exit(401) end -- Token is valid, continue ngx.log(ngx.INFO, "JWT validated successfully for user: " .. (jwt_obj.payload.sub or "unknown")) LUA_EOF chmod 644 /etc/nginx/jwt-validate.lua LUA_SCRIPT_EOF # Install lua-resty-jwt library info "Installing lua-resty-jwt library..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash" <<'INSTALL_LUA_JWT_EOF' export LC_ALL=C export LANG=C # Install dependencies apt-get install -y -qq git curl unzip 2>&1 | grep -vE "(perl: warning|locale:|dpkg-preconfigure)" || true # Install lua-resty-jwt mkdir -p /usr/share/lua/5.1/resty cd /tmp rm -rf lua-resty-jwt* # Try to clone or download if command -v git &> /dev/null; then git clone --depth 1 https://github.com/cdbattags/lua-resty-jwt.git 2>/dev/null || { curl -L https://github.com/cdbattags/lua-resty-jwt/archive/refs/heads/master.zip -o lua-resty-jwt.zip unzip -q lua-resty-jwt.zip mv lua-resty-jwt-master lua-resty-jwt } else curl -L https://github.com/cdbattags/lua-resty-jwt/archive/refs/heads/master.zip -o lua-resty-jwt.zip 2>/dev/null || { curl -L https://github.com/cdbattags/lua-resty-jwt/archive/refs/heads/master.tar.gz | tar -xz mv lua-resty-jwt-master lua-resty-jwt } unzip -q lua-resty-jwt.zip 2>/dev/null || true fi if [ -d lua-resty-jwt/lib/resty ]; then cp -r lua-resty-jwt/lib/resty/* /usr/share/lua/5.1/resty/ echo "✓ lua-resty-jwt installed" else echo "⚠ Failed to install lua-resty-jwt, will use Python fallback" fi INSTALL_LUA_JWT_EOF # Check if Lua module is available before creating config info "Verifying nginx Lua module availability..." LUA_AVAILABLE=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash -c 'nginx -V 2>&1 | grep -q \"http_lua_module\" && echo \"yes\" || echo \"no\"'" 2>/dev/null || echo "no") if [[ "$LUA_AVAILABLE" != "yes" ]]; then error "Nginx Lua module is not available. nginx-extras may not be properly installed." error "Please run: pct exec $VMID -- apt-get install -y nginx-extras" error "Or use the Python-based script: ./scripts/configure-nginx-jwt-auth-simple.sh" exit 1 fi info "✓ Lua module confirmed available" # Create Nginx configuration with JWT authentication info "Creating Nginx configuration with JWT authentication..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $VMID -- bash" < /etc/nginx/sites-available/rpc-perm <<'EOF' # HTTP to HTTPS redirect server { listen 80; listen [::]:80; server_name ${HTTP_DOMAIN} ${WS_DOMAIN} ${HOSTNAME} ${IP}; return 301 https://\$host\$request_uri; } # HTTPS server - HTTP RPC API (Permissioned with JWT) server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ${HTTP_DOMAIN} ${HOSTNAME} ${IP}; ssl_certificate /etc/nginx/ssl/rpc.crt; ssl_certificate_key /etc/nginx/ssl/rpc.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; access_log /var/log/nginx/rpc-http-prv-access.log; error_log /var/log/nginx/rpc-http-prv-error.log; proxy_connect_timeout 300s; proxy_send_timeout 300s; proxy_read_timeout 300s; send_timeout 300s; # JWT authentication for all requests except health check location / { # Validate JWT token access_by_lua_block { local jwt = require "resty.jwt" local secret_file = io.open("/etc/nginx/jwt_secret", "r") if not secret_file then ngx.log(ngx.ERR, "Failed to read JWT secret") ngx.status = 500 ngx.exit(500) end local jwt_secret = secret_file:read("*all") secret_file:close() jwt_secret = jwt_secret:gsub("%s+", "") local auth_header = ngx.var.http_authorization if not auth_header then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"jsonrpc":"2.0","error":{"code":-32000,"message":"Missing Authorization header. Use: Authorization: Bearer "},"id":null}') ngx.exit(401) end local token = auth_header:match("Bearer%s+(.+)") if not token then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"jsonrpc":"2.0","error":{"code":-32000,"message":"Invalid Authorization header format. Use: Bearer "},"id":null}') ngx.exit(401) end local jwt_obj = jwt:verify(jwt_secret, token) if not jwt_obj.valid then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"jsonrpc":"2.0","error":{"code":-32000,"message":"Invalid or expired token","data":"' .. (jwt_obj.reason or "unknown") .. '"},"id":null}') ngx.exit(401) end } proxy_pass http://127.0.0.1:8545; proxy_http_version 1.1; proxy_set_header Host localhost; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_set_header Connection ""; proxy_buffering off; proxy_request_buffering off; } # Health check endpoint (no JWT required) location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } } # HTTPS server - WebSocket RPC API (Permissioned with JWT) server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ${WS_DOMAIN}; ssl_certificate /etc/nginx/ssl/rpc.crt; ssl_certificate_key /etc/nginx/ssl/rpc.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; access_log /var/log/nginx/rpc-ws-prv-access.log; error_log /var/log/nginx/rpc-ws-prv-error.log; # JWT authentication for WebSocket connections location / { # Validate JWT token before upgrading to WebSocket access_by_lua_block { local jwt = require "resty.jwt" local secret_file = io.open("/etc/nginx/jwt_secret", "r") if not secret_file then ngx.log(ngx.ERR, "Failed to read JWT secret") ngx.status = 500 ngx.exit(500) end local jwt_secret = secret_file:read("*all") secret_file:close() jwt_secret = jwt_secret:gsub("%s+", "") local auth_header = ngx.var.http_authorization if not auth_header then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"error": "Missing Authorization header. Use: Authorization: Bearer "}') ngx.exit(401) end local token = auth_header:match("Bearer%s+(.+)") if not token then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"error": "Invalid Authorization header format. Use: Bearer "}') ngx.exit(401) end local jwt_obj = jwt:verify(jwt_secret, token) if not jwt_obj.valid then ngx.status = 401 ngx.header["Content-Type"] = "application/json" ngx.say('{"error": "Invalid or expired token", "reason": "' .. (jwt_obj.reason or "unknown") .. '"}') ngx.exit(401) end } proxy_pass http://127.0.0.1:8546; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host localhost; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_read_timeout 86400; proxy_send_timeout 86400; } # Health check endpoint (no JWT required) location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } } EOF # Disable old config if it exists (rpc-http-pub/rpc-ws-pub on this VMID) if [ -L /etc/nginx/sites-enabled/rpc ]; then rm -f /etc/nginx/sites-enabled/rpc echo "⚠ Disabled old rpc config (rpc-http-pub/rpc-ws-pub should be on VMID 2502)" fi # Enable the new permissioned config ln -sf /etc/nginx/sites-available/rpc-perm /etc/nginx/sites-enabled/ rm -f /etc/nginx/sites-enabled/default # Update nginx.conf to include lua_package_path if lua module is available if nginx -V 2>&1 | grep -q "http_lua_module"; then if ! grep -q "lua_package_path" /etc/nginx/nginx.conf; then # Use a more reliable method to add lua_package_path # Create a temporary file with the addition cat > /tmp/nginx_lua_add.conf <<'LUA_ADD_EOF' # Lua package path lua_package_path "/usr/share/lua/5.1/?.lua;/usr/share/lua/5.1/?/init.lua;;"; LUA_ADD_EOF # Insert after "http {" line sed -i '/^http {/r /tmp/nginx_lua_add.conf' /etc/nginx/nginx.conf rm -f /tmp/nginx_lua_add.conf fi else warn "Nginx Lua module not available - JWT validation will use alternative method" fi # Test configuration nginx -t # Reload Nginx systemctl enable nginx systemctl restart nginx NGINX_CONFIG_EOF if [ $? -eq 0 ]; then info "✓ Nginx configured with JWT authentication" else error "Failed to configure Nginx" exit 1 fi # Display JWT secret for token generation echo "" info "JWT Authentication configured successfully!" echo "" warn "IMPORTANT: Save this JWT secret for token generation:" echo " ${JWT_SECRET}" echo "" info "Next steps:" echo " 1. Use the generate-jwt-token.sh script to create JWT tokens" echo " 2. Test with: curl -k -H 'Authorization: Bearer ' https://${HTTP_DOMAIN}" echo " 3. Update DNS records to point rpc-http-prv.d-bis.org and rpc-ws-prv.d-bis.org to ${IP}"