Added nginx public node config generation script.

2025-05-01 11:09:57 -07:00 · 2025-05-01 11:09:57 -07:00 · c74fc6ac27
commit c74fc6ac27
parent 057c306df4
1 changed files with 146 additions and 0 deletions
--- a/generate-nginx-node-config.sh
+++ b/generate-nginx-node-config.sh
@ -0,0 +1,146 @@
+#!/bin/bash
+
+# === Require root if installing on local system ===
+run_locally=""
+
+read -rp "Are you running this script on the actual server that will host NGINX? [y/N]: " answer
+if [[ "$answer" =~ ^[Yy]$ ]]; then
+    run_locally=true
+    if [ "$EUID" -ne 0 ]; then
+        echo "❌ This script must be run as root when deploying directly on the target system."
+        echo "ℹ️  Try again with: sudo $0"
+        exit 1
+    fi
+else
+    run_locally=false
+    echo "ℹ️ Generating config for remote deployment – it will be saved to the current directory."
+fi
+
+# === Prompt or take args ===
+SERVER_NAME="${1:-}"
+SSL_CERT_PATH="${2:-}"
+SSL_KEY_PATH="${3:-}"
+NODE_PORT="${4:-12391}"
+
+# Prompt if not passed
+if [ -z "$SERVER_NAME" ]; then
+  read -rp "Enter server_name (e.g. ext-node.qortal.link): " SERVER_NAME
+fi
+if [ -z "$SSL_CERT_PATH" ]; then
+  read -rp "Enter full path to SSL certificate: " SSL_CERT_PATH
+fi
+if [ -z "$SSL_KEY_PATH" ]; then
+  read -rp "Enter full path to SSL certificate key: " SSL_KEY_PATH
+fi
+if [ -z "$NODE_PORT" ]; then
+  read -rp "Enter Qortal node port [default: 12391]: " NODE_PORT
+  NODE_PORT="${NODE_PORT:-12391}"
+fi
+
+# === Output destination ===
+if [[ "$run_locally" == true ]]; then
+    NGINX_CONF_DIR="/etc/nginx/sites-available"
+    NGINX_ENABLED_DIR="/etc/nginx/sites-enabled"
+    CONF_PATH="${NGINX_CONF_DIR}/${SERVER_NAME}"
+else
+    SCRIPT_DIR="$(pwd)"
+    CONF_PATH="${SCRIPT_DIR}/${SERVER_NAME}.nginx.conf"
+fi
+
+# === Template ===
+cat > "$CONF_PATH" <<EOF
+server {
+    listen 80 default_server;
+    server_name _;
+
+    return 301 https://\$host\$request_uri;
+}
+
+map \$scheme \$ws_scheme {
+    default "ws";
+    https "wss";
+}
+
+server {
+    listen 443 ssl;
+    server_name ${SERVER_NAME};
+
+    ssl_certificate     ${SSL_CERT_PATH};
+    ssl_certificate_key ${SSL_KEY_PATH};
+    ssl_prefer_server_ciphers on;
+
+    client_max_body_size 500M;
+
+    location ~* ^/(lists|admin/(restart|stop|forcesync|apikey/generate|enginestats|orphan|mintingaccounts)|arbitrary/resources/cache/rebuild)\$ {
+        if (\$request_method ~* ^(POST|DELETE)\$) {
+            access_log /var/log/nginx/forbidden-methods.log;
+            return 403;
+        }
+    }
+
+    location ~* ^/(admin/repository/|admin/logs|arbitrary/hosted|crosschain/tradebot|bootstrap/create)\$ {
+        deny all;
+        error_log /var/log/nginx/forbidden.log debug;
+    }
+
+    location / {
+        proxy_hide_header Access-Control-Allow-Origin;
+
+        proxy_pass http://localhost:${NODE_PORT};
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+        send_timeout 3600s;
+        keepalive_timeout 3600s;
+    }
+
+    location /websockets/ {
+        proxy_pass http://localhost:${NODE_PORT}/websockets/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host \$host;
+        proxy_ssl_session_reuse off;
+        proxy_read_timeout 86400;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+
+    location /websockets/crosschain/ {
+        proxy_pass \$ws_scheme://localhost:${NODE_PORT}/websockets/crosschain/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host \$host;
+        proxy_ssl_session_reuse off;
+        proxy_read_timeout 86400;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+}
+EOF
+
+echo "✅ NGINX config generated at: $CONF_PATH"
+
+# === Symlink + reload only if running locally
+if [[ "$run_locally" == true ]]; then
+    if [ ! -e "${NGINX_ENABLED_DIR}/${SERVER_NAME}" ]; then
+        ln -s "$CONF_PATH" "${NGINX_ENABLED_DIR}/${SERVER_NAME}"
+        echo "🔗 Symlinked into sites-enabled."
+    fi
+
+    read -rp "Reload NGINX now? [y/N] " RELOAD
+    if [[ "$RELOAD" =~ ^[Yy]$ ]]; then
+        nginx -t && systemctl reload nginx && echo "✅ NGINX reloaded."
+    else
+        echo "ℹ️ Skipped reload. You can run: sudo systemctl reload nginx"
+    fi
+else
+    echo "📝 You can now copy the generated config to your server’s /etc/nginx/sites-available/ directory."
+fi
+