qortal-scripts/generate-nginx-node-config.sh


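#!/bin/bash
# generate-nginx-node-config.sh
#
# Render an NGINX reverse-proxy site for a Qortal node. In "local" mode the
# config is written to /etc/nginx/sites-available, symlinked into
# sites-enabled and (optionally) NGINX is tested and reloaded; in "remote"
# mode the same config is written to ./<server_name>.nginx.conf so it can be
# copied to the server by hand.
#
# Usage: generate-nginx-node-config.sh [SERVER_NAME] [SSL_CERT_PATH] [SSL_KEY_PATH] [NODE_PORT]
# Every argument not given on the command line is prompted for.
set -euo pipefail

readonly DEFAULT_NODE_PORT=12391
readonly NGINX_CONF_DIR="/etc/nginx/sites-available"
readonly NGINX_ENABLED_DIR="/etc/nginx/sites-enabled"

# Filled in by main(); read by render_config() and enable_and_reload().
SERVER_NAME=""
SSL_CERT_PATH=""
SSL_KEY_PATH=""
NODE_PORT=""

# Print an error to stderr and exit 1.
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

# Print a warning to stderr without exiting.
warn() {
  printf '⚠️  %s\n' "$*" >&2
}

# Prompt on the terminal and store the answer in the named variable.
# Running out of input (EOF on stdin) is an error rather than a silently
# empty answer.
# Arguments: $1 - prompt text, $2 - name of the variable to set
ask() {
  local prompt=$1 var_name=$2
  read -rp "$prompt" "$var_name" \
    || die "No input available for '${prompt}' (run interactively or pass all arguments)."
}

# The server name becomes the config file name under /etc/nginx (created as
# root) and is pasted unquoted into the nginx `server_name` directive, so it
# is restricted to hostname characters: no '/', whitespace, ';', '{' or '}'.
# Arguments: $1 - candidate server name
validate_server_name() {
  local name=$1
  local hostname_chars='^[A-Za-z0-9._*-]+$'
  [[ -n "$name" ]] || die "server_name must not be empty."
  [[ "$name" =~ $hostname_chars ]] \
    || die "server_name '${name}' may only contain letters, digits, '.', '-', '_' and '*'."
  [[ "$name" != "." && "$name" != ".." ]] || die "server_name '${name}' is not a hostname."
}

# Certificate/key paths are pasted unquoted into the config; nginx ends a
# directive at ';' and splits tokens on whitespace, so either would corrupt
# the generated file. Existence is checked separately (only meaningful in
# local mode).
# Arguments: $1 - label used in messages, $2 - path to check
validate_path() {
  local label=$1 path=$2
  local unsafe_chars='[[:space:];{}#"]'
  [[ -n "$path" ]] || die "${label} must not be empty."
  [[ "$path" == /* ]] || die "${label} must be an absolute path, got '${path}'."
  [[ ! "$path" =~ $unsafe_chars ]] \
    || die "${label} '${path}' contains whitespace or nginx syntax characters."
}

# The port is interpolated into proxy_pass; accept only 1-65535.
# Arguments: $1 - candidate port
validate_port() {
  local port=$1
  [[ "$port" =~ ^[0-9]+$ ]] || die "node port '${port}' is not a number."
  # 10# forces decimal so a leading zero is not read as octal.
  (( 10#$port >= 1 && 10#$port <= 65535 )) || die "node port '${port}' is outside 1-65535."
}

#######################################
# Print the NGINX site to stdout.
# Globals: SERVER_NAME, SSL_CERT_PATH, SSL_KEY_PATH, NODE_PORT (read)
# Notes on the template below (all literal nginx config):
#  - port 80 is a catch-all that 301-redirects to https.
#  - POST/DELETE to the listed lists/admin/cache-rebuild paths get a 403 and
#    are logged to forbidden-methods.log; the repository/logs/hosted/tradebot/
#    bootstrap paths are denied outright.
#  - no ssl_protocols / ssl_ciphers are set, so the nginx build's defaults
#    apply; add them here if your policy requires a specific TLS floor.
#  - everything is proxied to plain HTTP on localhost:NODE_PORT except the
#    crosschain websocket path, which follows \$ws_scheme (ws or wss).
#  - shell expansions are written ${VAR}; nginx variables are escaped as \$name.
#######################################
render_config() {
  cat <<EOF
server {
listen 80 default_server;
server_name _;
return 301 https://\$host\$request_uri;
}
map \$scheme \$ws_scheme {
default "ws";
https "wss";
}
server {
listen 443 ssl;
server_name ${SERVER_NAME};
ssl_certificate ${SSL_CERT_PATH};
ssl_certificate_key ${SSL_KEY_PATH};
ssl_prefer_server_ciphers on;
client_max_body_size 500M;
location ~* ^/(lists|admin/(restart|stop|forcesync|apikey/generate|enginestats|orphan|mintingaccounts)|arbitrary/resources/cache/rebuild)\$ {
if (\$request_method ~* ^(POST|DELETE)\$) {
access_log /var/log/nginx/forbidden-methods.log;
return 403;
}
}
location ~* ^/(admin/repository/|admin/logs|arbitrary/hosted|crosschain/tradebot|bootstrap/create)\$ {
deny all;
error_log /var/log/nginx/forbidden.log debug;
}
location / {
proxy_hide_header Access-Control-Allow-Origin;
proxy_pass http://localhost:${NODE_PORT};
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;
keepalive_timeout 3600s;
}
location /websockets/ {
proxy_pass http://localhost:${NODE_PORT}/websockets/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_ssl_session_reuse off;
proxy_read_timeout 86400;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
}
location /websockets/crosschain/ {
proxy_pass \$ws_scheme://localhost:${NODE_PORT}/websockets/crosschain/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_ssl_session_reuse off;
proxy_read_timeout 86400;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
}
}
EOF
}

#######################################
# Symlink the site into sites-enabled and, if the user agrees, test and
# reload NGINX. A link this run created is removed again when `nginx -t`
# rejects the config, so a broken site is not left enabled for the next
# restart of the service.
# Arguments: $1 - path of the config file in sites-available
# Globals:   SERVER_NAME, NGINX_ENABLED_DIR (read)
#######################################
enable_and_reload() {
  local conf_path=$1
  local link_path="${NGINX_ENABLED_DIR}/${SERVER_NAME}"
  local created_link=false

  # -L as well as -e: a dangling symlink makes ln fail with "File exists".
  if [[ ! -e "$link_path" && ! -L "$link_path" ]]; then
    ln -s -- "$conf_path" "$link_path"
    created_link=true
    echo "🔗 Symlinked into sites-enabled."
  elif [[ ! -L "$link_path" || "$(readlink -- "$link_path")" != "$conf_path" ]]; then
    warn "${link_path} already exists and does not point at ${conf_path}; left untouched."
  fi

  local reload
  ask "Reload NGINX now? [y/N] " reload
  if [[ ! "$reload" =~ ^[Yy]$ ]]; then
    echo " Skipped reload. You can run: sudo systemctl reload nginx"
    return 0
  fi

  if ! nginx -t; then
    if [[ "$created_link" == true ]]; then
      rm -f -- "$link_path"
      warn "Removed ${link_path} again; fix ${conf_path} and re-run, or symlink it by hand."
    fi
    die "nginx -t rejected the configuration; NGINX was not reloaded."
  fi
  systemctl reload nginx || die "systemctl reload nginx failed."
  echo "✅ NGINX reloaded."
}

#######################################
# Entry point: choose local/remote mode, collect and validate inputs, write
# the config, then enable it (local mode only).
# Arguments: see usage at the top of the file
#######################################
main() {
  local answer run_locally
  ask "Are you running this script on the actual server that will host NGINX? [y/N]: " answer
  if [[ "$answer" =~ ^[Yy]$ ]]; then
    run_locally=true
    # Writing under /etc/nginx and reloading the service needs root.
    if [[ "$EUID" -ne 0 ]]; then
      echo "❌ This script must be run as root when deploying directly on the target system."
      echo " Try again with: sudo $0"
      exit 1
    fi
  else
    run_locally=false
    echo " Generating config for remote deployment it will be saved to the current directory."
  fi

  # === Arguments, prompting for anything not supplied ===
  SERVER_NAME="${1:-}"
  SSL_CERT_PATH="${2:-}"
  SSL_KEY_PATH="${3:-}"
  NODE_PORT="${4:-}"
  if [[ -z "$SERVER_NAME" ]]; then
    ask "Enter server_name (e.g. ext-node.qortal.link): " SERVER_NAME
  fi
  if [[ -z "$SSL_CERT_PATH" ]]; then
    ask "Enter full path to SSL certificate: " SSL_CERT_PATH
  fi
  if [[ -z "$SSL_KEY_PATH" ]]; then
    ask "Enter full path to SSL certificate key: " SSL_KEY_PATH
  fi
  if [[ -z "$NODE_PORT" ]]; then
    # An empty answer keeps the default port.
    ask "Enter Qortal node port [default: 12391]: " NODE_PORT
    NODE_PORT="${NODE_PORT:-$DEFAULT_NODE_PORT}"
  fi

  # Validate before anything is written: these values end up in a root-owned
  # file name and unquoted inside the nginx config.
  validate_server_name "$SERVER_NAME"
  validate_path "SSL certificate path" "$SSL_CERT_PATH"
  validate_path "SSL key path" "$SSL_KEY_PATH"
  validate_port "$NODE_PORT"

  # === Output destination ===
  local conf_path
  if [[ "$run_locally" == true ]]; then
    [[ -d "$NGINX_CONF_DIR" && -d "$NGINX_ENABLED_DIR" ]] \
      || die "${NGINX_CONF_DIR} or ${NGINX_ENABLED_DIR} not found; is nginx installed with the sites-* layout?"
    conf_path="${NGINX_CONF_DIR}/${SERVER_NAME}"
    # nginx -t would fail on these later; say so now while the user is here.
    [[ -r "$SSL_CERT_PATH" ]] || warn "${SSL_CERT_PATH} does not exist or is not readable yet."
    [[ -r "$SSL_KEY_PATH" ]] || warn "${SSL_KEY_PATH} does not exist or is not readable yet."
  else
    conf_path="$(pwd)/${SERVER_NAME}.nginx.conf"
  fi
  if [[ -e "$conf_path" ]]; then
    warn "Overwriting existing ${conf_path}."
  fi

  # === Template ===
  render_config > "$conf_path"
  echo "✅ NGINX config generated at: $conf_path"

  # === Symlink + reload only if running locally ===
  if [[ "$run_locally" != true ]]; then
    echo "📝 You can now copy the generated config to your servers /etc/nginx/sites-available/ directory."
    return 0
  fi
  enable_and_reload "$conf_path"
}

main "$@"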