
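#!/usr/bin/env bash
#
# setup-nginx-proxy-wss.sh — configure nginx for a nym node:
#   1. a landing page served from /var/www/<HOSTNAME>
#   2. an HTTP (port 80) reverse proxy to the node's local port 8080
#   3. a Let's Encrypt certificate via certbot (best-effort)
#   4. a TLS-terminating WebSocket (WSS) vhost on port 9001 proxying to
#      localhost:9000, created only when the certificate was issued
#
# Usage: run as root. Settings come from the environment or from an env
# file: `ENV_FILE=/path/to/env.sh ./setup-nginx-proxy-wss.sh`, or from
# ./env.sh in the current directory.
#
# Required variables:
#   HOSTNAME  - public DNS name of this node (server_name + certificate)
#   EMAIL     - operator contact; used for the Let's Encrypt account and
#               shown on the fallback landing page
#
# The env file is sourced with `set -a`, so every variable it defines is
# exported to all child processes (apt-get, certbot, nginx). Keep only what
# this script needs in it.
set -euo pipefail

if [[ "$(id -u)" -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi

# load env (an explicit ENV_FILE takes precedence over ./env.sh)
if [[ -n "${ENV_FILE:-}" && -f "${ENV_FILE}" ]]; then
  set -a; . "${ENV_FILE}"; set +a
elif [[ -f "./env.sh" ]]; then
  set -a; . ./env.sh; set +a
fi

# NOTE: bash pre-populates HOSTNAME with the machine's hostname, so this
# check only fires after an explicit `unset HOSTNAME`. If the env file does
# not set HOSTNAME, the system hostname is used — it must be the public DNS
# name that resolves to this node, otherwise certbot fails in step 4.
: "${HOSTNAME:?HOSTNAME not set}"
: "${EMAIL:?EMAIL not set}"
export DEBIAN_FRONTEND=noninteractive

readonly WEBROOT="/var/www/${HOSTNAME}"
readonly SITES_AVAIL="/etc/nginx/sites-available"
readonly SITES_EN="/etc/nginx/sites-enabled"
readonly HTTP_CONF="${SITES_AVAIL}/${HOSTNAME}"
readonly WSS_CONF="${SITES_AVAIL}/wss-config-nym"
readonly CERT_DIR="/etc/letsencrypt/live/${HOSTNAME}"
readonly LANDING_PAGE_URL="https://raw.githubusercontent.com/nymtech/nym/develop/scripts/nym-node-setup/landing-page.html"

#######################################
# True when certbot has produced a full chain for HOSTNAME.
# Globals:  CERT_DIR (read)
# Returns:  0 if fullchain.pem exists and is non-empty, 1 otherwise
#######################################
have_cert() {
  [[ -s "${CERT_DIR}/fullchain.pem" ]]
}

#######################################
# Validate the nginx configuration and restart the service.
# `nginx -t` failing aborts the script (set -e), so a broken vhost that was
# just written is never activated.
#######################################
reload_nginx() {
  nginx -t
  systemctl daemon-reload
  systemctl restart nginx
}

echo
echo "* * * Starting nginx configuration for landing page, reverse proxy and WSS * * *"

###############################################################################
# step 1: ensure landing page exists (local fetch -> github -> template)
###############################################################################
mkdir -p "${WEBROOT}"
SCRIPT_DIR="$(dirname "${ENV_FILE:-./env.sh}")"
LOCAL_FETCHED_PAGE="${SCRIPT_DIR}/landing-page.html"
if [[ -s "${LOCAL_FETCHED_PAGE}" ]]; then
  cp "${LOCAL_FETCHED_PAGE}" "${WEBROOT}/index.html"
elif curl -fsSL --max-time 30 "${LANDING_PAGE_URL}" -o "${WEBROOT}/index.html"; then
  # --max-time keeps an unreachable GitHub from hanging the whole setup.
  :
else
  # Fallback template. EMAIL is interpolated into the HTML verbatim; it is
  # operator-supplied configuration, not request data, so it is not escaped.
  cat > "${WEBROOT}/index.html" <<EOF
<!DOCTYPE html>
<html>
<head><title>nym node</title></head>
<body style="font-family:sans-serif;text-align:center;padding:2em;">
<h1>nym exit gateway</h1>
<p>this is a nym exit gateway.</p>
<p>Operator contact: <a href="mailto:${EMAIL}">${EMAIL}</a></p>
</body>
</html>
EOF
fi
echo "Landing page at ${WEBROOT}/index.html"

###############################################################################
# step 2: remove default site and old configs, restart nginx
###############################################################################
echo "Cleaning existing nginx configuration"
# rm -f is a no-op for missing paths and removes symlinks without following
# them, so one call covers the default site and the old vhosts for this domain.
rm -f -- \
  "${SITES_EN}/default" \
  "${SITES_AVAIL}/default" \
  "${SITES_EN}/${HOSTNAME}" \
  "${SITES_EN}/${HOSTNAME}-ssl" \
  "${SITES_EN}/wss-config-nym" \
  "${HTTP_CONF}" \
  "${WSS_CONF}"
systemctl restart nginx || systemctl start nginx

###############################################################################
# step 3: create basic HTTP config like manual flow (80 -> 8080)
###############################################################################
# nginx variables are escaped (\$) so the shell does not expand them.
cat > "${HTTP_CONF}" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${HOSTNAME};
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
ln -sf "${HTTP_CONF}" "${SITES_EN}/${HOSTNAME}"
reload_nginx

###############################################################################
# step 4: install certbot and obtain certificate (letsencrypt)
###############################################################################
# Package installation is best-effort, but failures are reported instead of
# silently swallowed, and certbot is only invoked when it actually exists.
apt-get update -y >/dev/null 2>&1 \
  || echo "warning: apt-get update failed, continuing with cached package lists" >&2
apt-get install -y certbot python3-certbot-nginx >/dev/null 2>&1 \
  || echo "warning: certbot installation failed" >&2
if command -v certbot >/dev/null 2>&1; then
  echo "Requesting Let's Encrypt certificate for ${HOSTNAME}"
  # Failure is tolerated on purpose (e.g. DNS not yet pointing here);
  # step 5 checks for the certificate and skips WSS when it is absent.
  certbot --nginx --non-interactive --agree-tos --redirect --reuse-key \
    -m "${EMAIL}" -d "${HOSTNAME}" \
    || echo "warning: certbot did not issue a certificate for ${HOSTNAME}" >&2
else
  echo "warning: certbot not available, skipping certificate request" >&2
fi

###############################################################################
# step 5: create WSS 9001 config using certbot-generated certs
###############################################################################
if have_cert; then
  echo "Certificate detected, creating WSS config"
  # NOTE(review): the CORS block below sends Access-Control-Allow-Origin '*'
  # together with Access-Control-Allow-Credentials 'true'. Browsers do not
  # honour credentials against a wildcard origin, so the credentials header
  # is ineffective; kept unchanged here to avoid altering deployed behaviour.
  cat > "${WSS_CONF}" <<EOF
server {
    listen 9001 ssl http2;
    listen [::]:9001 ssl http2;
    server_name ${HOSTNAME};
    ssl_certificate ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    location /favicon.ico {
        return 204;
        access_log off;
        log_not_found off;
    }
    location / {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
        add_header 'Access-Control-Allow-Headers' '*' always;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_pass http://localhost:9000;
        proxy_intercept_errors on;
    }
}
EOF
  ln -sf "${WSS_CONF}" "${SITES_EN}/wss-config-nym"
  reload_nginx
else
  echo "Certificate missing, skipping WSS config"
fi

###############################################################################
# step 6: summary
###############################################################################
echo "done."
echo "http : http://${HOSTNAME}"
if have_cert; then
  echo "https : https://${HOSTNAME}"
  echo "wss : wss://${HOSTNAME}:9001"
else
  echo "https not active yet (no cert)"
fi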