Merge branch 'feat/prevent-overwrite-gen-l2-addresses' of https://git…
…hub.com/Snapchain/op-chain-deployment into feat/prevent-overwrite-gen-l2-addresses
Showing
9 changed files
with
198 additions
and
9 deletions.
@@ -43,3 +43,19 @@ GS_PROPOSER_PRIVATE_KEY= | |
# Sequencer address | ||
GS_SEQUENCER_ADDRESS= | ||
GS_SEQUENCER_PRIVATE_KEY= | ||
|
||
# DNS Configuration | ||
L2_SYSTEM_SERVER_IP=11.22.33.44 | ||
CLOUDFLARE_AUTH_EMAIL=<[email protected]> | ||
# 1. Log into Cloudflare dashboard | ||
# 2. Go to "My Profile" (top right) | ||
# 3. Scroll to "API Tokens" | ||
# 4. View your "Global API Key" | ||
CLOUDFLARE_API_KEY=<your-api-key> | ||
# 1. Log into Cloudflare dashboard | ||
# 2. Select your domain | ||
# 3. Look in the right sidebar - "Zone ID" is listed there | ||
CLOUDFLARE_ZONE_ID=<your-zone-id> | ||
CLOUDFLARE_DNS_SUBDOMAIN=tohma | ||
CERTBOT_EMAIL=[email protected] | ||
CERTBOT_DOMAIN_SUFFIX=tohma.snapchain.dev |
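Review bot: The comment block above `CLOUDFLARE_API_KEY` steers the operator to the account's Global API Key, while the only Cloudflare operation this commit performs is creating A records in one zone; a scoped API token limited to DNS edit on `CLOUDFLARE_ZONE_ID` is the least-privilege choice and can be revoked without rotating the account key. Because the setup script sends the value as `X-Auth-Key`, switching to a token means changing that header to `Authorization: Bearer "$CLOUDFLARE_API_KEY"` in the script, so the example should state which form the variable expects, e.g. `# Scoped API token (Zone > DNS > Edit on this zone) is preferred over the Global API Key`. Worth noting here too that this same file carries `GS_SEQUENCER_PRIVATE_KEY` next to the Cloudflare credential, so the real `.env` must stay out of version control and world-readable paths.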
@@ -0,0 +1,17 @@ | ||
|
||
server { | ||
listen 443 ssl; | ||
server_name bridge.${CERTBOT_DOMAIN_SUFFIX}; | ||
|
||
ssl_certificate /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX}/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX}/privkey.pem; | ||
|
||
location / { | ||
proxy_pass http://localhost:3002; # bridge UI port | ||
proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection 'upgrade'; | ||
proxy_set_header Host $host; | ||
proxy_cache_bypass $http_upgrade; | ||
} | ||
} |
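Review bot: The bridge `location /` forwards no client address or scheme, unlike the explorer template in this same commit which sets `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto`; the service on `localhost:3002` will see every request as coming from 127.0.0.1 over plain HTTP, which affects its logs and any per-client limiting it does. Adding the same three `proxy_set_header` lines keeps the three templates consistent. `listen 443 ssl` is also left on nginx's default TLS settings; an explicit `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines pins what the host accepts, and the same applies to the explorer and rpc templates.
```nginx
    ssl_protocols TLSv1.2 TLSv1.3;
    # … unchanged: ssl_certificate / ssl_certificate_key …
    location / {
        proxy_pass http://localhost:3002; # bridge UI port
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # … unchanged: websocket upgrade headers, cache bypass …
```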
@@ -0,0 +1,29 @@ | ||
server { | ||
listen 443 ssl; | ||
server_name explorer.${CERTBOT_DOMAIN_SUFFIX}; | ||
|
||
ssl_certificate /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX}/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX}/privkey.pem; | ||
|
||
location ~ ^/(api|socket|sitemap.xml|auth/auth0|auth/auth0/callback|auth/logout) { | ||
proxy_pass http://localhost:8088; | ||
proxy_http_version 1.1; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
} | ||
|
||
location / { | ||
proxy_pass http://localhost:8088; | ||
proxy_http_version 1.1; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
} | ||
} |
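Review bot: The regex `location ~ ^/(api|socket|sitemap.xml|auth/auth0|auth/auth0/callback|auth/logout)` and the catch-all `location /` have byte-identical bodies, both proxying to `localhost:8088` with the same headers, so the regex block currently changes nothing and is only a second place to keep in sync. If the intent is to later route those paths to a separate backend, a comment saying so would explain why it is kept; otherwise dropping it simplifies the file. If it stays, the unescaped dot in `sitemap.xml` matches any character and the pattern has no end anchor, so `sitemap\.xml` is the safer spelling.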
@@ -0,0 +1,37 @@ | ||
server { | ||
listen 443 ssl; | ||
server_name rpc.${CERTBOT_DOMAIN_SUFFIX}; | ||
|
||
ssl_certificate /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX}/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX}/privkey.pem; | ||
|
||
location / { | ||
proxy_pass http://localhost:9545; | ||
proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection 'upgrade'; | ||
proxy_set_header Host $host; | ||
proxy_cache_bypass $http_upgrade; | ||
|
||
# prevent duplicate headers by resetting existing ones | ||
proxy_hide_header 'Access-Control-Allow-Origin'; | ||
proxy_hide_header 'Access-Control-Allow-Methods'; | ||
proxy_hide_header 'Access-Control-Allow-Headers'; | ||
|
||
if ($request_method = 'OPTIONS') { | ||
add_header 'Access-Control-Allow-Origin' $http_origin always; | ||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; | ||
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always; | ||
add_header 'Access-Control-Max-Age' 1728000 always; | ||
add_header 'Content-Type' 'text/plain charset=UTF-8' always; | ||
add_header 'Content-Length' 0 always; | ||
return 204; | ||
} | ||
|
||
# this line is needed to prevent CORS errors | ||
add_header 'Access-Control-Allow-Origin' $http_origin always; | ||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; | ||
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always; | ||
add_header 'Access-Control-Allow-Credentials' 'true' always; | ||
} | ||
} |
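Review bot: The non-preflight path reflects `$http_origin` into `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials 'true'`, which tells browsers that any origin may make credentialed cross-site requests to the RPC endpoint. If the endpoint is meant to be public and unauthenticated, the credentials header should simply be removed; if it is not, replace the reflection with a `map $http_origin` allowlist and add `add_header 'Vary' 'Origin' always;` so caches do not serve one origin's response to another. Separately, the preflight `Content-Type` value `'text/plain charset=UTF-8'` is missing the parameter separator and should read `'text/plain; charset=UTF-8'`.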
Submodule optimism
updated
4 files
+1 −43 | .github/CODEOWNERS | |
+1 −1 | .github/workflows/lint-test-op-node.yml | |
+9 −7 | .github/workflows/publish.yml | |
+45 −29 | op-node/rollup/finality/finalizer.go |
@@ -0,0 +1,81 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
set -a | ||
source $(pwd)/.env | ||
set +a | ||
|
||
# reference: https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-batch-dns-records | ||
create_dns_records() { | ||
local names=("$@") | ||
local records="" | ||
|
||
for name in "${names[@]}"; do | ||
if [ -n "$records" ]; then | ||
records="${records}," | ||
fi | ||
records="${records} | ||
{ | ||
\"type\": \"A\", | ||
\"name\": \"${name}.${CLOUDFLARE_DNS_SUBDOMAIN}\", | ||
\"content\": \"$L2_SYSTEM_SERVER_IP\", | ||
\"proxied\": false | ||
}" | ||
done | ||
|
||
curl --request POST \ | ||
--url "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/batch" \ | ||
--header "Content-Type: application/json" \ | ||
--header "X-Auth-Email: $CLOUDFLARE_AUTH_EMAIL" \ | ||
--header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ | ||
--data "{ | ||
\"posts\": [${records}] | ||
}" | ||
} | ||
|
||
# 1. create the DNS records for the subdomains | ||
# (RPC, Bridge, Explorer) | ||
create_dns_records "rpc" "bridge" "explorer" | ||
|
||
# 2. obtain the SSL certificate for each subdomain | ||
# the certs will be stored in /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX} | ||
# | ||
# note that Certbot creates a single certificate that's valid for all those | ||
# domains (called a SAN - Subject Alternative Names certificate) | ||
# | ||
# after running the command, you can verify by: | ||
# sudo openssl x509 -in /etc/letsencrypt/live/${CERTBOT_DOMAIN_SUFFIX}/fullchain.pem -text | grep DNS: | ||
# | ||
# reference: https://eff-certbot.readthedocs.io/en/latest/using.html | ||
certbot certonly --nginx --non-interactive --agree-tos -m ${CERTBOT_EMAIL} \ | ||
--cert-name ${CERTBOT_DOMAIN_SUFFIX} \ | ||
-d rpc.${CERTBOT_DOMAIN_SUFFIX} \ | ||
-d bridge.${CERTBOT_DOMAIN_SUFFIX} \ | ||
-d explorer.${CERTBOT_DOMAIN_SUFFIX} | ||
|
||
# 3. create the nginx config files for each subdomain | ||
cp configs/nginx/l2-rpc.conf.template /etc/nginx/sites-available/l2-rpc.conf | ||
cp configs/nginx/bridge.conf.template /etc/nginx/sites-available/bridge.conf | ||
cp configs/nginx/l2-explorer.conf.template /etc/nginx/sites-available/l2-explorer.conf | ||
|
||
# 4. replace ${CERTBOT_DOMAIN_SUFFIX} in the nginx config files | ||
sed -i 's/\${CERTBOT_DOMAIN_SUFFIX}/'"${CERTBOT_DOMAIN_SUFFIX}"'/g' /etc/nginx/sites-available/*.conf | ||
|
||
# 5. enable the nginx config files | ||
mkdir -p /etc/nginx/sites-enabled | ||
ln -sf /etc/nginx/sites-available/l2-rpc.conf /etc/nginx/sites-enabled/ | ||
ln -sf /etc/nginx/sites-available/bridge.conf /etc/nginx/sites-enabled/ | ||
ln -sf /etc/nginx/sites-available/l2-explorer.conf /etc/nginx/sites-enabled/ | ||
|
||
# 6. verify the nginx config files | ||
nginx -t | ||
|
||
# 7. restart nginx | ||
# | ||
# after running this, you can check the status of nginx by: | ||
# systemctl status nginx | ||
# | ||
# see logs | ||
# journalctl -u nginx.service -f | ||
systemctl start nginx | ||
systemctl enable nginx |
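Review bot: The `curl` call in `create_dns_records` has no `--fail`, so a 4xx/5xx from the Cloudflare API still exits 0 and `set -euo pipefail` never fires; step 2 then runs certbot against records that were never created and fails later on DNS validation with a much less direct error, so the invocation should start `curl --fail --silent --show-error --request POST \`. The `set -a` around `source $(pwd)/.env` exports every value in the file, including `GS_SEQUENCER_PRIVATE_KEY` and the other key material the env example shows, into the environment of curl, certbot, nginx and systemctl, yet every use of those variables is inside this script itself, so plain `source ./.env` without `set -a` keeps the private keys out of child processes. The `sed -i` in step 4 is applied to `/etc/nginx/sites-available/*.conf`, which rewrites every config in that directory rather than only the three copied in step 3; naming the three files explicitly avoids touching unrelated sites.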