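#!/bin/bash
# Web Proxy User Data Script for OpenHands Infrastructure
# This script configures the web proxy server with Nginx, SSL, and authentication.
#
# Runs once, as root, at first boot (cloud-init user data). It installs the
# packages, opens the firewall, creates the "openhands" account whose password
# doubles as the HTTP basic-auth credential, and writes every config file the
# proxy needs. The `${project_name}` token used further down is never assigned
# in this script; it is presumably substituted by the provisioning template
# before the script executes (TODO confirm) — which is also why `set -u` is
# deliberately not enabled here.
set -eo pipefail

# User data has no terminal attached: make dpkg/apt never wait on a
# configuration dialog, which would otherwise hang the whole bootstrap.
export DEBIAN_FRONTEND=noninteractive

# Update system. Two statements rather than `a && b` so that a failing
# `apt-get update` aborts under `set -e` instead of being silently skipped.
apt-get update
apt-get upgrade -y

# Install required packages (openssl is used below for the password and the
# self-signed certificate; listing it explicitly makes that dependency visible).
apt-get install -y \
  nginx \
  certbot \
  python3-certbot-nginx \
  fail2ban \
  apache2-utils \
  ufw \
  awscli \
  curl \
  wget \
  openssl

# Configure firewall: SSH plus HTTP/HTTPS only, everything else denied once
# ufw is enabled. Port 22 must stay open or the instance becomes unreachable;
# restrict it to an admin CIDR at the security-group level if possible.
ufw allow 22
ufw allow 80
ufw allow 443
ufw --force enable

# Create openhands user with a random 32-byte password. The same secret is
# reused as the nginx basic-auth password below and is written (root-only) to
# /var/log/setup.log at the end of this script for the operator to retrieve.
useradd -m -s /bin/bash openhands
OPENHANDS_PASSWORD=$(openssl rand -base64 32)
printf 'openhands:%s\n' "$OPENHANDS_PASSWORD" | chpasswd

# Create htpasswd file for basic authentication. The password is supplied on
# stdin (-i) instead of as a command-line argument (-b), so it is not exposed
# in the process list of every user on the host while htpasswd runs.
printf '%s\n' "$OPENHANDS_PASSWORD" | htpasswd -ci /etc/nginx/.htpasswd openhands
# Only root and the nginx workers (www-data) need to read the hash file.
chown root:www-data /etc/nginx/.htpasswd
chmod 640 /etc/nginx/.htpasswd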
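# Create Nginx configuration for OpenHands.
#
# limit_req_zone is only valid in the http{} context — nginx -t rejects it
# inside server{} — so the zone is declared in conf.d, which Debian's
# nginx.conf includes from http{}. The vhost below only references it by name.
cat > /etc/nginx/conf.d/openhands-ratelimit.conf << 'EOF'
# Per-client request rate zone used by the OpenHands vhost.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
EOF

# The vhost itself. OPENHANDS_PRIVATE_IP is a placeholder that
# /root/update_openhands_ip.sh replaces with the backend address; the site is
# not enabled (symlinked into sites-enabled) until that script has run.
cat > /etc/nginx/sites-available/openhands << 'EOF'
server {
    listen 80;
    server_name _;

    # Redirect HTTP to HTTPS. $host is the name the client actually used;
    # $server_name would expand to the catch-all "_" and send the browser
    # to a broken "https://_/..." Location.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name _;

    # SSL configuration (self-signed certificate generated below; browsers
    # warn until it is replaced by a CA-issued one, e.g. via certbot).
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: forward-secret AEAD suites only (TLS 1.3 suites are
    # fixed by OpenSSL and unaffected by this list). No DHE suites because
    # no ssl_dhparam is configured, which would leave them unusable anyway.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Basic authentication (credentials created by the user-data script)
    auth_basic "OpenHands Access - Authorized Users Only";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Rate limiting against the zone declared in conf.d.
    # NOTE(review): this applies to every request on the vhost, not just a
    # login path; at 5r/m with burst=5 a normal UI page load can trip it
    # (and, via the nginx-limit-req fail2ban jail, get the client banned).
    # Tune rate/burst for the application's real request pattern.
    limit_req zone=login burst=5 nodelay;

    # Proxy configuration for OpenHands
    location / {
        proxy_pass http://OPENHANDS_PRIVATE_IP:3000;
        proxy_http_version 1.1;

        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        # Standard proxy headers ($host rather than $server_name, which is "_")
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # Proxy timeouts for long-running operations
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Disable proxy buffering for real-time responses
        proxy_cache_bypass $http_upgrade;
        proxy_buffering off;

        # Handle large file uploads
        client_max_body_size 100M;
    }

    # Health check endpoint (bypasses auth)
    location /health {
        access_log off;
        auth_basic off;
        # add_header inside a location replaces, rather than extends, the
        # server-level headers above, so the security headers are not sent
        # here. Acceptable: this endpoint only returns a fixed string.
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }

    # Deny access to sensitive files (dotfiles such as .htpasswd or .git)
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}
EOF

# Create self-signed SSL certificate. umask 077 makes the private key (and
# the cert) unreadable to other users from the moment they are written,
# instead of relying on the chmod afterwards; the cert is opened back up to
# 644 below because it is public anyway.
(
  umask 077
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt \
    -subj "/C=US/ST=State/L=City/O=${project_name}/CN=localhost"
)

# Set proper permissions for SSL files
chmod 600 /etc/ssl/private/nginx-selfsigned.key
chmod 644 /etc/ssl/certs/nginx-selfsigned.crt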
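# Create script to update OpenHands IP. Quoted heredoc: nothing is expanded
# here — $1, $OPENHANDS_IP and friends belong to the generated script.
cat > /root/update_openhands_ip.sh << 'EOF'
#!/bin/bash
# Script to update OpenHands server IP in Nginx configuration.
#
# Usage: update_openhands_ip.sh <openhands-private-ip>
#
# Rewrites the proxy_pass target in /etc/nginx/sites-available/openhands,
# enables the site, and reloads nginx only if `nginx -t` passes. Safe to run
# again with a new address: it matches the current proxy_pass target rather
# than the initial OPENHANDS_PRIVATE_IP placeholder, which only exists until
# the first successful run (matching the placeholder alone would make every
# later run a silent no-op that still reported success).
set -eo pipefail

if [ -z "$1" ]; then
  echo "Usage: $0 <openhands-private-ip>" >&2
  echo "Example: $0 10.0.1.100" >&2
  exit 1
fi
OPENHANDS_IP="$1"

# Validate IP format: four dotted octets, each 0-255. The value is later
# interpolated into a sed expression, so rejecting anything but digits and
# dots also keeps sed metacharacters out of that expression.
if [[ ! $OPENHANDS_IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
  echo "Error: Invalid IP address format" >&2
  exit 1
fi
IFS=. read -r o1 o2 o3 o4 <<< "$OPENHANDS_IP"
for octet in "$o1" "$o2" "$o3" "$o4"; do
  # 10# forces decimal so an octet like "08" is not parsed as octal.
  if (( 10#$octet > 255 )); then
    echo "Error: Invalid IP address octet: $octet" >&2
    exit 1
  fi
done

echo "Updating OpenHands server IP to: $OPENHANDS_IP"

# Update the Nginx configuration: replace whatever host is currently in the
# proxy_pass line (placeholder or previous IP). '#' delimits the expression
# because the replacement contains slashes.
NGINX_SITE=/etc/nginx/sites-available/openhands
sed -i -E "s#^([[:space:]]*proxy_pass http://)[^:;]+(:3000;)#\1$OPENHANDS_IP\2#" "$NGINX_SITE"
if ! grep -qF -- "proxy_pass http://$OPENHANDS_IP:3000;" "$NGINX_SITE"; then
  echo "Error: could not find the proxy_pass line to update in $NGINX_SITE" >&2
  exit 1
fi

# Enable the site
ln -sf /etc/nginx/sites-available/openhands /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default

# Test Nginx configuration before reloading so a bad config never replaces
# the running one.
if nginx -t; then
  systemctl reload nginx
  echo "Nginx configuration updated and reloaded successfully"
  echo "OpenHands should now be accessible via the web proxy"
else
  echo "Error: Nginx configuration test failed" >&2
  exit 1
fi
EOF
# Root-only: the script edits nginx config and reloads the service.
chmod 700 /root/update_openhands_ip.sh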
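# Configure fail2ban for additional security.
# NOTE(review): ignoreip hard-codes 10.0.0.0/16 as the trusted network, and
# the sshd jail points at /var/log/auth.log, which only exists when rsyslog is
# installed (recent Ubuntu releases log to the journal by default) — confirm
# both against the deployment, or the sshd jail may fail to start.
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 10.0.0.0/16

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3

# Repeated failed basic-auth attempts against the proxy (logged by nginx).
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 7200

# Clients that keep tripping the limit_req zone.
[nginx-limit-req]
enabled = true
filter = nginx-limit-req
logpath = /var/log/nginx/error.log
maxretry = 10
findtime = 600
bantime = 600
EOF

# Create custom fail2ban filter for nginx rate limiting.
# NOTE(review): this overwrites the filter of the same name that fail2ban
# itself ships, which already matches nginx's "limiting requests" line —
# confirm the override is still needed.
cat > /etc/fail2ban/filter.d/nginx-limit-req.conf << 'EOF'
[Definition]
failregex = limiting requests, excess: .* by zone .*, client: <HOST>
ignoreregex =
EOF

# Configure log rotation. The nginx package installs /etc/logrotate.d/nginx
# for the same /var/log/nginx/*.log glob; logrotate refuses duplicate
# definitions for a log file and would skip one of them with an error, so the
# packaged entry is removed and this one (30 rotations) is the only definition.
rm -f /etc/logrotate.d/nginx
cat > /etc/logrotate.d/openhands-proxy << 'EOF'
/var/log/nginx/*.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
create 0644 www-data adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi \
endscript
postrotate
invoke-rc.d nginx rotate >/dev/null 2>&1
endscript
}
EOF

# Enable and start services. At this point only the distro default site is
# enabled; the OpenHands vhost is activated by /root/update_openhands_ip.sh
# once the backend address is known.
systemctl enable nginx fail2ban
systemctl start nginx fail2ban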
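# Create monitoring script. Quoted heredoc: all expansions belong to the
# generated script, not to this one.
cat > /root/monitor_proxy.sh << 'EOF'
#!/bin/bash
# Simple monitoring script for the web proxy. Run by root from cron every
# 15 minutes; appends one status block per run to LOG_FILE and restarts
# nginx/fail2ban if they are found stopped. Deliberately no `set -e`: a failed
# restart must not prevent the remaining checks from being logged.
LOG_FILE="/var/log/proxy-monitor.log"

echo "=== $(date) ===" >> "$LOG_FILE"

# Check Nginx status
if systemctl is-active --quiet nginx; then
  echo "Nginx: RUNNING" >> "$LOG_FILE"
else
  echo "Nginx: STOPPED - Attempting restart" >> "$LOG_FILE"
  systemctl restart nginx
fi

# Check fail2ban status
if systemctl is-active --quiet fail2ban; then
  echo "Fail2ban: RUNNING" >> "$LOG_FILE"
else
  echo "Fail2ban: STOPPED - Attempting restart" >> "$LOG_FILE"
  systemctl restart fail2ban
fi

# Check SSL certificate expiry, and flag it while there is still time to
# renew: -checkend exits non-zero when the cert expires within N seconds
# (2592000 s = 30 days). Its stdout is discarded so cron does not mail it.
CERT_FILE="/etc/ssl/certs/nginx-selfsigned.crt"
CERT_EXPIRY=$(openssl x509 -in "$CERT_FILE" -noout -enddate | cut -d= -f2)
echo "SSL Certificate expires: $CERT_EXPIRY" >> "$LOG_FILE"
if ! openssl x509 -in "$CERT_FILE" -noout -checkend 2592000 > /dev/null; then
  echo "WARNING: SSL Certificate expires within 30 days" >> "$LOG_FILE"
fi

# Check disk space (use% of the root filesystem)
DISK_USAGE=$(df -h / | awk 'NR==2 {print $5}')
echo "Disk usage: $DISK_USAGE" >> "$LOG_FILE"

# Check memory usage: used/total from the Mem: line of free(1)
MEM_USAGE=$(free | awk '/^Mem:/ {printf("%.1f%%", $3/$2 * 100.0)}')
echo "Memory usage: $MEM_USAGE" >> "$LOG_FILE"
echo "" >> "$LOG_FILE"
EOF
# Root-only: the script restarts system services.
chmod 700 /root/monitor_proxy.sh

# Add monitoring to crontab. `crontab -` replaces root's whole crontab rather
# than appending to it; on a fresh instance there is nothing to lose.
echo "*/15 * * * * /root/monitor_proxy.sh" | crontab -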
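# Install CloudWatch agent if available. The guard is effectively always true
# because awscli is installed above; it is kept so the block stays optional if
# that package is ever dropped. Failures here are non-fatal: under `set -e` a
# bare failing wget would abort the whole bootstrap before the setup log and
# SSH hardening below ever ran, so the download is checked explicitly and the
# package goes into a private temp dir rather than the current directory.
# NOTE(review): the .deb is fetched over HTTPS but its signature is not
# verified before dpkg -i; consider checking the publisher's signature on the
# package before installing it.
if command -v aws &> /dev/null; then
  cw_tmp=$(mktemp -d)
  if wget -q -O "$cw_tmp/amazon-cloudwatch-agent.deb" \
      https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb; then
    # Best-effort install, as before: a dpkg failure (e.g. missing
    # dependencies) must not stop the rest of the setup.
    dpkg -i "$cw_tmp/amazon-cloudwatch-agent.deb" 2>/dev/null || true
  else
    echo "Warning: CloudWatch agent download failed; skipping agent install" >&2
  fi
  rm -rf -- "$cw_tmp"
fi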
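# Create setup completion log. Unquoted heredoc: $(date), ${project_name} and
# $OPENHANDS_PASSWORD are expanded here. The file holds the only copy of the
# plaintext password, so it is written inside a umask 077 subshell and is
# never readable by other users, not even briefly before the chmod below.
# NOTE(review): a log file is a weak home for a credential (it survives in AMI
# snapshots and backups); consider handing the password to a secrets store and
# removing it from disk once the operator has retrieved it.
(
  umask 077
  cat > /var/log/setup.log << EOF
=== Web Proxy Setup Complete ===
Date: $(date)
Project: ${project_name}
Credentials:
- Username: openhands
- Password: $OPENHANDS_PASSWORD
Next Steps:
1. Update OpenHands server IP: /root/update_openhands_ip.sh <private-ip>
2. Access web interface: https://<public-ip>
Configuration Files:
- Nginx config: /etc/nginx/sites-available/openhands
- SSL certificate: /etc/ssl/certs/nginx-selfsigned.crt
- Authentication: /etc/nginx/.htpasswd
- Fail2ban config: /etc/fail2ban/jail.local
Monitoring:
- Monitor script: /root/monitor_proxy.sh
- Monitor log: /var/log/proxy-monitor.log
EOF
)
chmod 600 /var/log/setup.log

# Secure SSH configuration. The stock Ubuntu sshd_config comments these
# directives out with different text (e.g. "#PermitRootLogin prohibit-password"),
# so matching the literal "#PermitRootLogin yes" changed nothing; the patterns
# below replace the directive whatever its current commented or uncommented
# value is, and set the value the original intended.
# NOTE(review): "PasswordAuthentication yes" explicitly enables password SSH
# logins for the openhands account (whose password also unlocks the web
# proxy). Key-only access ("no") is the stronger choice for an internet-facing
# host; kept as written since the original set it deliberately. Drop-ins under
# /etc/ssh/sshd_config.d/ are read first by sshd and win over the main file —
# confirm none of them contradicts these settings.
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication yes/' /etc/ssh/sshd_config
# Validate before restarting: a broken sshd_config would otherwise leave the
# instance without any way in.
sshd -t
systemctl restart sshd

echo "Web proxy setup completed successfully!"
echo "Check /var/log/setup.log for credentials and next steps"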