Secure your STRONG node with a reverse proxy

Ok, you’ve followed GrzzDad’s guide, set up GETH as a service following my previous post and now… Now you should secure your node a bit more by setting up a reverse proxy for your endpoint access.

If you’re running your STRONG node on a Pi4, I’m not sure whether this will overload your Pi, but you can try to follow along.

First let’s install Nginx:

sudo apt update
sudo apt install nginx

and then we start & enable the service:

sudo systemctl start nginx
sudo systemctl enable nginx

Now let’s enable HTTP access through the firewall:

sudo ufw allow http

Next we’ll create the configuration file for our endpoint access to GETH:

sudo nano /etc/nginx/conf.d/geth.conf

Paste the following into that document:

server {
  listen 80;
  listen [::]:80;
  server_name localhost;

  location ^~ /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://127.0.0.1:8546/;
  }

  location ^~ /rpc {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://127.0.0.1:8545/;
  }
}

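Disable or delete the default “Welcome to NGINX” page. Depending on how Nginx was packaged, only one of these two files may exist, so a “No such file” error from the other command can be ignored: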

sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
sudo rm /etc/nginx/sites-enabled/default

Test the configuration:

sudo nginx -t

If no errors are reported, reload the new configuration:

sudo nginx -s reload

That’s it, your endpoints are now reachable at:
RPC: http://<node address>/rpc
WS: ws://<node address>/ws

If you want to be secure, you should disable access to ports 8545 and 8546 from the outside again (Nginx reaches GETH over 127.0.0.1, so the proxy is not affected) with:

sudo ufw deny 8545/tcp
sudo ufw deny 8546/tcp
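
To confirm the firewall ended up in the state this guide aims for (port 80 open, no rule still allowing 8545 or 8546), here is an added example that is not part of the original post. The function name audit_ufw and the sample status text are constructed for illustration, and it assumes plain "port/proto" rules like the ones created above.

```shell
#!/bin/sh
# Added example (not from the original post): audit `ufw status` text on stdin.
# Assumes plain "port/proto" rules such as those created by the commands above.
audit_ufw() {
    awk '
        BEGIN { active = 0; http = 0; bad = 0 }
        /^Status:/ { active = ($2 == "active"); next }
        {
            # The action is field 2, or field 3 on "(v6)" lines.
            action = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) { action = $i; break }
            if (action == "") next
            split($1, p, "/"); port = p[1]
            if ((port == "8545" || port == "8546") && action != "DENY" && action != "REJECT") {
                print "FAIL: " $1 " is " action ", GETH is reachable without the proxy"
                bad = 1
            }
            if (port == "80" && action == "ALLOW") http = 1
        }
        END {
            if (!active) { print "FAIL: ufw is not active, no rule is enforced"; bad = 1 }
            if (!http)   { print "FAIL: no ALLOW rule for port 80, proxy unreachable"; bad = 1 }
            if (!bad)    print "OK: port 80 open, no ALLOW rule for 8545/8546"
            exit bad
        }'
}

# Constructed sample: 8546 was never switched from ALLOW to DENY.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
8545/tcp                   DENY        Anywhere
8546/tcp                   ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw || echo "ufw rules need fixing"
# On the node itself: sudo ufw status | audit_ufw
```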

And that’s that, more secured but still accessible from the outside…

If you appreciate the info, send me some signals towards Morty’s node or Morty’s captain future node at app.strongblock.com.
