Secure your STRONG node with a reverse proxy

Ok, you’ve followed GrzzDad’s guide, setup GETH as a service following my previous post and now… Now you should secure your node a bit more with setting up a reverse proxy for your endpoint access.

If you’re running your STRONG node on a Pi4 i’m not sure if this won’t overload the capacity of your Pi, but you can try to follow along.

First lets install Nginx:

sudo apt update
sudo apt install nginx

and then we start & enable the service:

sudo systemctl start nginx
sudo systemctl enable nginx

Now let’s enable HTTP access through the firewall:

sudo ufw allow http

Next we’ll create the configuration file for out endpoint access to GETH:

sudo nano /etc/nginx/conf.d/geth.conf

Paste the following into that document:

server {
  listen 80;
  listen [::]:80;
  server_name yournodehostname;

  location ^~ /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://127.0.0.1:8546/;
  }

  location ^~ /rpc {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://127.0.0.1:8545/;
  }
}

Replace yournodehostname with the subdomain you created for your node.

Disable or delete the default Welcome to NGINX page:

sudo rm /etc/nginx/sites-enabled/default

Test the configuration:

sudo nginx -t

If no errors are reported, reload the new configuration:

sudo nginx -s reload

That’s it, your endpoints are now reachable at:
RPC: http://<node address>/rpc
WS: ws://<node address>/ws

If you want to be secure you should disable access to ports 8545 and 8546 from the outside again with:

sudo ufw delete allow 8545/tcp
sudo ufw delete allow 8546/tcp

And that’s that, more secured but still accessible from the outside…

Now making it even a bit more secure we can add SSL to the mix. First we need to install certbot:

sudo add-apt-repository ppa:certbot/certbot

Press [Enter] to continue the installation.

sudo apt update
sudo apt install python-certbot-nginx

Now let’s reconfigure the firewall again:

sudo ufw allow 'Nginx Full'
sudo ufw allow ssh
sudo ufw delete allow http
sudo ufw enable

And finally we need to get the certificate:

sudo certbot --nginx -d yournodehostname

Replace yournodehostname with the same subdomain you entered into the geth.conf earlier.

You can fill in your e-mail if you want, you need to Agree to the terms of service and can subscribe to the newsletter if you want.

Lastly, make sure you select select Redirect (2) to redirect all traffic to HTTPS.

Oh, and don’t forget to update your endpoints in the json if you did this:

"rpc_endpoint": "https://yournodehostname/rpc"
"ws_endpoint": "wss://yournodehostname/ws"

If you appreciate the info, send me some signals towards Morty’s node or Morty’s captain future node at app.strongblock.com.

Leave a Reply