In short, user provide ssh key to rpc server manager. Once the manager configured, then everytime the user need to type folowing commands to access to the geth rpc server:
ssh -N -L 9545:localhost:8545 geth@machine_A_addr- ... and set the rpc to
http://localhost:9545
For convenienve, in the following I use these abbreviations:
- machine A: run geth full node with RPC server
- machine B: using the geth RPC from machine A
To let B use rpc from A. instead of open the geth rpc in A to public, one other way is use ssh port forwarding. Machine B ssh into A with port forwarding which map port 8545 of machine A to a port of machine B (in the following I'll use port 9545).
Why this way?
- Don't want to run geth node in all machines
- infura free tier is limited to 100,000 queries/day (as of Aug 2019)
- https://cloudflare-eth.com does not have test net nodes, and don't know the rate limits
- in A, add an account, here use
geth- with a home directory and password (but only allow ssh key to login, see below)
- in A,
/etc/ssh/sshd_configshould contain this linePasswordAuthentication noto deny password login- passwordless login is not essential, but safer and more convenient
- in B, create a ssh key pair or use existing one. To create one, one can use:
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "john@example.com"- remember the passphrase; replace the comment above (value of
-C) to a reasonable one
- in B, copy the content of the pub key (such as
~/.ssh/ip_ed25519.pub) - in A, paste the content of the pub key into the file
$HOME/.ssh/authorized_keysof accountgeth- now should able to ssh into A from B with the key
- (In A) By default, sshd block port forwarding, need to add these lines to the END of
/etc/ssh/sshd_config- Match User geth
- AllowTcpForwarding yes
- PermitOpen localhost:8545
- (in A) restart sshd by
sudo service sshd restart
So, during preparation, the user in B only need to do one thing: provide pub key to manager of A.
Assuming in A there is a geth running with rpc server enabled. For user in B:
- Use ssh port forwarding, such as local port 9545 mapping to remote host 8545:
ssh -N -L 9545:localhost:8545 geth@machine_A_addr- to close the connection, simply
CTRL-C- alternatively add the
-fargument to send ssh to background. To close it, need to locate it bytoporps auxthen kill it.
- alternatively add the
- set the rpc to
http://localhost:9545
The user provide the ssh pub key to manager of A. Once A append it to the authorized_keys, user in C simply follow the usage above to connect to RPC in A.
- SECURITY In A, should restrict further the account
geth, such as- add the
commandoption inauthorized_keys, for example, see https://www.linuxjournal.com/article/8257 - use chroot?
- also, do not unlock through the open rpc (unless trust all other users)
- add the
- here assume the firewall in A is properly configured (8545 and 30303 should open if connect to public chain).
- To temporarily stop such service in A, either:
- use
sudo usermod -L gethto lock the account (use-Uto unlock) - remove the corresponding key in
$HOME/.ssh/authorized_keysof account geth
- use
- How to expose geth RPC to external connections
- https://ethereum.stackexchange.com/questions/3163/how-can-i-expose-geths-rpc-server-to-external-connections
- again, DO NOT set
--rpcaddr "0.0.0.0"
- in sshd, only allow port forwarding for some ports: