@azappella
Forked from miohtama/geth-secure.md
Created October 18, 2018 15:20
Secure RPC connections to geth daemon

Go Ethereum (geth) is node software for Ethereum. geth doesn't provide secure networking for its RPC interface, nor should it, as this kind of built-in functionality would increase complexity and add attack surface to critical blockchain node software. Fortunately, in the UNIX world you can easily combine different tools to work together. The solution to this particular problem is to use VPN/tunneling software for secure connections. The tunnel exposes the server's local connections to your own computer. The most popular tool for this (available in every OS by default, nowadays including Windows) is Secure Shell (SSH).

Note this question only addresses issues how to

If you are not familiar with SSH, please first read an SSH tutorial on how to safely do passwordless logins using SSH keys.

Start a node on the server. When the node starts it binds its RPC port to localhost (127.0.0.1 in IPv4, ::1 in IPv6). This is the so-called loopback interface, which can only be reached from the computer itself and not from the external network. If you need to daemonize the node so it keeps running in the background, you can e.g. use the UNIX screen command:

 geth --testnet --fast --rpc --rpcapi "db,eth,net,web3,personal" --verbosity 3 --rpccorsdomain "*"

Then on the local computer we define a connection to this SSH host in the ~/.ssh/config file, which also holds the tunneling parameters. We build a tunnel from local port 8545 to port 8545 on the server.

# Host alias; connect with: ssh ethereum-testnet
# (ssh_config does not allow trailing comments after a value, so comments go on their own lines)
Host ethereum-testnet
    # UNIX remote user
    User ubuntu
    # Server IP address
    Hostname 8.8.8.8
    # SSH key file we use to log in
    IdentityFile ~/.ssh/testnet-private-key.pem
    # Define tunnel: local port 8545 (bound to loopback only by default) -> server's localhost:8545
    LocalForward 8545 localhost:8545

Connect to the remote server and build the tunnel:

# We give some extra verbosity level to debug connectivity issues
ssh -vvvv ethereum-testnet
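A check worth running on both ends of this setup, the server after geth has started and the local machine after ssh has brought up the LocalForward, is whether port 8545 is listening only on a loopback address. The script below is an added example and not part of the gist: it parses `ss -ltn` output (here a constructed sample, so it runs offline) and reports any listener on the RPC port bound to a non-loopback address, which is what you would see if geth had been started with `--rpcaddr 0.0.0.0` or the tunnel had been bound to all interfaces. `SAMPLE_SS`, `SAMPLE_SS_OK`, `exposed_listeners` and `check_rpc_binding` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the gist): report whether the geth RPC port is
# listening only on loopback. Reads `ss -ltn` output on stdin.

RPC_PORT="${RPC_PORT:-8545}"

# Constructed sample of `ss -ltn` output. Port 8545 is correctly on the two
# loopback addresses but also, wrongly, on 0.0.0.0 (every IPv4 interface).
# Port 30303 is geth's peer-to-peer port and is expected to be public.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    127.0.0.1:8545       0.0.0.0:*
LISTEN  0       4096    [::1]:8545           [::]:*
LISTEN  0       4096    0.0.0.0:8545         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    0.0.0.0:30303        0.0.0.0:*'

# Constructed sample of a correctly bound node.
SAMPLE_SS_OK='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    127.0.0.1:8545       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:30303        0.0.0.0:*'

# exposed_listeners PORT: print (space-separated) every local address on which
# PORT is listening that is not loopback; exit 1 if there are any, 0 if none.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Column 4 is "address:port"; the port is the text after the last colon.
            n = split($4, part, ":")
            p = part[n]
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            # 127.0.0.0/8 and ::1 are loopback; ss prints IPv6 addresses in brackets.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            list = list (list == "" ? "" : " ") addr
        }
        END { if (list != "") { print list; exit 1 } }'
}

# check_rpc_binding PORT: human-readable verdict with the same exit status.
check_rpc_binding() {
    port="$1"
    if exposed=$(exposed_listeners "$port"); then
        echo "ok: port $port listens only on loopback"
    else
        echo "EXPOSED: port $port also listens on $exposed"
        return 1
    fi
}

# Stand-alone demo on the constructed samples. On a real host run:
#   ss -ltn | check_rpc_binding 8545
printf '%s\n' "$SAMPLE_SS_OK" | check_rpc_binding "$RPC_PORT"
printf '%s\n' "$SAMPLE_SS" | check_rpc_binding "$RPC_PORT" ||
    echo "fix: start geth without --rpcaddr 0.0.0.0 (or firewall port $RPC_PORT) and use the SSH tunnel instead"
```

The parser relies on the column layout of `ss -ltn`; `netstat -ltn` prints its columns in a different order, so feed it `ss` output only.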

Now you can safely interact with geth from your local computer over the localhost:8545 tunnel. Example: start the miner:

curl -X POST -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"miner_start","params":[],"id":74}' localhost:8545

Another example, unlocking a geth account from the local computer (bash, because of read -s):

#!/bin/bash
# Figure out the coinbase account over web3 (geth prints it as a quoted string)
COINBASE=$(geth --exec 'web3.eth.coinbase' attach rpc:http://127.0.0.1:8545)

# Ask for the passphrase without echoing it
echo -n "Give passphrase to unlock $COINBASE: "
read -s password
echo

# Unlock the coinbase for 30 days (30*24*3600 seconds). The passphrase goes in
# single quotes inside the JavaScript so the shell's double quotes stay intact;
# a passphrase containing a single quote would still break this line.
geth --exec "web3.personal.unlockAccount($COINBASE, '$password', 30*24*3600)" attach rpc:http://127.0.0.1:8545
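The script above passes the passphrase on the geth command line, where any process on the local machine can read it from the process list, and its quoting breaks on passphrases containing quote characters. The following is an added example, not code from the gist, that does the same unlock flow over the tunnel with plain JSON-RPC: it escapes the passphrase for JSON, builds the `eth_coinbase` and `personal_unlockAccount` requests, and posts the body from stdin so it never appears in `ps`. `RPC_URL`, `SAMPLE_ACCOUNT`, `SAMPLE_REPLY` and the function names are assumptions made for this example; the RPC method names are geth's.

```shell
#!/bin/sh
# Added example (not from the gist): build geth JSON-RPC requests for the
# unlock flow with proper JSON escaping and send them through the tunnel with
# the body on stdin, so the passphrase never appears on a command line.
# RPC_URL, the account and the passphrase below are constructed sample values.

RPC_URL="${RPC_URL:-http://127.0.0.1:8545}"   # local end of the SSH tunnel

# json_escape STRING: escape backslash, double quote, tab and newline for use
# inside a JSON string literal. Other control characters pass through unchanged.
json_escape() {
    tab=$(printf '\t')
    printf '%s' "$1" |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g" |
        awk '{ if (NR > 1) printf "%s", "\\n"; printf "%s", $0 }'
}

# rpc_body METHOD PARAMS_JSON ID: one JSON-RPC 2.0 request object.
rpc_body() {
    printf '{"jsonrpc":"2.0","method":"%s","params":%s,"id":%s}' "$1" "$2" "$3"
}

# coinbase_body: request equivalent to the gist's web3.eth.coinbase lookup.
coinbase_body() {
    rpc_body eth_coinbase '[]' 1
}

# coinbase_from_response: pull the 0x address out of an eth_coinbase reply on stdin.
coinbase_from_response() {
    sed -n 's/.*"result":"\(0x[0-9a-fA-F]*\)".*/\1/p'
}

# unlock_body ACCOUNT PASSPHRASE SECONDS: personal_unlockAccount request.
# A short duration limits how long the key stays usable to anything that can
# reach the RPC; the gist's 30*24*3600 is 30 days.
unlock_body() {
    case "$1" in
        0x[0-9a-fA-F]*) ;;
        *) echo "unlock_body: account must be a 0x-prefixed hex address" >&2; return 1 ;;
    esac
    rpc_body personal_unlockAccount "[\"$1\",\"$(json_escape "$2")\",$3]" 2
}

# send_rpc: POST the request body from stdin to the tunnel endpoint.
# `--data @-` reads stdin, so the passphrase is not visible in `ps`.
send_rpc() {
    curl -sS -X POST -H 'Content-Type: application/json' --data @- "$RPC_URL"
}

# Stand-alone demo with a constructed account, a constructed eth_coinbase reply
# and a passphrase containing the characters that break naive interpolation.
SAMPLE_ACCOUNT=0x00112233445566778899aabbccddeeff00112233
SAMPLE_REPLY='{"jsonrpc":"2.0","id":1,"result":"0x00112233445566778899aabbccddeeff00112233"}'
printf '%s\n' "$SAMPLE_REPLY" | coinbase_from_response
unlock_body "$SAMPLE_ACCOUNT" 'pa"ss\word' 300
echo
# Real use over the tunnel (stty -echo keeps the passphrase off the terminal):
#   coinbase=$(coinbase_body | send_rpc | coinbase_from_response)
#   printf 'Passphrase for %s: ' "$coinbase"; stty -echo; read -r pass; stty echo; echo
#   unlock_body "$coinbase" "$pass" 300 | send_rpc
```

Because the body is piped into curl, the passphrase lives only in the shell's memory and the tunnel; the three-line usage at the bottom is the whole interactive flow.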