Last active July 21, 2020 07:27
Securing your Elrond validator + Netdata service behind nginx with self-signed SSL certificate on Ubuntu
After the steps below, only SSH (22) and HTTPS (443) are reachable from outside; Netdata and the node's REST API are not exposed directly but are served through nginx over TLS at the following URLs:

  • https://<server ip>/node/* - you should see JSON output showing node stats (replace * with status, statistics, etc.; see the full list in the node API docs). Note that this path carries no password in the config below, so anyone who can reach port 443 can read it; if that is not acceptable, add the same auth_basic lines to its location block.
  • https://<server ip>/netdata - you will be prompted for the username and password you set up below, after which you should see your Netdata dashboard

How to do it

Set up the firewall (all commands in this guide are run as root; allow SSH before enabling ufw, otherwise you lock yourself out of the server):

ufw allow 22
ufw allow 443
ufw enable

Generate a self-signed SSL certificate (more advanced users are encouraged to use letsencrypt for a proper one). You will be prompted for the subject fields (country, organisation, common name, etc.); enter the server IP as the common name. The key is written without a passphrase (-nodes) so nginx can start unattended, which means it must stay readable only by root: after moving it, check with ls -l that elrond.key is mode 600 and owned by root.

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out elrond.crt \
            -keyout elrond.key
mv elrond.crt /etc/ssl/certs
mv elrond.key /etc/ssl/private

Install nginx and apache2-utils (which provides htpasswd):

apt install nginx apache2-utils

Create the auth file (Note: replace <username> with your desired login username. You will be prompted for the password you want to use with this username. htpasswd stores an MD5-based hash by default; pass -B as well to use bcrypt, which is much slower to brute-force if the file ever leaks):

cd /etc/nginx
htpasswd -c ./httpd.auth <username>

Edit /etc/nginx/sites-available/default and replace its contents with the following (the two backend ports are assumptions not stated in the original gist: 19999 is Netdata's default, 8080 is the default elrond-go REST API port; adjust them to match your node):

upstream backend {
	# Netdata's default listen port (assumption; adjust if you changed it)
	server 127.0.0.1:19999;
	keepalive 64;
}

server {
	listen 443 default_server ssl;
	server_name  _;

	ssl_certificate      /etc/ssl/certs/elrond.crt;
	ssl_certificate_key  /etc/ssl/private/elrond.key;
	keepalive_timeout    70;

	# Node REST API: /node/status, /node/statistics, ... are passed through unchanged.
	# No auth_basic here, so these endpoints are readable by anyone who reaches port 443.
	# 8080 is the elrond-go default REST API port (assumption; check your node's setting).
	location /node {
		proxy_pass http://127.0.0.1:8080;
	}

	location = /netdata {
		return 301 /netdata/;
	}

	location ~ /netdata/(?<ndpath>.*) {
		# Basic auth sends the credentials base64-encoded on every request;
		# this is only acceptable because the server listens on TLS alone.
		auth_basic           "Elrond validator";
		auth_basic_user_file /etc/nginx/httpd.auth;

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
		proxy_pass http://backend/$ndpath$is_args$args;

		gzip on;
		gzip_proxied any;
		gzip_types *;
	}
}

Check the configuration and reload nginx with nginx -t && systemctl reload nginx. Now you can visit the URLs shown at the beginning and they should work!
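As an added example (not part of the original gist), the certificate step and the browser-warning check from above as a small script. Unlike the bare openssl command in the guide it puts the server IP into a subjectAltName (modern browsers ignore the common name, so without this the warning persists even after you trust the certificate), creates the key with a restrictive umask, and prints the SHA-256 fingerprint so you can compare it against what the browser shows before clicking through. It assumes OpenSSL 1.1.1 or later (for -addext), GNU stat, and uses the documentation address 203.0.113.10 purely for illustration; the function names are mine, not the project's.

```shell
#!/bin/sh
# Added example, not from the original gist. Assumes OpenSSL >= 1.1.1 (-addext)
# and GNU coreutils (stat -c). The IP 203.0.113.10 below is a placeholder.
set -eu

# gen_self_signed <server-ip> <outdir>
# Writes <outdir>/elrond.key (mode 600) and <outdir>/elrond.crt, valid 10 years,
# with the IP as common name and as a subjectAltName so browsers can match the host.
gen_self_signed() {
	ip="$1"; dir="$2"
	mkdir -p "$dir"
	# umask 077 so the key is never world-readable, even for an instant
	( umask 077 && openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
		-subj "/CN=${ip}" \
		-addext "subjectAltName=IP:${ip}" \
		-keyout "${dir}/elrond.key" -out "${dir}/elrond.crt" >/dev/null 2>&1 )
	chmod 600 "${dir}/elrond.key"
	chmod 644 "${dir}/elrond.crt"
}

# cert_fingerprint <crt>
# SHA-256 fingerprint in the colon-separated form browsers display in the
# certificate viewer (AA:BB:...). Compare this with the value in the warning page.
cert_fingerprint() {
	openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# cert_matches_ip <crt> <ip>
# Returns 0 if the certificate lists the IP as a subjectAltName (exact match).
cert_matches_ip() {
	re=$(printf '%s' "$2" | sed 's/\./\\./g')
	openssl x509 -noout -text -in "$1" | grep -Eq "IP Address:${re}(,|$)"
}

# key_mode <file>: octal permission bits, e.g. 600
key_mode() {
	stat -c '%a' "$1"
}

# verify_remote <host> <expected-fingerprint>
# Fetches the certificate nginx actually serves on 443 and compares it with the
# fingerprint computed locally; a mismatch means you are not talking to your server.
verify_remote() {
	served=$(openssl s_client -connect "$1:443" </dev/null 2>/dev/null \
		| openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
	[ "$served" = "$2" ]
}

# Usage: ./gen-cert.sh <server-ip> [outdir]
# Prints the fingerprint to note down before opening https://<server-ip>/ in a browser.
if [ $# -ge 1 ]; then
	gen_self_signed "$1" "${2:-.}"
	echo "key mode:    $(key_mode "${2:-.}/elrond.key")"
	echo "fingerprint: $(cert_fingerprint "${2:-.}/elrond.crt")"
fi
```

After copying the files into /etc/ssl as the guide describes and reloading nginx, `verify_remote <server-ip> <fingerprint>` run from another machine confirms that the certificate the browser is about to warn you about is the one you generated and not one injected on the path.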


The certificate is self-signed, so your browser will warn you when you visit, e.g.:

Your connection is not private
Attackers might be trying to steal your information from ...

Before continuing, open the certificate details in the warning page and compare its SHA-256 fingerprint with the one on the server (openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/certs/elrond.crt): a self-signed certificate that you have not checked is indistinguishable from one presented by someone intercepting the connection. If they match, accept the certificate and continue.

To avoid this message altogether you will need to obtain an actual CA-signed SSL certificate using letsencrypt.

SeverMM commented Jul 18, 2020

Thank you so much for putting this together.