@hiddentao
Last active July 21, 2020 07:27

Securing your Elrond validator + Netdata service behind nginx with self-signed SSL certificate on Ubuntu

Following these steps puts your node server behind the firewall, with only the following URLs reachable:

  • https://<server ip>/node/* - you should see JSON output showing node stats (replace * with status, statistics, etc.; see the full list)
  • https://<server ip>/netdata - you will be prompted for the username and password you set up below, after which you should see your netdata dashboard

How to do it

Set up the firewall:

ufw allow 22
ufw allow 443
ufw enable

Generate a self-signed SSL certificate (more advanced users are encouraged to use Let's Encrypt for a proper one!):

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out elrond.crt \
            -keyout elrond.key

mv elrond.crt /etc/ssl/certs
mv elrond.key /etc/ssl/private

Install nginx and some utilities:

apt install nginx apache2-utils

Create the auth file (note: replace <username> with your desired login username; you will be prompted for the password you want to use with this username):

cd /etc/nginx
htpasswd -c ./httpd.auth <username>

Edit /etc/nginx/sites-available/default and enter the following as its contents:

upstream backend {
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    listen 443 default_server ssl;
    server_name  _;

    ssl_certificate      /etc/ssl/certs/elrond.crt;
    ssl_certificate_key  /etc/ssl/private/elrond.key;
    keepalive_timeout    70;

    location /node {
        proxy_pass http://127.0.0.1:8080/node;
    }

    location = /netdata {
        return 301 /netdata/;
    }

    location ~ /netdata/(?<ndpath>.*) {
        auth_basic           "Elrond validator";
        auth_basic_user_file /etc/nginx/httpd.auth;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        proxy_pass http://backend/$ndpath$is_args$args;

        gzip on;
        gzip_proxied any;
        gzip_types *;
    }
}

Now you can visit the URLs shown at the beginning and they should work!

Troubleshooting

The certificate is self-signed, so your browser may warn you when you visit the site, e.g.:

Your connection is not private
Attackers might be trying to steal your information from ...
NET::ERR_CERT_AUTHORITY_INVALID

Just ignore this and continue onwards.

To avoid this message you will need to obtain an actual CA-signed SSL certificate, e.g. from Let's Encrypt.
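The script below is an added example and not part of the original gist; it checks that the setup above actually behaves as described, and gives you something to compare against that browser warning. It assumes the gist's own values: ufw allows only ports 22 and 443, nginx terminates TLS on 443, netdata listens on 127.0.0.1:19999, the node REST API on 127.0.0.1:8080, the certificate is at /etc/ssl/certs/elrond.crt, and curl, openssl and ufw are installed on the server. The `/node/status`, `/netdata` and `/netdata/` URLs are the ones configured in /etc/nginx/sites-available/default above; the `check.sh` file name is just a placeholder.

```shell
#!/usr/bin/env bash
# Post-setup check for the firewall + nginx layout from the gist.
# Added example, not part of the original gist. Assumes: ufw allows only
# 22 and 443, nginx serves HTTPS on 443, netdata on 127.0.0.1:19999, node
# REST API on 127.0.0.1:8080, certificate at /etc/ssl/certs/elrond.crt,
# and curl/openssl/ufw installed on the server.
set -u

# The only ports the gist opens. Anything else (in particular 19999 and 8080)
# must stay closed so that netdata and the node API are reachable only
# through nginx, i.e. with TLS and, for netdata, basic auth.
ALLOWED_PORTS="22 443"

# Read `ufw status` text on stdin and print each allowed port, one per line.
# Typical lines: "443    ALLOW   Anywhere", "22/tcp   ALLOW   Anywhere",
# "22 (v6)   ALLOW   Anywhere (v6)". A "/tcp" or "/udp" suffix is stripped.
ufw_allowed_ports() {
    awk '/[[:space:]]ALLOW[[:space:]]/ { sub(/\/.*/, "", $1); print $1 }' | sort -un
}

# Return 0 if every allowed port is in ALLOWED_PORTS, otherwise print the
# unexpected ports and return 1. Input: `ufw status` text on stdin.
firewall_check() {
    bad=0
    for port in $(ufw_allowed_ports); do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "unexpected open port: $port"; bad=1 ;;
        esac
    done
    return $bad
}

# HTTP status code of a URL fetched through nginx. -k accepts the self-signed
# certificate; the optional second argument is "user:password" for basic auth.
http_status() {
    if [ -n "${2:-}" ]; then
        curl -sk -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -sk -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Compare an observed status with the expected one; return 0 only on a match.
expect_status() {
    label=$1; got=$2; want=$3
    if [ "$got" = "$want" ]; then
        echo "ok   $label ($got)"
        return 0
    fi
    echo "FAIL $label: got $got, expected $want"
    return 1
}

# Print the SHA-256 fingerprint of the server certificate. Compare it with the
# fingerprint shown in the browser's certificate viewer when the
# NET::ERR_CERT_AUTHORITY_INVALID warning appears: a match means the browser
# is seeing your own self-signed certificate, not a substituted one.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Run every check on the server. Usage: ./check.sh <server ip> <user:password>
run_checks() {
    host=$1; creds=$2; rc=0
    ufw status | firewall_check || rc=1
    expect_status "node stats reachable without auth" \
        "$(http_status "https://$host/node/status")" 200 || rc=1
    expect_status "/netdata redirects to /netdata/" \
        "$(http_status "https://$host/netdata")" 301 || rc=1
    expect_status "netdata refused without auth" \
        "$(http_status "https://$host/netdata/")" 401 || rc=1
    expect_status "netdata served with auth" \
        "$(http_status "https://$host/netdata/" "$creds")" 200 || rc=1
    cert_fingerprint /etc/ssl/certs/elrond.crt || rc=1
    return $rc
}

# Only run when invoked with both arguments, so the file can also be sourced.
if [ $# -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it on the node server after reloading nginx, e.g. `./check.sh <server ip> <username>:<password>`. The 401 check confirms that netdata is not served unauthenticated through nginx, and `firewall_check` confirms it cannot be reached around nginx either (a stray `ufw allow 19999` would show up as an unexpected open port). The printed fingerprint is what to compare with the certificate details in the browser before clicking through the warning.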

@SeverMM commented Jul 18, 2020

Thank you so much for putting this together.
