@mahansky
Created April 12, 2018 14:07
Skywire - Adding security features to official OS packages

About this guide

This guide is written for owners of an official Skywire Miner with the official OS packages installed. I tried to make it as simple as possible, skipping a lot of unnecessary steps, just to get it working. If you need further help, just ask in the Telegram group.

Table of contents

  1. Port forwarding
  2. NGINX SSL & HTTP BASIC AUTH
  3. Fail2Ban

1) Port forwarding

Intro

This is just a rewrite of a guide provided by @MrHodlr.

I'll be working with a standard setup, which is most likely the same as yours:

ISP -> Router (wifi) -> PC
                     -> Skywire Router -> Manager Node
                                       -> Node x7

The goal is to be able to SSH into your nodes from PC or even from outside of your network.

If you follow this guide, you will be able to directly control only your manager node. You will have to connect to other nodes through the manager node.

Setup Skywire Router

Remote access

  • Connect your PC to the Skywire Router (LAN port - one of the eight on the left side) using ethernet cable
  • Connect your home router to Skywire Router (WAN port - right side) using ethernet cable
  • Open http://192.168.0.1/ in your browser
  • Login with password admin
  • Go to Services -> Remote Management, turn it on with the default port (80)
  • Go to Home and remember the IP Address from section Internet Status
  • Unplug your ethernet cable from Skywire Router
  • Open http://<the IP address you remembered> (for example http://192.168.1.20) and you should see the Skywire Router's interface

Node port forwarding

You can access Skywire Router, now you want to be able to SSH into your nodes.

  • Open Skywire Router's interface again
  • Go to Services -> Port forwarding and enable it
  • Fill the form with following data:
IP: 192.168.0.2
Internal port: 22
External port: 55555 (you can use different number)
  • Submit it and repeat again:
IP: 192.168.0.2
Internal port: 443
External port: 55556 (you can use different number)
  • The first rule is for SSH (terminal), the second one is for the manager's web interface

Connect from outside of your network

In order for this to work, you must have a public IP.

If you want to be able to manage your node using SSH or the web interface from outside of your network, you will have to do the port forwarding on your home router as well. This time, you will use the IP of the Skywire Router (the one you were supposed to remember!); internal and external port should both be 55555. Then do it again with port 55556.

Connecting to the nodes

Open your terminal and connect to the manager node: ssh -p 55555 root@192.168.1.20 (55555 is the SSH port we forwarded, 192.168.1.20 is the IP of the Skywire Router)

The password should be 123456; change it by running the passwd command.

From here, you can connect to any other node by running ssh root@192.168.0.3, for example. The nodes have IPs in the range from 192.168.0.2 to 192.168.0.10.

2) NGINX SSL & HTTP BASIC AUTH

I guess you know something about HTTP/HTTPS (green lock in browser). Because we are super cool, we will have RED LOCK. Don't worry, I'll explain...

  • Generate a new self-signed SSL certificate: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt (when asked for details, just press enter)
  • Generate Diffie-Hellman parameters, referenced by ssl_dhparam in the config below: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 (it will take a while)
apt-get install nginx
cd /etc/nginx/snippets/
rm snakeoil.conf
nano ssl.conf
  • You are in a text editor, paste this:
# Self-signed certificate and key created with the openssl req command above
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

# TLSv1 and TLSv1.1 are legacy; drop them if every client you use supports TLSv1.2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling has no effect with a self-signed certificate (there is no OCSP responder); harmless but inactive
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security headers: HSTS for two years, no framing, no MIME sniffing
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# DH parameters created with the openssl dhparam command above
ssl_dhparam /etc/ssl/certs/dhparam.pem;
  • Save it (CTRL+X -> Y -> ENTER)
cd /etc/nginx/sites-enabled
rm default
nano manager
  • Editor, again, paste this:
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    # the snippet we created above (certificate paths and TLS settings)
    include snippets/ssl.conf;

    location / {
        # HTTP basic auth; users are read from the .htpasswd file created below
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # forward authenticated requests to the manager's web interface on localhost
        proxy_pass http://127.0.0.1:8000;
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
  • Save it
  • Let's create a login for HTTP basic auth. Replace MYLOGIN with whatever you want (it's like a username); the second command will prompt you for a password (you should use something strong)
sh -c "echo -n 'MYLOGIN:' >> /etc/nginx/.htpasswd"
sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"
  • Alright, restart NGINX to apply the changes: systemctl restart nginx

At this point, the web interface is protected by HTTP basic auth (the login you just created) and the communication is encrypted thanks to the certificate we generated earlier. You should be able to access the web interface on an address like https://192.168.1.20:55556 (notice https and the port). About the red lock: simply put, everything is working as expected. The browser warns because the certificate is self-signed rather than issued by a public CA; there is nothing to worry about. Just skip the warning (there IS a button or link).

3) Fail2Ban

In order to stop attackers from brute-forcing the passwords (SSH or HTTP basic auth), we need to install fail2ban.

  • Install it using apt-get install fail2ban
cd /etc/fail2ban/
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local
nano jail.local
  • Scroll down a bit to find [nginx-http-auth] and enable it by changing enabled = false to enabled = true
  • Save it

SSH protection is enabled by default; this step enables HTTP basic auth protection as well. You can modify fail2ban.local and jail.local further to enable other filters and limits.
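The [nginx-http-auth] jail works by matching the "password mismatch" and "was not found in" errors that auth_basic writes to the nginx error log and banning a client after maxretry failures within findtime seconds. As an added example (not part of the gist or of fail2ban), here is that detection logic in Python over a constructed sample of error.log lines, handy for checking what the jail would do with your own log before enabling it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two messages nginx logs for a failed auth_basic login; fail2ban's
# nginx-http-auth filter matches the same pair and takes the client IP from them.
AUTH_FAIL = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "(?P<user>[^"]*)"(?::? password mismatch| was not found in "[^"]*"), '
    r'client: (?P<ip>[^,]+), '
)

# Constructed sample of /var/log/nginx/error.log (not real traffic).
SAMPLE_LOG = """\
2018/04/12 14:07:01 [error] 1234#1234: *5 user "admin": password mismatch, client: 203.0.113.5, server: , request: "GET / HTTP/1.1", host: "192.168.1.20:55556"
2018/04/12 14:07:03 [error] 1234#1234: *6 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.5, server: , request: "GET / HTTP/1.1", host: "192.168.1.20:55556"
2018/04/12 14:07:04 [error] 1234#1234: *7 user "MYLOGIN": password mismatch, client: 192.168.1.10, server: , request: "GET / HTTP/1.1", host: "192.168.1.20:55556"
2018/04/12 14:07:06 [error] 1234#1234: *8 user "admin": password mismatch, client: 203.0.113.5, server: , request: "GET / HTTP/1.1", host: "192.168.1.20:55556"
2018/04/12 14:07:10 [notice] 1234#1234: signal process started
2018/04/12 14:07:12 [error] 1234#1234: *9 user "test" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.5, server: , request: "GET / HTTP/1.1", host: "192.168.1.20:55556"
2018/04/12 14:07:15 [error] 1234#1234: *10 user "admin": password mismatch, client: 203.0.113.5, server: , request: "GET / HTTP/1.1", host: "192.168.1.20:55556"
2018/04/12 14:30:00 [error] 1234#1234: *11 user "admin": password mismatch, client: 203.0.113.5, server: , request: "GET / HTTP/1.1", host: "192.168.1.20:55556"
"""

def parse_failures(log_text):
    """Yield (timestamp, client_ip, user) for every basic-auth failure line."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"], m["user"]

def offenders(log_text, maxretry=5, findtime=600):
    """Map client IP -> time of the failure that triggers a ban, using the sliding-window
    rule jail.local expresses as maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned:
            continue  # already banned; fail2ban's firewall rule would have dropped this client
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned
```

Running offenders over the sample bans 203.0.113.5 on its fifth failure at 14:07:15 while the single typo from 192.168.1.10 stays untouched; the 14:30:00 attempt falls outside the 600 s window and would start a fresh count.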
