LogoLogo
Visit Site
  • WELCOME
    • What is POKT?
    • $POKT Token
      • Bridging
        • Wrapped POKT (wPOKT)
          • Wrapping Walkthrough
          • Wrapping and Unwrapping FAQ
          • LP Staking Walkthrough
          • Liquidity Provider Staking FAQ
      • POKT Rewards
        • Stake POKT
      • Holding POKT
        • NodeWallet
        • Pocket Wallet
        • Ledger
  • WHO WE ARE
    • POKT Overview
  • POKT Protocol
    • Our evolution
    • The Morse Protocol
      • The Economics
    • The Shannon Upgrade
      • Technical Overview
        • Launch Roadmap
        • Morse -> Shannon Migration
          • PIP Migration
          • Other Migration
          • Expected Gaps
          • Future Features
        • Secondary DA Networks
      • Shannon Actors
        • Sovereign Applications
        • Gateways
        • Suppliers
        • Sources
      • Proposed Tokenomics
        • Token Logic Modules
        • Gaming Prevention
        • Aligned Incentives
        • Tokenomics Resources
      • Jump in to Shannon Today
  • Developers
    • Access RPC
    • Use a Gateway
      • Nodies
      • Grove
    • Use a Public Endpoint
  • Node Operators
    • Operate a Node
    • Manual Node Setup Guide
      • Part 1 - Server Setup
      • Part 2 - Software Installation
      • Part 3 - Pocket Configuration
      • Part 4 - Proxy Configuration
      • Part 5 - Going Live
  • Gateways
    • Host a Gateway
      • Gateway Server
      • Quick Onboarding Guide
      • Node Selection
      • API Endpoints
      • Relay Process
  • Community
    • DAO (OS)
    • Start Contributing
      • Bounties
      • Quick Grants
      • RFPs
      • Maintainers
      • How to Use Karma GAP
    • Governance
      • Earn Your Vote
      • Node Runners
      • App Developers
      • Community Shepherds
      • Contributors
      • CREDS - Governance Upgrade
        • Privacy & anonymity
        • Onboarding New Voters
        • Migration of Existing Voters
        • System Flow Design
    • Retro POKT Goods Funding
      • Timeline
      • Eligibility Criteria
      • Rules of Conduct
      • Voters & Voting
      • Voting Rubric
      • Support & FAQ
      • What is Retro POKT Goods funding Round 1?
    • Community Calls + Events
    • POKT Events Playbook
      • Hosting Your Event
        • Event Type
          • Small Events
          • Mid-sized Events
          • Large Events
      • Event Agenda
      • Speaker
      • Venue
      • Applying for Funding
      • Your Responsibilities as a Host
      • Resources
        • Email Templates
        • Social Media Templates
        • Survey Questions Template
  • Reference
    • Supported Chains
    • API Definition
Powered by GitBook
On this page
  • SSL Setup
  • Configure Nginx
  • Enable UFW
  1. Node Operators
  2. Manual Node Setup Guide

Part 4 - Proxy Configuration

PreviousPart 3 - Pocket ConfigurationNextPart 5 - Going Live

Last updated 1 year ago

SSL Setup

Pocket requires that nodes have an SSL () certificate for secure communications. SSL is a layer of security that sits on top of TCP/IP (). It’s used to encrypt the data sent between a client and a server. To use SSL, you need to have a certificate and a key. Thankfully, getting an SSL certificate and key is straightforward and free.

To get a certificate, we’ll be using, which is a service that issues SSL certificates for free. We’ll also be using software called to register, install, and renew the certificate.

Registering an SSL certificate

We installed certbot in a previous step; now we’ll use it to request a certificate.

To get a certificate, we’ll need to use the certbot command with the following options:

  • --register-unsafely-without-email: This option is required to get a certificate without an email address.

  • --agree-tos: This option is required to agree to the Let’s Encrypt Terms of Service.

  • --nginx: This option is required to use the Nginx plugin.

  • --no-redirect: This option is required to disable the redirect to the Let’s Encrypt website.

  • --domain: This option is required to specify the domain name.

Here’s an example of how to request a certificate. Just replace $HOSTNAME with the DNS name of your node:

CommandResponse

sudo certbot --nginx --domain $HOSTNAME --register-unsafely-without-email --no-redirect --agree-tos

The output from this command should confirm that the certificate was successfully registered.

Testing your certificate

To be sure, you’ll want to test that the certificate is working.

The command that certbot provides to test the auto-renewal of the certificate also confirms that the certificate is working. You can run it using the following command:

CommandResponse

sudo certbot renew --dry-run

The resulting output should confirm that the certificate is working.

Configure Nginx

Nginx is a web server. We installed it in a previous step but now we need to reconfigure it.

Nginx uses config files to define servers and routes for incoming requests. For Pocket nodes, Nginx needs to relay public requests to a local HTTP server that Pocket Core is running. This is referred to as the proxy. We’ll also need to proxy requests made by the Pocket CLI. For example, when we run the command pocket query height, the CLI makes an HTTP request to the node’s local HTTP server.

Config files

The Nginx configuration files we’re interested in are located in the /etc/nginx/sites-available/ directory. In that directory there's a default configuration file named "default." This is the configuration that comes with the Nginx install, but we’ll be creating our own for our node.

To configure Nginx:

  1. Confirm the name of your SSL certificate:

    sudo ls /etc/letsencrypt/live/
  2. Create a new config file with nano:

    sudo nano /etc/nginx/sites-available/pocket
  3. Add the following code, making sure to change the hostname values (pokt001.pokt.run) to your node’s DNS hostname in the three places found below:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
    
        root /var/www/html;
    
        index index.html index.htm index.nginx-debian.html;
    
        server_name _;
    
        location / {
            try_files $uri $uri/ =404;
        }
    }
    
    server {
        add_header Access-Control-Allow-Origin "*";
        listen 80 ;
        listen [::]:80 ;
        listen 8081 ssl;
        listen [::]:8081 ssl;
    
        root /var/www/html;
    
        index index.html index.htm index.nginx-debian.html;
    
        server_name pokt001.pokt.run;
    
        location / {
            try_files $uri $uri/ =404;
        }
    
        listen [::]:443 ssl ipv6only=on;
        listen 443 ssl;
    
        ssl_certificate /etc/letsencrypt/live/pokt001.pokt.run/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pokt001.pokt.run/privkey.pem;
    
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
        access_log /var/log/nginx/reverse-access.log;
        error_log /var/log/nginx/reverse-error.log;
    
        location ~* ^/v1/client/(dispatch|relay|challenge|sim) {
            proxy_pass http://127.0.0.1:8082;
            add_header Access-Control-Allow-Methods "POST, OPTIONS";
            allow all;
        }
    
        location = /v1 {
            add_header Access-Control-Allow-Methods "GET";
            proxy_pass http://127.0.0.1:8082;
            allow all;
        }
    }
  4. Save the change with Ctrl+O.

  5. Exit nano with Ctrl+X.

  6. Stop Nginx with:

    sudo systemctl stop nginx
  7. Disable the default configuration:

    sudo rm /etc/nginx/sites-enabled/default
  8. Enable our new configuration:

    sudo ln -s /etc/nginx/sites-available/pocket /etc/nginx/sites-enabled/pocket
  9. Start Nginx:

    sudo systemctl start nginx

Enable UFW

Ports you need to open

To run a Pocket node, you’ll need to open the following ports on the server:

  • 22: SSH

  • 80: HTTP

  • 443: HTTPS

  • 8081: For the Pocket HTTP API

  • 26656: For the Pocket RPC API

Use UFW to disable unnecessary ports

To use UFW to configure the firewall:

  1. Enable UFW. When prompted, press y to confirm:

    sudo ufw enable
  2. Set the default to deny all incoming connections:

    sudo ufw default deny
  3. Allow the SSH port:

    sudo ufw allow ssh
  4. Allow port 80:

    sudo ufw allow 80
  5. Allow port 443:

    sudo ufw allow 443
  6. Allow port 8081:

    sudo ufw allow 8081
  7. Allow port 26656:

    sudo ufw allow 26656

That’s it for the UFW setup. To confirm that only the necessary ports are open, run the following command:

sudo ufw status

Now you're ready to proceed to the final steps.

We’re almost done, but before we finish we’ll make our server more secure by setting firewall rules to limit network exposure. The (UFW) is a security tool that makes configuring the firewall simple. We’ll use it to disable unnecessary ports.

Secure Sockets Layer
Internet Protocol Suite
Let’s Encrypt
certbot
Uncomplicated Firewall