Part 4 - Proxy Configuration
Last updated
Last updated
Pocket requires that nodes have an SSL () certificate for secure communications. SSL is a layer of security that sits on top of TCP/IP (). It’s used to encrypt the data sent between a client and a server. To use SSL, you need to have a certificate and a key. Thankfully, getting an SSL certificate and key is straightforward and free.
To get a certificate, we’ll be using, which is a service that issues SSL certificates for free. We’ll also be using software called to register, install, and renew the certificate.
We installed certbot in a previous step; now we’ll use it to request a certificate.
To get a certificate, we’ll need to use the certbot command with the following options:
--register-unsafely-without-email: This option is required to get a certificate without an email address.
--agree-tos: This option is required to agree to the Let’s Encrypt Terms of Service.
--nginx: This option is required to use the Nginx plugin.
--no-redirect: This option is required to disable the redirect to the Let’s Encrypt website.
--domain: This option is required to specify the domain name.
Here’s an example of how to request a certificate. Just replace $HOSTNAME with the DNS name of your node:
CommandResponse
The output from this command should confirm that the certificate was successfully registered.
To be sure, you’ll want to test that the certificate is working.
The command that certbot provides to test the auto-renewal of the certificate also confirms that the certificate is working. You can run it using the following command:
CommandResponse
The resulting output should confirm that the certificate is working.
Nginx is a web server. We installed it in a previous step but now we need to reconfigure it.
Nginx uses config files to define servers and routes for incoming requests. For Pocket nodes, Nginx needs to relay public requests to a local HTTP server that Pocket Core is running. This is referred to as the proxy. We’ll also need to proxy requests made by the Pocket CLI. For example, when we run the command pocket query height, the CLI makes an HTTP request to the node’s local HTTP server.
Config files
The Nginx configuration files we’re interested in are located in the /etc/nginx/sites-available/ directory. In that directory there's a default configuration file named "default." This is the configuration that comes with the Nginx install, but we’ll be creating our own for our node.
To configure Nginx:
Confirm the name of your SSL certificate:
Create a new config file with nano:
Add the following code, making sure to change the hostname values (pokt001.pokt.run) to your node’s DNS hostname in the three places found below:
Save the change with Ctrl+O.
Exit nano with Ctrl+X.
Stop Nginx with:
Disable the default configuration:
Enable our new configuration:
Start Nginx:
Ports you need to open
To run a Pocket node, you’ll need to open the following ports on the server:
22: SSH
80: HTTP
443: HTTPS
8081: For the Pocket HTTP API
26656: For the Pocket RPC API
To use UFW to configure the firewall:
Enable UFW. When prompted, press y to confirm:
Set the default to deny all incoming connections:
Allow the SSH port:
Allow port 80:
Allow port 443:
Allow port 8081:
Allow port 26656:
That’s it for the UFW setup. To confirm that only the necessary ports are open, run the following command:
Now you're ready to proceed to the final steps.
We’re almost done, but before we finish we’ll make our server more secure by setting firewall rules to limit network exposure. The (UFW) is a security tool that makes configuring the firewall simple. We’ll use it to disable unnecessary ports.