Part 4 - Proxy Configuration

SSL Setup

Pocket requires that nodes have an SSL (Secure Sockets Layer) certificate for secure communications. SSL is a layer of security that sits on top of TCP/IP (Internet Protocol Suite). It’s used to encrypt the data sent between a client and a server. To use SSL, you need to have a certificate and a key. Thankfully, getting an SSL certificate and key is straightforward and free.

To get a certificate, we’ll be using Let’s Encrypt, which is a service that issues SSL certificates for free. We’ll also be using software called certbot to register, install, and renew the certificate.

Registering an SSL certificate

We installed certbot in a previous step; now we’ll use it to request a certificate.

To get a certificate, we’ll need to use the certbot command with the following options:

--register-unsafely-without-email: This option is required to get a certificate without an email address.
--agree-tos: This option is required to agree to the Let’s Encrypt Terms of Service.
--nginx: This option is required to use the Nginx plugin.
--no-redirect: This option is required to disable the redirect to the Let’s Encrypt website.
--domain: This option is required to specify the domain name.

Here’s an example of how to request a certificate. Just replace $HOSTNAME with the DNS name of your node:

CommandResponse

sudo certbot --nginx --domain $HOSTNAME --register-unsafely-without-email --no-redirect --agree-tos

The output from this command should confirm that the certificate was successfully registered.

Testing your certificate

To be sure, you’ll want to test that the certificate is working.

The command that certbot provides to test the auto-renewal of the certificate also confirms that the certificate is working. You can run it using the following command:

CommandResponse

sudo certbot renew --dry-run

The resulting output should confirm that the certificate is working.

Configure Nginx

Nginx is a web server. We installed it in a previous step but now we need to reconfigure it.

Nginx uses config files to define servers and routes for incoming requests. For Pocket nodes, Nginx needs to relay public requests to a local HTTP server that Pocket Core is running. This is referred to as the proxy. We’ll also need to proxy requests made by the Pocket CLI. For example, when we run the command pocket query height, the CLI makes an HTTP request to the node’s local HTTP server.

Config files

The Nginx configuration files we’re interested in are located in the /etc/nginx/sites-available/ directory. In that directory there's a default configuration file named "default." This is the configuration that comes with the Nginx install, but we’ll be creating our own for our node.

To configure Nginx:

Confirm the name of your SSL certificate:
```
sudo ls /etc/letsencrypt/live/
```

Create a new config file with nano:

sudo nano /etc/nginx/sites-available/pocket

Add the following code, making sure to change the hostname values (pokt001.pokt.run) to your node’s DNS hostname in the three places found below:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    add_header Access-Control-Allow-Origin "*";
    listen 80 ;
    listen [::]:80 ;
    listen 8081 ssl;
    listen [::]:8081 ssl;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name pokt001.pokt.run;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/pokt001.pokt.run/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pokt001.pokt.run/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;

    location ~* ^/v1/client/(dispatch|relay|challenge|sim) {
        proxy_pass http://127.0.0.1:8082;
        add_header Access-Control-Allow-Methods "POST, OPTIONS";
        allow all;
    }

    location = /v1 {
        add_header Access-Control-Allow-Methods "GET";
        proxy_pass http://127.0.0.1:8082;
        allow all;
    }
}

Save the change with Ctrl+O.
Exit nano with Ctrl+X.
Stop Nginx with:
```
sudo systemctl stop nginx
```

Disable the default configuration:

sudo rm /etc/nginx/sites-enabled/default

Enable our new configuration:

sudo ln -s /etc/nginx/sites-available/pocket /etc/nginx/sites-enabled/pocket

Start Nginx:
```
sudo systemctl start nginx
```

Enable UFW

We’re almost done, but before we finish we’ll make our server more secure by setting firewall rules to limit network exposure. The Uncomplicated Firewall (UFW) is a security tool that makes configuring the firewall simple. We’ll use it to disable unnecessary ports.

Ports you need to open

To run a Pocket node, you’ll need to open the following ports on the server:

22: SSH
80: HTTP
443: HTTPS
8081: For the Pocket HTTP API
26656: For the Pocket RPC API

Use UFW to disable unnecessary ports

To use UFW to configure the firewall:

Enable UFW. When prompted, press y to confirm:
```
sudo ufw enable
```
Set the default to deny all incoming connections:
```
sudo ufw default deny
```
Allow the SSH port:
```
sudo ufw allow ssh
```
Allow port 80:
```
sudo ufw allow 80
```
Allow port 443:
```
sudo ufw allow 443
```
Allow port 8081:
```
sudo ufw allow 8081
```
Allow port 26656:
```
sudo ufw allow 26656
```

That’s it for the UFW setup. To confirm that only the necessary ports are open, run the following command:

sudo ufw status

Now you're ready to proceed to the final steps.

PreviousPart 3 - Pocket Configuration NextPart 5 - Going Live

Last updated 7 months ago