Set up WSS and HTTP Endpoint for Remote Connections
To make the node reachable for remote RPC API connections from anywhere on the Internet, you need to put a proxy in front of its websocket connection. The steps below set this up on a remote server.
Note: this should only be done for sync nodes. Never open websockets to your validator node: there is no reason to do so, and it can only lead to security gaffes.
In this guide we'll be using Ubuntu 18.04 hosted on a $10 DigitalOcean droplet. We'll assume you're using a similar OS, and that you have nginx installed (if not, run sudo apt-get install nginx).
The node's default websocket connection is port 9944 on localhost. Create a new server on your provider of choice, or run one locally at home (preferred).
Follow these tips to either build the Node or download the latest release, set up keys and get it running. Make sure it is up to date with the network before getting round to the next steps.
```bash
./target/release/poscan-consensus \
--base-path ~/3dp-chain/ \
--chain mainnetSpecRaw.json \
--name "DigitalOcean 10 USD droplet ftw" \
--validator \
--telemetry-url "wss://submit.3dpass.network/submit 0" \
--author <your mining pub key> \
--threads 2 \
--no-mdns \
--unsafe-ws-external \
--unsafe-rpc-external \
--rpc-cors all \
--ws-port 9944 \
--rpc-port 9934
```

RPC provider parameters:

- `--rpc-cors all`: the `--rpc-cors` mode needs to be set to `all`, so that all external connections are allowed.
- `--ws-port 9944`: WS/WSS internal port, so the provider is available at `ws://localhost:9944` (the Nginx block below proxies to this port).
- `--rpc-port 9934`: HTTP/HTTPS internal port, so that the provider is available at `http://localhost:9934`.
The next required steps are:

- A. Setting up SSL for secure connections;
- B. Setting up Nginx to redirect external connections to either `wss://localhost:9944` or `https://localhost:9934`.

For example, with the server IPv4 address 82.196.8.192:

- WSS RPC API endpoint: `wss://82.196.8.192` -> `wss://localhost:9944`
- HTTPS RPC API endpoint: `https://82.196.8.192` -> `https://localhost:9944`
WSS (secure websocket) requires an SSL certificate, and there are two possible approaches to obtaining one.
The first approach is getting a dedicated domain, redirecting its nameservers to your IP address, setting up an Nginx server for that domain, and finally following LetsEncrypt instructions for Nginx setup.
This will auto-generate an SSL certificate and include it in your Nginx configuration. This will let you connect your UI to a URL like mynode.mydomain.com rather than 82.196.8.192, which is arguably more user friendly.
This is simple to do on cloud hosting providers or if you have a static IP, but harder to pull off when running things from your home server.
The second approach, and the one we'll follow here, is generating a self-signed certificate and relying on the raw IP address of your node when connecting to it.

Generate a self-signed certificate and Diffie-Hellman parameters:

```bash
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```

Now it's time to tell Nginx to use these certificates. The server block below is all you need, but keep in mind that you need to replace some placeholder values. Notably:
- `SERVER_ADDRESS` should be replaced by your domain name if you have one, or your server's IP address if not.
- `CERT_LOCATION` should be `/etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem` if you used Certbot, or `/etc/ssl/certs/nginx-selfsigned.crt` if self-signed.
- `CERT_LOCATION_KEY` should be `/etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem` if you used Certbot, or `/etc/ssl/private/nginx-selfsigned.key` if self-signed.
- `CERT_DHPARAM` should be `/etc/letsencrypt/ssl-dhparams.pem` if you used Certbot, or `/etc/ssl/certs/dhparam.pem` if self-signed.

Note that if you used Certbot, it should have made the path insertions below for you if you followed the official instructions.
```nginx
server {
    server_name SERVER_ADDRESS;
    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
        proxy_buffering off;
        proxy_pass http://localhost:9944;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate CERT_LOCATION;
    ssl_certificate_key CERT_LOCATION_KEY;
    ssl_session_cache shared:cache_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ssl_dhparam CERT_DHPARAM;
}
```

Restart nginx after setting this up: `sudo service nginx restart`.
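As an added example (not the 3dpass project's own configuration), here is a hardened variant of the server block above that also exposes the HTTP RPC port this page mentions. It routes on the `Upgrade` header, so a WebSocket handshake reaches `--ws-port 9944` and a plain JSON-RPC POST reaches `--rpc-port 9934`, it disables TLSv1 and TLSv1.1, and it proxies only the RPC root instead of serving a static web root next to the node. The `map` names `$rpc_backend` and `$connection_upgrade`, the `proxy_read_timeout` value and the trimmed cipher list are assumptions of this example; the certificate paths are the self-signed ones from this page.

```nginx
# Added example, not the project's own config. Place it in a file included
# from the http {} context (e.g. under /etc/nginx/sites-available/), since
# map blocks are only valid there.

# Pick the backend from the Upgrade header: a WebSocket handshake goes to the
# node's WS port, everything else to its HTTP RPC port.
map $http_upgrade $rpc_backend {
    default   http://127.0.0.1:9934;   # --rpc-port from this page
    websocket http://127.0.0.1:9944;   # --ws-port from this page
}

# Only send "Connection: upgrade" when the client actually asked for an
# upgrade; for ordinary requests pass an empty value instead of a stale header.
map $http_upgrade $connection_upgrade {
    default   "";
    websocket upgrade;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name SERVER_ADDRESS;   # your IP or domain, as described above

    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    # TLS 1.2+ only: TLSv1 and TLSv1.1 are deprecated, and current wallets
    # and browsers do not need them. AEAD ciphers with forward secrecy only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_session_cache shared:cache_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    # The node only speaks JSON-RPC at "/": no static root and no try_files,
    # so nothing else on the box is served by accident.
    location = / {
        proxy_pass $rpc_backend;
        proxy_http_version 1.1;
        proxy_buffering off;
        # Assumed value: keeps idle WSS subscriptions open for an hour.
        proxy_read_timeout 3600s;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      $connection_upgrade;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Anything that is not the RPC root gets a 404 instead of being proxied.
    location / {
        return 404;
    }
}
```

Use it in place of the block above, run `sudo nginx -t` before restarting, and keep the browser visit to `https://MY_IP` described next for accepting the self-signed certificate: the "Not private" interstitial is shown during the TLS handshake, before any backend answers, so it still works even though a plain browser GET now lands on the HTTP RPC port.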
If you used the self-signed certificate approach, modern browsers will not let you connect to this websocket endpoint without that certificate being imported: they will emit a `NET::ERR_CERT_AUTHORITY_INVALID` message.
Every websocket connection bootstraps itself with https first, so to allow the certificate, visit the IP of your machine in the browser prefixed with https, like so: `https://MY_IP`. This should produce a "Not private" warning, which you can skip by going to "Advanced" and then clicking on "Proceed to Site". You have now whitelisted this IP and its self-signed certificate for connecting.
WSS:

- Follow these instructions to connect the 3dpass wallet through your WSS provider: `wss://MY_IP` or `wss://MY_DOMAIN.COM`

HTTPS:

- Use these steps to connect Metamask over your HTTPS provider: `https://MY_IP` or `https://MY_DOMAIN.COM`