To help projects host their own private nodes securely, the following script was created to cut the time needed to manually configure a secure RPC node.
Its nginx reverse proxy configuration lets a project restrict access to the node to the source IPv4 addresses of its own environments, while also applying NIST security best practices to further protect the node.
Current functionality
- Install options for Mainnet & Testnet
- Supports the use of custom variables via the xf_node.vars file
- Detects an existing Docker installation & modifies it to support Nginx
- Detects the UFW firewall & applies the necessary firewall updates
- Installs & configures Nginx
- Currently only supports multi-domain deployment with one A record & two CNAME records (requires that the operator controls the domain)
- Automatically detects the SSH session's source IP & adds it to the config as a permitted source
- Applies NIST security best practices
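As an added illustration, not part of the original post or of the xf_node script itself, the POSIX shell snippet below shows how the SSH source detection and the nginx permit list fit together: it takes the client address from the SSH_CONNECTION variable that sshd exports into every session, validates each permitted IPv4 source (plain address or CIDR, the forms nginx's allow directive accepts), and renders the allow/deny block for the proxied RPC location. The upstream address 127.0.0.1:8545, the `location /` path and the sample session addresses are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the xf_node script's own code. It derives the SSH session's
# source IPv4 from SSH_CONNECTION, validates every permitted source, and renders
# the nginx allow/deny block that fronts the RPC location. The upstream address
# and the location path are assumptions for illustration.

# Print the client address from an SSH_CONNECTION string, whose format is
# "client_ip client_port server_ip server_port". Uses the argument if given,
# otherwise the current session's $SSH_CONNECTION.
ssh_source_ip() {
    set -- ${1:-$SSH_CONNECTION}
    printf '%s\n' "$1"
}

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-/32
# prefix length; anything else (hostnames, IPv6, shell metacharacters) is
# rejected so it can never be interpolated into the nginx config.
is_ipv4_source() {
    cand="$1"
    case "$cand" in
        */*)
            ip="${cand%%/*}"; prefix="${cand#*/}"
            case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1 ;;
        *)  ip="$cand" ;;
    esac
    # Only digits and dots, no leading/trailing dot, no empty octet.
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Render the nginx access-control lines for the RPC location: one "allow" per
# permitted source, then "deny all". A malformed source is an error rather than
# something silently dropped, so a typo cannot leave the endpoint open.
render_allow_list() {
    for src in "$@"; do
        is_ipv4_source "$src" || { printf 'invalid IPv4 source: %s\n' "$src" >&2; return 1; }
    done
    for src in "$@"; do
        printf '    allow %s;\n' "$src"
    done
    printf '    deny all;\n'
}

# Render a complete location block for the RPC endpoint. $1 is the upstream
# (assumed here to be the node's local RPC port); the rest are permitted sources.
render_rpc_location() {
    upstream="$1"; shift
    acl=$(render_allow_list "$@") || return 1
    printf 'location / {\n%s\n    proxy_pass %s;\n}\n' "$acl" "$upstream"
}

# Constructed sample session (TEST-NET addresses), standing in for the real
# $SSH_CONNECTION of an operator's session.
SAMPLE_SSH_CONNECTION="203.0.113.7 51234 198.51.100.2 22"
operator_ip=$(ssh_source_ip "$SAMPLE_SSH_CONNECTION")
render_rpc_location http://127.0.0.1:8545 "$operator_ip" 198.51.100.0/24
```

Two caveats apply to the detected address. SSH_CONNECTION holds the address sshd saw, so an operator who connects through a bastion host or a NAT gateway will permit that gateway's public address rather than their own workstation. And nginx evaluates allow/deny directives in order, so the closing `deny all` must stay last; if the node is also exposed over WSS, the same block has to be repeated in that location as well.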
Planned functionality
- Add '0x' prefix support
- Add a cron job for Let's Encrypt auto-renewal
- Add support for Docker upgrades, e.g. stashing customisations & re-applying them
- Add support for a single domain with sub-folders for RPC & WSS
- Add support for multiple nginx permitted IPv4 source addresses via the xf_node.vars file
- Add IPv6 support for source address permit lists
- Improve error detection & handling within the script
- Add backup features to save out customisations
- Add backup of a staked Apothem node, e.g. wallet keystore etc.
Discussion (1)
Great job @inv4fee2020 as usual.