
Set up a reverse proxy for TLS

Enabling TLS (Transport Layer Security) is essential for securing all nodes within the network. This can be achieved by setting up a reverse proxy in front of Postchain, such as Nginx. Below, you will find a sample configuration file to establish a reverse proxy for Postchain. Remember to replace placeholders with your actual public IP address and ensure that you obtain a TLS certificate signed by a trusted certificate authority like Let’s Encrypt.

Prerequisite

  • Ensure Nginx is installed on your server. If it's not installed yet, you can follow the Nginx Admin Guide for installation instructions.
  • Automatic certificate renewal: Set up auto-renewal for your TLS certificate to ensure continued security without manual intervention.
  • Rate limiting: Implement a rate limit that suits your operational needs. Chromia nodes typically operate with a limit of 500 requests per IP per second.

Configure the Nginx server block

Nginx uses server blocks to define settings for individual sites. You'll need to create a new server block configuration file for the Postchain reverse proxy. Here is a basic Nginx configuration that you can adapt for your Postchain deployment:

server {
    listen 7740 ssl;
    listen [::]:7740 ssl;

    server_name <hostname of server>; # replace <hostname of server>

    # "logger-json" must be a log_format defined in the http context (for example in nginx.conf);
    # use the built-in "combined" format if you have not defined one, otherwise Nginx refuses to start
    access_log /var/log/nginx/postchain.access.log logger-json;
    error_log /var/log/nginx/postchain.error.log warn;

    ssl_certificate /etc/letsencrypt/live/[...]/fullchain.pem; # replace [...]
    ssl_certificate_key /etc/letsencrypt/live/[...]/privkey.pem; # replace [...]

    client_max_body_size 50M;

    location / {
        # 7741 is the port Docker publishes from the Postchain container on the host's loopback interface
        proxy_pass http://127.0.0.1:7741/;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        # set the header from the TCP peer address ($remote_addr), replacing any value the client supplied
        proxy_set_header x-forwarded-for $remote_addr;
        proxy_cache off;
    }
}
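The prerequisites call for a per-client rate limit, and the page quotes 500 requests per IP per second as the usual figure for Chromia nodes. The following is an added example, not Chromia's or the Postchain project's own configuration, showing how that limit is applied to the server block above with Nginx's limit_req module. The zone name postchain_rl, the zone size, the burst value and the 429 status are assumptions; the placeholders are the same ones used in the configuration above.

```nginx
# Added example: per-client rate limiting for the Postchain reverse proxy.
# The 500 r/s figure is the one quoted on this page; zone name, size, burst
# and status code are assumptions to adapt to your deployment.

# --- http context (e.g. /etc/nginx/nginx.conf or a file under conf.d/) ---
# $binary_remote_addr is the TCP peer address, so a client cannot evade the
# limit by supplying its own X-Forwarded-For header.
limit_req_zone $binary_remote_addr zone=postchain_rl:10m rate=500r/s;
limit_req_status 429;       # tell throttled clients they were rate limited, not that the backend failed
limit_req_log_level warn;   # rejected requests show up in the error log at "warn"

server {
    listen 7740 ssl;
    listen [::]:7740 ssl;

    server_name <hostname of server>; # replace <hostname of server>

    ssl_certificate /etc/letsencrypt/live/[...]/fullchain.pem; # replace [...]
    ssl_certificate_key /etc/letsencrypt/live/[...]/privkey.pem; # replace [...]

    location / {
        # Allow a short burst above 500 r/s to be served immediately (nodelay);
        # requests beyond the burst are rejected with 429 instead of queued.
        limit_req zone=postchain_rl burst=100 nodelay;

        proxy_pass http://127.0.0.1:7741/;
        proxy_set_header x-forwarded-for $remote_addr;
    }
}
```

The limit_req_zone directive is only valid in the http context, so it cannot live inside the server block file itself; limit_req, limit_req_status and limit_req_log_level may be set at http, server or location level. Keying the zone on $binary_remote_addr rather than a forwarded header matters when the proxy is the first hop that terminates the client connection, as it is here.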

In the above configuration file:

Property and description:

  • Listen on port 80: In the first server block, Nginx listens on port 80, which is the default HTTP port. Replace <your public IP address> with your server's public IP.
  • server_name: The domain name that will be used to access the reverse proxy. Replace <your domain name> with your actual domain name.
  • Listen on port 7740 with SSL: The second server block listens on port 7740 with SSL enabled. This is where TLS encryption is enforced. Again, replace <your public IP address> and <your domain name> with your server's IP and domain name.
  • SSL certificate configuration: To secure your reverse proxy, you use SSL certificates. Obtain a trusted TLS certificate from a Certificate Authority (CA) such as Let's Encrypt, then configure Nginx to use it by specifying the paths to your certificate and key files. Replace <your domain name> with the domain name the certificate was issued for.
  • proxy_pass: Tells Nginx to forward incoming requests to the specified backend server.
  • proxy_buffer_size: Sets the size of the buffer Nginx uses to temporarily store the first part of the response received from the backend server before delivering it to the client. Here it is set to 128 kilobytes (KB).
  • proxy_buffers: Determines the number and size of the memory buffers Nginx uses to store data. Here it allocates four buffers of 256 kilobytes (KB) each. These buffers hold parts of the backend response before they are sent to the client. Adjusting these values can help optimize memory usage and response handling.
  • proxy_busy_buffers_size: Specifies the maximum total size of buffers that can be busy sending a response to the client while the rest of the response is still being read from the backend. Here it is set to 256 kilobytes (KB). This lets Nginx start sending data to the client before the whole response is buffered, which helps prevent excessive buffering and delays in response delivery.
  • proxy_set_header: Sets the "x-forwarded-for" HTTP header in the request sent to the backend server to the IP address of the connecting client (the remote address, available through the $remote_addr variable), replacing any value the client supplied. This passes the original client's IP address to the backend, which is useful for logging or load balancing when Nginx acts as a reverse proxy.

Verify

To ensure your ports are correctly configured and that you can access your node externally, use the following commands:

telnet <your host> 9870
curl https://<your host>:7740/version
curl https://<your host>:7750/_debug

Running these commands will confirm whether your node is accessible from outside and that TLS is functioning properly. Adjust your configurations as necessary based on the responses you receive.

Restart Nginx

After configuring the file, test the configuration for syntax errors (nginx -t) and then reload or restart Nginx to apply the changes; Nginx will not pick up the new server block until it is reloaded.