Set up a reverse proxy for TLS

Enabling TLS (Transport Layer Security) on all nodes is a crucial security measure to encrypt data transmission and protect it from potential eavesdropping or tampering. To achieve this, you can set up TLS by implementing a reverse proxy, such as Nginx, in front of your Postchain server.

Here's an example of configuring a reverse proxy with Nginx:

Prerequisite

Ensure Nginx is installed on your server. If it's not installed yet, you can follow the Nginx Admin Guide for installation instructions.

Configure the Nginx Server Block

Nginx uses server blocks to define settings for individual websites. You'll need to create a new server block configuration file tailored for the Postchain reverse proxy. Here's a sample Nginx configuration file with placeholders for your specific details:

server {
    # Plain HTTP on port 80: serves static files from /var/www/html only;
    # nothing in this block is proxied to Postchain.
    listen <your public IP address>:80;

    root /var/www/html;

    server_name <your domain name>;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    # TLS listener: clients connect here on port 7740 and Nginx terminates TLS.
    listen <your public IP address>:7740 ssl;

    server_name <your domain name>;

    # 'logger-json' is a custom log format; it must be declared with a log_format
    # directive in the http {} context (for example in nginx.conf), otherwise
    # nginx -t rejects the file. Use the built-in 'combined' format if you have none.
    access_log /var/log/nginx/postchain.access.log logger-json;
    error_log /var/log/nginx/postchain.error.log warn;

    # Certificate chain and private key issued for <your domain name>.
    ssl_certificate /etc/letsencrypt/live/<your domain name>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your domain name>/privkey.pem;

    client_max_body_size 50M;

    location / {
        # Forward decrypted requests to the Postchain node on the loopback address.
        proxy_pass http://127.0.0.1:7740/;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_set_header x-forwarded-for $remote_addr;
    }
}

In the above configuration file:

  • Listen on port 80: In the first server block, Nginx listens on port 80, which is the default HTTP port. Replace <your public IP address> with your server's public IP.
  • server_name is the domain name that will be used to access the reverse proxy. Replace <your domain name> with your actual domain name.
  • Listen on port 7740 with SSL: The second server block listens on port 7740 with SSL enabled. This is where TLS encryption is enforced. Again, replace <your public IP address> and <your domain name> with your server's IP and domain name.
  • SSL certificate configuration: The ssl_certificate and ssl_certificate_key directives point Nginx at the certificate chain and the private key. Obtain a trusted TLS certificate from a Certificate Authority (CA) such as Let's Encrypt, then replace <your domain name> with the domain the certificate was issued for so the paths match.
  • proxy_pass tells Nginx to forward the incoming requests to the specified backend server, here the Postchain node listening on http://127.0.0.1:7740.
  • proxy_buffer_size sets the buffer size that Nginx uses to temporarily store data received from the backend server before delivering it to the client. In this case, the buffer size is set to 128 kilobytes (KB).
  • proxy_buffers determines the number and size of the memory buffers Nginx uses to store data. In this case, it allocates four buffers, each with a size of 256 kilobytes (KB). These buffers are used to store parts of the response from the backend server before sending them to the client. Adjusting these values can help optimize memory usage and response handling.
  • proxy_busy_buffers_size specifies the maximum size of a busy buffer, which is a buffer that is currently being used to store data from the backend server. In this case, the busy buffer size is set to 256 kilobytes (KB). If the data size exceeds this limit, Nginx will start sending the data to the client, even if the buffer isn't full. This helps prevent excessive buffering and delays in response delivery.
  • proxy_set_header sets the "x-forwarded-for" HTTP header in the request sent to the backend server to the IP address of the client (taken from the $remote_addr variable). This passes the original client's IP address to the backend, which is useful when Nginx acts as a reverse proxy for load balancing or logging purposes. Note that with $remote_addr the header is set, not appended, so the backend sees the address of the peer that connected to Nginx, and it should trust this header only for requests that arrive through the proxy.

Restart Nginx

After configuring the file, test the configuration and restart Nginx to apply the configuration changes.