Xinfin XDC custom Docker node installation with nginx & lets encrypt TLS certificate.
This script will take the standard XDC Docker node install and supplement it with the necessary configuration to provide a TLS secured RPC/WSS endpoint using Nginx.
Note: If you have an existing node deployed using the standard Docker installation method from XinFinOrg then you must run the script under the same account which you originally installed your node.
- Install options for Mainnet & Testnet
- Supports the use of custom variables using the
xf_node.varsfile - Detects if existing Docker installation & modifies to support Nginx.
- Detects UFW firewall & applies necessary firewall updates.
- Installs & configures Nginx
- Currently only supports multi-domain deployment with one A record & two CNAME records (requires operator has control over the domain)
- Automatically detects the ssh session source IP & adds to the config as a permitted source
- Applies NIST security best practices
- Add '0x' prefix support
- Add cron job for lets-encrypt auto renewal
- Add support for docker upgrades e.g. stashing customisations & re-applying
- Add support for single domain with sub-folder for RPC & WSS
- Add support for multiple nginx permitted IPv4 source addresses via the
xf_node.varsfile - Add IPv6 support for source address permit lists
- Improve error detection & handling within the script
- Add backup features to save out customisations
- Add backup of Staked Apothem node e.g. wallet keystore etc.
To download the script(s) to your local node & install, read over the following sections and when ready simply copy and paste the code snippets to your terminal window.
cd ~/
git clone https://github.com/inv4fee2020/xf_node.git
cd xf_node
chmod +x *.sh
The vars file allows you to manually update the following variables which help to avoid interactive prompts during the install;
USER_DOMAINS- note the order in which the A & CNAME records must be entered.CERT_EMAIL- email address for certificate renewals etc.
The file also controls some of the packages that are installed on the node. More features will be added over time.
Simply clone down the repo and update the file using your preferred editor such as nano;
nano ~/xf_node/xf_node.vars
The following example will install a testnet node
./setup.sh testnet
Usage: ./setup.sh {function} example: ./setup.sh testnet where {function} is one of the following; mainnet == deploys the full Mainnet node with Nginx & Let's Encrypt TLS certificate testnet == deploys the full Apothem node with Nginx & Let's Encrypt TLS certificate logrotate == implements the logrotate config for chain log file(s)"
It is assumed that the node is being deployed to a dedicated host with no other nginx configuration. The node specfic config is contained in the NGX_CONF_NEW variable which is a file named xinfin.
As part of the installation, the script adds the ssh session source IPv4 address as a permitted source for accessing reverse proxied services. Operators should update this as necessary with additional source IPv4 addresses as required.
tbc
In order to add/remove source IPv4 addresses from the permit list within the nginx config, you simple access the file with your preferred editor e.g. vim or nano etc. Each of the server blocks must be updated to reflect your desired access control policy.
Open the file with the 'nano' editor;
sudo nano /etc/nginx/sites-available/xinfin
Move the cursor to the server blocks, similar to the following;
location / {
try_files / =404;
allow 198.51.100.102; # Allow the source IP of the SSH session
allow 198.51.100.171; # Mgmt VPS station
deny all;
proxy_pass http://172.19.0.2:8556;
ADD : Simply add a new line after the last allow (& above the deny all) being sure to enter a valid IPv4 address and end with a semi-colon ';'
REMOVE : Simple delete the entire line.
Save the file and exit the editor.
For the changes to take effect, you will need to restart the nginx service as follows;
sudo systemctl restart nginx
The following are examples of tests that have been used successfully to validate correct operation;
Copy the following command and update with the your RPC domain that you entered at run time or in the vars file.
curl -H "Content-Type: application/json" --data "{\"jsonrpc\":\"2.0\",\"method\":\"net_version\",\"params\":[],\"id\":67}" https://rpc.mydomain.com/
This should return an output similar to the following;
{"jsonrpc":"2.0","id":67,"result":"51"}
The 'net_version' result is the chain id for the node e.g. mainnet or testnet, depending on your chosen option.
Copy the following command and update with the your WSS domain that you entered at run time or in the vars file.
wscat -c wss://wss.mydomain.com
This should open another session within your terminal, similar to the below;
Connected (press CTRL+C to quit)
>
..where you can then enter the following test string;
{"jsonrpc": "2.0", "id": 0, "method": "eth_gasPrice"}
This should then return a value similar to the following;
Connected (press CTRL+C to quit)
> {"jsonrpc": "2.0", "id": 0, "method": "eth_gasPrice"}
< {"jsonrpc":"2.0","id":0,"result":"0x2e90edd00"}
>
To apply repo updates to your local clone, be sure to stash any modifications you may have made to the xf_node.vars file & take a manual backup also.
cd ~/xf_node
git stash
cp xf_node.vars ~/xf_node_$(date +'%Y%m%d%H%M%S').vars
git pull
git stash apply
A special thanks & shout out to the following community members for their input & testing;
- @realgo140point6
- @s4njk4n
- @samsam
Please provide feedback on any issues encountered or indeed functionality by utilising the relevant Github issues & xdc.dev comments section and I will endeavour to update/integrate where possible.