Xahau submission node installation with nginx & lets encrypt TLS certificate.
This script will take the standard Xahau node install (non-docker version) and supplement it with the necessary configuration to provide a TLS secured RPC/WSS endpoint using Nginx.
- Install options for Mainnet (Testnet if demand warrants)
- Supports the use of custom variables using the
xahl_node.varsfile - Detects UFW firewall & applies necessary firewall updates.
- Installs & configures Nginx
- Currently only supports multi-domain deployment with one A record & two CNAME records (requires operator has control over the domain)
- Automatically detects the ssh session source IP & adds to the config as a permitted source
- Applies NIST security best practices
To download the script(s) to your local node & install, read over the following sections and when ready simply copy and paste the code snippets to your terminal window.
cd ~/
git clone https://github.com/go140point6/xahl-node
cd xahl-node
chmod +x *.sh
The vars file allows you to manually update the following variables which help to avoid interactive prompts during the install;
USER_DOMAINS- note the order in which the A & CNAME records must be entered.CERT_EMAIL- email address for certificate renewals etc.
The file also controls some of the packages that are installed on the node. More features will be added over time.
Simply clone down the repo and update the file using your preferred editor such as nano;
nano ~/xahl-node/xahl_node.vars
The following example will install a mainnet node
./setup.sh mainnet
Usage: ./setup.sh {function} example: ./setup.sh mainnet where {function} is one of the following; mainnet == deploys the full Mainnet node with Nginx & Let's Encrypt TLS certificate
It is assumed that the node is being deployed to a dedicated host with no other nginx configuration. The node specific config is contained in the NGX_CONF_NEW variable which is a file named xahau.
As part of the installation, the script adds the ssh session source IPv4 address as a permitted source for accessing reverse proxied services. Operators should update this as necessary with additional source IPv4 addresses as required.
tbc
In order to add/remove source IPv4 addresses from the permit list within the nginx config, you simple access the file with your preferred editor e.g. vim or nano etc. Each of the server blocks must be updated to reflect your desired access control policy.
Open the file with the 'nano' editor;
sudo nano /etc/nginx/sites-available/xahau
Move the cursor to the server blocks, similar to the following;
location / {
try_files / =404;
allow 198.51.100.102; # Allow the source IP of the SSH session
allow 198.51.100.171; # Mgmt VPS station
deny all;
proxy_pass http://127.0.0.1;
ADD : Simply add a new line after the last allow (& above the deny all) being sure to enter a valid IPv4 address and end with a semi-colon ';'
REMOVE : Simple delete the entire line.
Save the file and exit the editor.
For the changes to take effect, you will need to restart the nginx service as follows;
sudo systemctl restart nginx
The following are examples of tests that have been used successfully to validate correct operation;
Copy the following command and update with the your WSS domain that you entered at run time or in the vars file.
wscat -c wss://wss.mydomain.com
This should open another session within your terminal, similar to the below;
Connected (press CTRL+C to quit)
>
To apply repo updates to your local clone, be sure to stash any modifications you may have made to the xahl_node.vars file & take a manual backup also.
cd ~/xahl-node
git stash
cp xahl_node.vars ~/xahl_node_$(date +'%Y%m%d%H%M%S').vars
git pull
git stash apply
This was all made possible by @inv4fee2020, this is 98% his work, I just copied pasta'd.
A special thanks & shout out to the following community members for their input & testing;
- @realgo140point6
- @s4njk4n
- @samsam
Please provide feedback on any issues encountered or indeed functionality by utilising the relevant Github issues..