This guide assumes that you have already configured your hardware with the appropriate specs.
Because validators need to have publicly accessible IP addresses and ports to receive connections, adding a proxy may potentially reduce connectivity and result in lower era points or the inability to validate blocks. If using a proxy, it’s recommended to keep an eye out on networking metrics.
We will walk you through how to configure a reverse proxy using NGINX in front of your validator node. The validator uses the reverse proxy to filter traffic, whereby additional adjustments can be made to respond to a DDoS attack.
1. Firewall Configuration
We will configure the firewall with ufw. There needs to be three main ports for this setup.
- An SSH port, commonly ssh/tcp port 22.
- A proxy port
- p2p port: must be denied at the firewall level.
In this example, we will assign the port number 2435 to the proxy port and the port number 30333 to the p2p port. To enable the firewall and the use of the ports, allow SSH access.
YOU WILL NEED TO ALLOW FOR BOTH INBOUND AND OUTBOUND TRAFFIC ON THE P2P PORT
Since the proxy port is the public-facing port, this will need to have inbound and outbound traffic open, with the normal p2p port closed.
ufw enable
# ssh port
ufw allow 22/tcp
# proxy port
ufw allow 2435/tcp
# libp2p port
ufw deny 30333/tcp
# default port for HTTP
ufw deny 9933
# default port for WS
ufw deny 9944
ufw reload
# double check the firewall rules
ufw verbose
The verbose option shows some extra information about the firewall’s behavior.
2. Basic Log Viewing
We use journald logs for basic log viewing. Create a file called journald.conf file inside the /etc/systemd/ directory with the following content:
[Journal]
Storage=persistent
RateLimitIntervalSec=30s
RateLimitBurst=20000
SystemMaxUse=50G
SystemMaxFileSize=512M
SystemMaxFiles=100
Check out the example journald configuration file for more available options.
Finally, run the following command to restart the journald service:
systemctl restart systemd-journald
3. NGINX reverse proxy setup
First, install NGINX with the following command:
sudo apt-get install nginx
Next, create an NGINX configuration file called nginx.conf inside the /etc/nginx/ directory with the following content:
user www-data www-data;
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
stream {
include streams-enabled/*;
}
http {
include sites-enabled/*;
}
events{
}
This will import and make use of the NGINX stream module. In a nutshell, this module allows for continuous streaming of data in or out of the validator machine with all the benefits of having an optimized reverse proxy.
Next, create a folder called /streams-enabled/ inside the /etc/nginx/ directory and remove the default NGINX site.
# Create the streams-enabled folder
mkdir /etc/nginx/streams-enabled
# Delete the default configuration
/etc/nginx/sites-enabled/default
Now, inside the newly created directory /etc/nginx/streams-enabled/, create the proxy service file called polkadot-proxy.confwith the following content:
USE THE PREVIOUSLY DEFINED PORTS: PORT 2435 FOR THE PROXY PORT & PORT NUMBER 30333 FOR THE P2P PORT
server {
listen 0.0.0.0:2435;
location / {
proxy_pass http://localhost:30333;
}
}
Change the permissions of the file polkadot-proxy.conf accordingly:
chmod 0600 polkadot-proxy.conf
Finally, restart NGINX with the following command:
service nginx restart
4. Defining your proxy port and p2p port in the polkadot command
These are some of the flags you are going to use when executing the command.
- –public-addr <VALIDATOR_IP>, <PROXY_PORT> – This flag defines the validator’s IP and the proxy port that all other nodes in the network will connect to.
- –listen-addr <LOCALHOST>, <P2P_PORT> – This flag defines the p2p port that the polkadot application will use to connect to the NGINX reverse proxy.
P2P Networking
Nodes will use libp2p as the networking layer to establish peers and gossip messages, but uses NGINX as a load balancer which acts as a first listener of the streaming data to help balance the load.
public-addr
public-addr – a flexible encoding of multiple layers of protocols into a human-readable addressing scheme. In our example, /ip4/<VALIDATOR_IP>/tcp/<PROXY_PORT> is a valid public-addr that specifies wanting the network to reach the validator IPv4 address with TCP packets on the pre-defined proxy port.
- IP_ADDRESS – the public IP address of the validator.
- PROXY_PORT – the port that nodes will send p2p messages over the network and are read by the NGINX reverse proxy.
listen-addr
listen-addr – the specification of what port the Geode application will connect to the reverse proxy. In our example, /ip4/0.0.0.0/tcp/<P2P_PORT> specifies that you want to listen to NGINX on the localhost address (0.0.0.0, or all interfaces), with TCP packets on the pre-defined p2p port.
- P2P_PORT – the port that the polkadot application connects to NGINX.
Starting the validator with the NGINX proxy
After retrieving the appropriate IP_ADDRESS, PROXY_PORT and P2P_PORT of the validator node, we can start the validator.
Start your validator with the –validator flag:
# Validator Node
geode \
–name My_Validator_Name \
–validator \
–public-addr=/ip4/IP_ADDRESS/tcp/2435 \
–listen-addr=/ip4/0.0.0.0/tcp/30333 \
–rpc-methods=Unsafe \
–chain=geode
You should see your validator’s peers, as well as the p2p port you are using to connect to NGINX.
Congratulations! You have successfully set up a validator with NGINX and now have a more secure way of running your validator.