How to setup HTTPs for your IOTA full-node

This tutorial is based on the tutorial written by Jort de Bokx. Some small tweaks have been made and it has been copied so it won’t be lost if the article disappears. Read the original tutorial here.
This is a step-by-step guide on how to make your node more secure by using the HTTPs protocol instead of the standard HTTP for your node.

Why would you want to do this?

When you are making a transaction using a light-wallet on your device, it will send the details of said transaction to the associated full node. By default this communication is done via HTTP, which is unencrypted.
If someone were to be sniffing around your network, they would be able to see the transactions that you are making. If you are using HTTPS, this data in encrypted and no one will know what you’re up to.

Approach

In order to encrypt the connection to your node, we need to obtain certificates, and handle https requests. As of writing this article, IRI has no built-in mechanism for handling https requests. So we will use the following tools to make it all work:

  • Nginx to run a reverse proxy, which acts as an intermediate layer between IRI and connecting clients
  • Letsencrypt for free and secure certificates

 

Prerequisites

In order to protect your wallet-node connection, you’ll need the following already setup:

  • A domain name. You can get these from various companies. One example here: https://www.namecheap.com/domains/domain-name-search.aspx
  • Your full-node, I’ll show you how to setup nginx assuming you run your iri api on port 14265

 

Step 0: Create an A Record or Nameserver for your domain

It depends on your IP settings how you need to configure your domain. There is 2 options here:

  1. You use a public Static IP Address. In this case you’ll need to configure the A record in the DNS settings.
    • Go to your domain settings and find DNS configurations.
    • Navigate to A-Records and add your own public Static IP address.
  2. This 2nd option is not tested and based on assumptions.
    You are using a hostname like no-ip. In this case you will need to add a Nameserver record.

    • Go to your domain settings and find DNS configurations.
    • Navigate to NS-Records
    • Add your hostname to the list of nameservers.

You might be able to test this step. If you enter your public IP in the browser, and you’ll end up seeing your router menu, then you should also see this menu when you enter your your domain address in the browser. If you don’t see your router menu when entering your public ip, you could try to connect to publicIP:5000 or publicIP:14265 (Nelson Gui port or IRI port). If you end up in the nelson gui or seeing a “invalid version” message, you could try to connect to your domain:5000 or domain:14265 to see if you get the same output.

Step 1: Installing Nginx

First step is to install Nginx on your system.

sudo apt-get update
sudo apt-get install nginx

After nginx is done installing, let’s check if it’s working properly, run:

systemctl status nginx

you should see something along the lines of:

nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-01-29 16:20:50 CET; 4min 20s ago
 Main PID: 1452 (nginx)
    Tasks: 2
   Memory: 8.4M
      CPU: 1.952s
   CGroup: /system.slice/nginx.service
           ├─1452 nginx: master process /usr/sbin/nginx -g daemon on; master_process on
           ─1453 nginx: worker process

You can verify nginx is working by going to http://server_domain_or_IP and be greeted with nginx’s welcome message. (don’t worry, we’ll remove this in a minute).

Step 2: Acquiring certificates

Now that nginx is running we will setup letsencrypt to get our certificates. In this step I will use the DNS TXT record verification method, however you can use other verification methods should you please to do so (certbot’s documentation is your friend).

Let’s firstly install certbot:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Now let’s make our certificates. Please note that your domain name should not contain http:// or www. Example: http://www.rock64Iota.com should be rock64iota.com.

We’ll create the certificates by invoking the following command:

sudo certbot certonly --manual --preferred-challenges=dns

You will now be asked a couple of questions, read clearly what they ask at each question and enter the correct information. At some point certbot will ask you to make a text record at _acme-challenge.<your_domain> and give it a special value. This is done to make sure you own the domain for which you are registering your certificate.

important note: The script will tell you to make a TXT record entree called _acme-challenge.Your_Domain. But this is not what you should add! You should only add _acme-challenge

Example: If the script tells you to add a TXT record named _acme-challenge.exampleDomain.com, then you will need to add a TXT entree named _acme-challenge (Without .exampleDomain.com).

Go to your domain configuration settings. This step will be slightly different depending on the domain service operator you have chosen. Inside DNS configuration, add a TXT record. Use _acme-challenge as a prefix or name value, and the special value as value.

After having registered the TXT record, go for a walk, grab a drink, or go swing around on your office chair for a few minutes to make sure that the update is published to the domain name servers (this can actually take up to 24 hours for very slow domain service operators, but in most cases it should be done in about 5 minutes). After you have had some fresh air, rehydrated or became dizzy it’s time to hit enter and let certbot check you have done it correctly.

When completed successfully, certbot will give you the following message, which also tells you where you can find your certificates

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2018-04-29. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 3: Automatically renewing certificates

Letsencrypt certificates don’t last long. Luckily certbot v0.19.0 automatically creates a cron entry,which can be found at:/etc/cron.d/certbot. You can verify that it’s working by checking whether the certbot.timer is present when you execute systemctl list-timers — all

Step 4: Configuring nginx

Now that we have acquired our certificates, we can finally setup nginx. We do this by editing its configuration file:

sudo nano /etc/nginx/sites-available/default 

You can now nuke all of it’s contents, as we won’t be needing it (you might want to leave the commented sections for future reference).

Pro-tip: Use Ctrl + ^ on the keyboard to start marking text. Use Page up or down to mark all the text. Then use Ctrl + K to cut the text. This way everything will be removed instantly.

Once everything is removed, add the following, changing parameters as you go:
IMPORTANT: Make sure you get all the characters right. your_domain is your domain name excluding http:// and without a / at the end (e.g. example_node.com)

server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;

server_name your_domain;
error_page 497 https://$host:$server_port$request_uri;

ssl_certificate your_cert_path/fullchain.pem;
ssl_certificate_key your_cert_path/privkey.pem;

location / { proxy_pass http://your_domain:your_IRI_port; } }

In the above configuration set the following:

  • your_domain To your domain (e.g. node.example.com) Don’t include http:// or www. here.
  • your_cert_path To the path where certbot placed all your certificates (e.g. /etc/letsencrypt/live/your_domain)
  • your_IRI_port to the port that IRI is running on (default 14265)

Now that you have completed the configuration, hit ctrl + x when using nano, and hit Y if it asks you to save changes.
Test your configuration by running:

sudo nginx -t

If there are any errors, go back and fix them. Otherwise reload your nginx configuration by running:

sudo systemctl reload nginx

Step 5: Port forwarding and ufw setup

Forward the following ports on your router. The IP address should be the local IP address of your node:

  • 80
  • 443

Next to that, you also want to take a look at your Linux server firewall.

First, check if the firewall is enabled:

  • sudo ufw status
    • If you see something like: Unknown command: ufw, this means your firewall is not working. In that case, enable it first:
      • sudo apt-get install ufw
      • Add all the Node ports to the exceptions:
        • sudo ufw allow IRI_PORT (Default 14265)
        • sudo ufw allow NELSON_CLI_PORT (Default 16600)
        • sudo ufw allow NELSON_GUI_PORT (Default 5000)
        • sudo ufw allow NELSON_API_PORT (Default 18600)
        • sudo ufw allow CARRIOTA_PORT (Default 21310)
        • sudo ufw allow TCP_PORT/tcp (Default 15600/tcp)
        • sudo ufw allow UDP_PORT/udp (Default 14600/udp)
    • If you see a list of ports that means the firewall is running.

Add the port exceptions to the firewall:

  • sudo ufw allow https
  • sudo ufw allow 80
  • sudo ufw allow 443
  • Optional: sudo ufw allow 22
    • This allows you to connect via SSH.

Restart ufw:

  • sudo ufw enable

Step 6: Check everything is working

Now that we have completed the setup it is time to check whether everything is working correctly.

  • Open up your browser and go to https://your_domain

It should show you a message saying {“error”:”Invalid API Version”,”duration”:1} but more importantly you should see a green padlock in the top left corner (at least when using chrome or firefox).
You can now setup your wallet using your new secured protocol!

Step 7: Config Trinity

  • In your Trinity app, go to settings –> Node.
  • Fill in your node address under Custom Node: https://YOUR_DOMAIN:443
  • Save!

You are now using your own Rock64 Node with Trinity!