Recently, some developers and I have missed having a simple way to enable remote HTTPS access to applications running on public nodes on a custom port.
When websites and services that want to connect to a public node have their backend running on https, unencrypted http calls can become a problem.
Installing SSL Certificates with Letsencrypt/Certbot has become easier than ever, so this is a workaround for the issue that I don't think has been posted before, and might be useful.
It has been tried and will probably be used for SuperNET Iguana nodes (and Basilisk, the lite client evolution), but the first time I discussed this was with Tosch and around Nxt nodes, and it worked easily when I tested it in a public Nxt node.
Requirements
1) A Linux server running Nxt, and configured for public API access. This should only require creating a nxt.properties under nxt/conf similar to this:
nxt.apiServerCORS=true
nxt.uiServerCORS=true
nxt.myAddress=SERVER_IP_ADDRESS
nxt.allowedBotHosts=*
nxt.allowedUserHosts=127.0.0.1; localhost; SERVER_IP_ADDRESS; 0:0:0:0:0:0:0:1;
nxt.enableAPIserver=true
nxt.apiServerHost=0.0.0.0
2) A subdomain (or domain) to access your node. This is required to use an SSL certificate. The subdomain should be included in the domain nameservers configuration as an A record pointing to your server IP.
Procedure
In this example, setup was done using the root account. If you're using a non-root account, it needs to be in the sudo group and commands need to be run using sudo.
1) Install letsencrypt (certbot) and generate the SSL certificate for your (sub)domain.
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto certonly --standalone --email admin@example.com -d sub.example.com
2) Install apache webserver and enable the modules for ssl and reverse proxy.
apt-get install apache2
a2enmod ssl proxy_http
3) Configure the default apache configuration file.
nano /etc/apache2/sites-available/000-default.conf
Replace the default configuration lines with the following, replacing sub.example.com with your (sub)domain:
<VirtualHost *:80>
    ServerName sub.example.com
    Redirect permanent / https://sub.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName sub.example.com
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sub.example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/sub.example.com/chain.pem
        SSLProxyEngine On
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://localhost:7876/
        ProxyPassReverse / http://localhost:7876/
    </VirtualHost>
</IfModule>
4) Finally, restart the apache webserver.
service apache2 restart
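A check for the two files this procedure touches, as an added example that is not part of the original post: it flags settings that would undermine the HTTPS front end, including that nxt.apiServerHost=0.0.0.0 leaves the API port listening for plain HTTP next to the proxy. The helper names and the trimmed sample files are constructed for illustration, and the script assumes the ProxyPass port is the Nxt API port.

```shell
# Added example: audit the nxt.properties and Apache vhost from this procedure.
# prop FILE KEY: value of KEY in a Java-style properties file (last one wins)
prop() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }

# directive FILE NAME: arguments of each NAME directive (names are case-insensitive)
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# audit PROPS VHOST: prints one line per finding, returns 1 if there are any
audit() {
    n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }
    backend=$(directive "$2" ProxyPass | awk '{ print $2; exit }')
    port=$(echo "$backend" | sed -n 's#^http://[^:/]*:\([0-9][0-9]*\).*#\1#p')
    directive "$2" Redirect | grep -q 'https://' ||
        finding "port 80 does not redirect to https://"
    [ "$(directive "$2" SSLEngine | tr 'A-Z' 'a-z')" = on ] ||
        finding "SSLEngine is not on"
    [ "$(directive "$2" ProxyRequests | tr 'A-Z' 'a-z')" = off ] ||
        finding "ProxyRequests is not Off, Apache can be used as a forward proxy"
    case $backend in
        http://localhost[:/]*|http://127.0.0.1[:/]*) ;;
        *) finding "backend '$backend' is not loopback, plain HTTP leaves the host" ;;
    esac
    [ "$(prop "$1" nxt.apiServerHost)" != 0.0.0.0 ] ||
        finding "nxt.apiServerHost=0.0.0.0: port $port also listens for plain HTTP on every interface"
    [ "$n" -eq 0 ]
}

# write_samples DIR: constructed, trimmed copies of the page's two files
write_samples() {
    printf 'nxt.enableAPIserver=true\nnxt.apiServerHost=0.0.0.0\n' > "$1/nxt.properties"
    cat > "$1/000-default.conf" <<'EOF'
<VirtualHost *:80>
    Redirect permanent / https://sub.example.com/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ProxyRequests Off
    ProxyPass / http://localhost:7876/
    ProxyPassReverse / http://localhost:7876/
</VirtualHost>
EOF
}

d=$(mktemp -d) && write_samples "$d"
audit "$d/nxt.properties" "$d/000-default.conf" || true
```

To run it against a real node, call audit with the paths to nxt/conf/nxt.properties and /etc/apache2/sites-available/000-default.conf.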
As an example, you can check https://node001.nxtinside.org, and try a Nxt API request to that node using an encrypted connection:
https://node001.nxtinside.org/nxt?requestType=getState
Any improvements and alternatives for this procedure will be welcome.