Recently, some developers and I have missed having a simple way to enable remote HTTPS access to applications running on public nodes on a custom port.
When websites and services that want to connect to a public node have their backend running on https, unencrypted http calls can become a problem.
Installing SSL certificates with Let's Encrypt/Certbot has become easier than ever, so this is a workaround for the issue that I don't think has been posted before, and might be useful.
It has been tried and will probably be used for SuperNET Iguana nodes (and Basilisk, the lite client evolution), but the first time I discussed this was with Tosch and around Nxt nodes, and it worked easily when I tested it in a public Nxt node.
1) A Linux server running Nxt, and configured for public API access. This should only require creating a nxt.properties under nxt/conf similar to this:
nxt.allowedUserHosts=127.0.0.1; localhost; SERVER_IP_ADDRESS; 0:0:0:0:0:0:0:1;
2) A subdomain (or domain) to access your node. This is required to use an SSL certificate. The subdomain should be included in the domain nameservers configuration as an A record pointing to your server IP.
In this example, setup was done using the root account. If you're using a non-root account, it needs to be in the sudo group and commands need to be run using sudo.
1) Install Let's Encrypt (certbot) and generate the SSL certificate for your (sub)domain.
chmod a+x ./certbot-auto
./certbot-auto certonly --standalone --email email@example.com -d sub.example.com
2) Install the Apache web server and enable the modules for SSL and reverse proxy.
apt-get install apache2
a2enmod ssl proxy_http
3) Configure the default Apache configuration file.
Replace the default configuration lines with the following, replacing sub.example.com with your (sub)domain:
Redirect permanent / https://sub.example.com/
ProxyPass / http://localhost:7876/
ProxyPassReverse / http://localhost:7876/
4) Finally, restart the Apache web server.
service apache2 restart
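The complete virtual host layout that the three directives in step 3 belong to, as an added example that is not from the original post. The file location (/etc/apache2/sites-available/000-default.conf on Debian/Ubuntu), the ServerName lines, and the certificate paths (certbot's default output directory for sub.example.com) are assumptions.

```apache
# Added example, not the original author's file.
# Assumed location: /etc/apache2/sites-available/000-default.conf

# Port 80: answer only with a redirect to the HTTPS site.
<VirtualHost *:80>
    ServerName sub.example.com
    Redirect permanent / https://sub.example.com/
</VirtualHost>

# Port 443: terminate TLS here and forward requests to Nxt on localhost.
<VirtualHost *:443>
    ServerName sub.example.com

    SSLEngine on
    # Assumed certbot default paths for the certificate requested in step 1.
    # Passing fullchain.pem to SSLCertificateFile needs Apache 2.4.8 or later.
    SSLCertificateFile    /etc/letsencrypt/live/sub.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com/privkey.pem

    # Reverse proxy only: keep forward proxying disabled.
    ProxyRequests Off
    ProxyPass        / http://localhost:7876/
    ProxyPassReverse / http://localhost:7876/
</VirtualHost>
```

Running apachectl configtest before the restart catches syntax errors in the file. Requests forwarded by the proxy reach Nxt from 127.0.0.1, so any restriction by client address has to be applied in Apache or a firewall.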
As an example, you can check https://node001.nxtinside.org, and try a Nxt API request to that node using an encrypted connection: https://node001.nxtinside.org/nxt?requestType=getState
Any improvements and alternatives for this procedure will be welcome.