Set Up a Validator with NGINX Reverse Proxy
This guide assumes that you have already configured your hardware with the appropriate specs. It has the same configuration as the polkadot validator setup.
INFO
Because validators of parachains need to have publicly accessible IP addresses and ports to receive connections from parachain collators, adding a proxy may potentially reduce connectivity and result in lower era points or the inability to validate parachain blocks. If using a proxy, it's recommended to keep an eye out on networking metrics.
We will walk you through how to configure a reverse proxy using NGINX in front of your validator node. The validator uses the reverse proxy to filter traffic, whereby additional adjustments can be made to respond to a DDoS attack.
1. Firewall configuration
We will configure the firewall with ufw. There needs to be three main ports for this setup.
An SSH port, commonly ssh/tcp port
22
.A proxy port
p2p port: must be denied at the firewall level.
In this example, we will assign the port number 2435
to the proxy port and the port number 30333
to the p2p port. To enable the firewall and the use of the ports, allow SSH access.
FOR PARACHAINS, YOU WILL NEED TO ALLOW FOR BOTH INBOUND AND OUTBOUND TRAFFIC ON THE P2P PORT
Since the proxy port is the public-facing port, this will need to have inbound and outbound traffic open, with the normal p2p port closed.
The verbose
option shows some extra information about the firewall's behavior.
2. Basic log viewing
We use journald logs for basic log viewing. Create a file called journald.conf
file inside the /etc/systemd/
directory with the following content:
Check out the example journald configuration file for more available options.
Finally, run the following command to restart the journald service:
3. NGINX reverse proxy setup
First, install NGINX with the following command:
Next, create an NGINX configuration file called nginx.conf
inside the /etc/nginx/
directory with the following content:
This will import and make use of the NGINX stream module. In a nutshell, this module allows for continuous streaming of data in or out of the validator machine with all the benefits of having an optimized reverse proxy.
Next, create a folder called /streams-enabled/
inside the /etc/nginx/
directory and remove the default NGINX site.
Now, inside the newly created directory /etc/nginx/streams-enabled/
, create the proxy service file called polkadot-proxy.conf
with the following content:
USE THE PREVIOUSLY DEFINED PORTS: PORT 2435
FOR THE PROXY PORT & PORT NUMBER 30333
FOR THE P2P PORT
Change the permissions of the file polkadot-proxy.conf
accordingly:
Finally, restart NGINX with the following command:
4. Defining your proxy port and p2p port in the polkadot command
These are some of the flags you are going to use when executing the command.
--public-addr <VALIDATOR_IP>, <PROXY_PORT>
- This flag defines the validator's IP and the proxy port that all other nodes in the network will connect to.
--listen-addr <LOCALHOST>, <P2P_PORT>
- This flag defines the p2p port that the polkadot application will use to connect to the NGINX reverse proxy.
P2P Networking
Nodes will use libp2p as the networking layer to establish peers and gossip messages, but uses NGINX as a load balancer which acts as a first listener of the streaming data to help balance the load.
public-addr
public-addr
- a flexible encoding of multiple layers of protocols into a human-readable addressing scheme. In our example, /ip4/<VALIDATOR_IP>/tcp/<PROXY_PORT>
is a valid public-addr
that specifies wanting the network to reach the validator IPv4 address with TCP packets on the pre-defined proxy port.
IP_ADDRESS
- the public IP address of the validator.PROXY_PORT
- the port that nodes will send p2p messages over the network and are read by the NGINX reverse proxy.
listen-addr
listen-addr
- the specification of what port the polkadot application will connect to the reverse proxy. In our example, /ip4/0.0.0.0/tcp/<P2P_PORT>
specifies that you want to listen to NGINX on the localhost address (0.0.0.0
, or all interfaces), with TCP packets on the pre-defined p2p port.
P2P_PORT
- the port that the polkadot application connects to NGINX.
Starting the validator with the NGINX proxy
After retrieving the appropriate IP_ADDRESS
, PROXY_PORT
and P2P_PORT
of the validator node, we can start the validator.
Start your validator with the --validator
flag:
You should see your validator's peers, as well as the p2p port you are using to connect to NGINX.
Congratulations! You have successfully set up a validator with NGINX and now have a more secure way of running your validator.
Last updated