diff --git a/documentation/operators/src/nodes/proxy-configuration.md b/documentation/operators/src/nodes/proxy-configuration.md index c0ea85ce08..b552a03701 100644 --- a/documentation/operators/src/nodes/proxy-configuration.md +++ b/documentation/operators/src/nodes/proxy-configuration.md @@ -1,8 +1,8 @@ # Reverse Proxy & Web Secure Socket -This section will guide you in setting up a reverse proxy for serving `nym-node` HTTP requests and to set up a custom [landing page](../legal/landing-pages.md) for your node. +This section will guide you in setting up a reverse proxy & secure websocket (wss) for serving `nym-node` HTTP requests and to set up a custom [landing page](../legal/landing-pages.md) for your node. -In later sections, you will be setting up secure websocket (wss) to add additional security and encrypt connections coming to your node. Follow [this guide](#web-secure-socket-setup) for installation. +The secure websocket (wss) adds additional security and encrypts connections coming to your node. ```admonish info Since SSL certificates can only be issued for a domain name and not an IP address, it is essential for you to register a new domain name and configure a domain record pointing to your node's IP address @@ -12,206 +12,505 @@ Since SSL certificates can only be issued for a domain name and not an IP addres This guide contains several variables. Substitute them with your own value, without `<>` brackets. Here is a list of variables we used below. -| Variable | Description | Syntax example | -| :-------------------- | :------------------------------------------------------------------------------------------ | :-------------------------------------------------------- | -| `` | Your registered DNS domain, asigned to the VPS with `nym-node` | exit-gateway1.squad.nsl | -| `` | Port listening to WSS, default is `9001` | 9001 | -| `` | Any text you want to show on the landing page | Welcome to Nym Node, operator contact is example@email.me | -| `` | A sub-directory located at `/var/www/` containing html configuration files | `/var/www/exit-gateway1.squad.nsl` | -| `` | A local only `nym-node` identifier, specified by flag `--id`, default is `default-nym-node` | alice_super_node | -| `` | Specify a full path to the given file, directory or binary behind this variable | `/root/src/nym/target/release/` | +| Variable | Description | Syntax example | +| :--------------------------- | :------------------------------------------------------------------------------------------ | :-------------------------------------------------------- | +| `` | Your registered DNS domain, asigned to the VPS with `nym-node` | exit-gateway1.squad.nsl | +| `` | Port listening to WSS, default is `9001` | 9001 | +| `` | Any text you want to show on the landing page | Welcome to Nym Node, operator contact is example@email.me | +| `` | A sub-directory located at `/var/www/` containing html configuration files | `/var/www/exit-gateway1.squad.nsl` | +| `` | A local only `nym-node` identifier, specified by flag `--id`, default is `default-nym-node` | alice_super_node | +| `` | Specify a full path, where you want to store your docker compose conf | `$HOME/reverse-proxy` | +| `` | Specify a full path to your nginx main configuration | `/nginx/nginx.conf` | +| `` | Specify a full path to your nginx sites-enabled default conf | `/nginx/sites-enabled` | ```admonish warning title="" The commands in this setup need to be run with root permission. Either add a prefix `sudo` or execute them from a root shell. ``` -## Reverse Proxy Setup +## Setup ```admonish info -This guide was created by a Nym node operator, [Avril 14th](https://avril14th.org) as a part of [Nym Operators Community Counsel](../legal/community-counsel.md), edited by Nym. +This setup requires `Docker` and `Docker Compose` on your server. Follow the setup instructions on [Docker Installation for Ubuntu](https://docs.docker.com/engine/install/ubuntu/) or [other linux distros](https://docs.docker.com/engine/install/) before you continue with this guide. ``` -The following snippet needs be modified as described below according to the public identity that you may want to show on this public notice, i.e. your graphics and your email. -It would allow you to serve it as a landing page resembling the one proposed by [Tor](https://gitlab.torproject.org/tpo/core/tor/-/raw/HEAD/contrib/operator-tools/tor-exit-notice.html) but with all the changes needed to adhere to the Nym's operators case. +### Firewall Rules for WSS & Nginx + +If you setup firewall with `ufw`, `ufw` has three profiles pre-configured for `nginx`. We will need the first one for `nym-node`: +- `Nginx Full`: This profile opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic) +- `Nginx HTTP`: This profile opens only port 80 (normal, unencrypted web traffic) +- `Nginx HTTPS`: This profile opens only port 443 (TLS/SSL encrypted traffic) +For WSS, make sure to open all [needed ports](vps-setup.md#configure-your-firewall), adding your ``. -### HTML File Customization +```sh +ufw allow 'Nginx Full' + +ufw allow /tcp +# for example +# ufw allow 9001/tcp -File for html configuration are by convention located at `/var/www/` directory and it's subdirectories. We refer to this directory as ``. +# you can verify by +ufw status + +# possibly reload ufw by +ufw reload +``` + +### Compose And Traefik Configuration + +1. Create the conf directories for the compose file & nginx content: -1. Start by creating this directory: ```sh -mkdir -p /var/www/ +mkdir -p +cd +mkdir -p ``` -2. Use your own html code or copy the template below to a new file called `index.html` located in `/var/www/` directory. -~~~admonish example collapsible=true title="An example template for `/var/www//index.html` page" -```html - - - - -This is a NYM Exit Gateway - - - +2. Create the `compose.yml`: - - -
-

This is a NYM Exit Gateway

-

- -

+```sh +nano compose.yml +``` + +This template configures the webserver ([Nginx](https://nginx.org/en/docs)) and reverse proxy ([Traefik](https://doc.traefik.io/traefik/)). Traefik will handle all incoming HTTPS/WSS requests and forwards them to Nginx. It also issues/renews certificate requests via [ACME/Let's Encrypt](https://doc.traefik.io/traefik/https/acme/) based on the `` you will specify below. + +~~~admonish example collapsible=true title="Docker Compose for proxy and webserver `reverse-proxy/compose.yml`" + +```yaml +services: + traefik: + image: traefik:3.1 + security_opt: + - no-new-privileges=true + read_only: true + ports: + - "80:80" + - "443:443" + - ":" + command: + - "--log.level=INFO" + - "--providers.docker=true" + - "--providers.docker.exposedByDefault=false" + - "--entryPoints.port443.address=:443" + - "--entryPoints.port80.address=:80" + - "--entryPoints.port9001.address=:" + - "--certificatesResolvers.le-ssl.acme.tlsChallenge=true" + - "--certificatesResolvers.le-ssl.acme.email=" + - "--certificatesResolvers.le-ssl.acme.storage=/letsencrypt/acme.json" + volumes: + - traefik-data:/letsencrypt + - /var/run/docker.sock:/var/run/docker.sock + sysctls: + net.ipv6.conf.all.disable_ipv6: 0 + + nginx: + image: nginx:latest + security_opt: + - no-new-privileges=true + labels: + # HTTP endpoint redirect to SSL + - "traefik.enable=true" + - "traefik.http.routers.nginx.entrypoints=port80" + - "traefik.http.routers.nginx.rule=host(``)" + - "traefik.http.middlewares.nginx-redirect.redirectScheme.scheme=https" + - "traefik.http.middlewares.nginx-redirect.redirectScheme.permanent=true" + - "traefik.http.services.nginx.loadBalancer.passhostheader=true" + - "traefik.http.routers.nginx.service=nginx" + # SSL endpoint + - "traefik.http.routers.nginx-ssl.entryPoints=port443" + - "traefik.http.routers.nginx-ssl.rule=host(``)" + - "traefik.http.routers.nginx-ssl.tls=true" + - "traefik.http.routers.nginx-ssl.tls.certResolver=le-ssl" + - "traefik.http.services.nginx-ssl.loadBalancer.passhostheader=true" + - "traefik.http.services.nginx-ssl.loadBalancer.server.port=80" + - "traefik.http.routers.nginx-ssl.service=nginx-ssl" + # WSS endpoint + - "traefik.http.routers.nginx-wss.entrypoints=port" + - "traefik.http.routers.nginx-wss.rule=host(``)" + - "traefik.http.routers.nginx-wss.tls=true" + - "traefik.http.routers.nginx-wss.tls.certResolver=le-ssl" + - "traefik.http.services.nginx-wss.loadBalancer.server.port=" + - "traefik.http.routers.nginx-wss.service=nginx-wss" + volumes: + - :/etc/nginx/nginx.conf:ro + - :/etc/nginx/sites-enabled:ro + extra_hosts: + - "host.docker.internal:host-gateway" + expose: + - + +volumes: + traefik-data: +``` +~~~ -

-You are most likely accessing this website because you've had some issue with -the traffic coming from this IP. This router is part of the NYM project, which is -dedicated to create outstanding -privacy software that is legally compliant without sacrificing integrity or -having any backdoors. -This router IP should be generating no other traffic, unless it has been -compromised.

+Adapt the template in respect to [*variables*](#variables-explanation). -

-The Nym mixnet is operated by a decentralised community of node operators -and stakers. The Nym mixnet is trustless, meaning that no parts of the system -nor its operators have access to information that might compromise the privacy -of users. Nym software enacts a strict principle of data minimisation and has -no back doors. The Nym mixnet works by encrypting packets in several layers -and relaying those through a multi-layered network called a mixnet, eventually -letting the traffic exit the Nym mixnet through an exit gateway like this one. -This design makes it very hard for a service to know which user is connecting to it, -since it can only see the IP-address of the Nym exit gateway:

- -

- -Illustration showing how a user might connect to a service through the Nym network. The user first sends their data through three daisy-chained encrypted Nym nodes that exist on three different continents. Then the last Nym node in the chain connects to the target service over the normal internet. - - - - - - - - - - - - - - - - - - - - - -The user -This server -Your service -Nym network link -Unencrypted link - - - - - - -

+```admonish warning title="" +Make sure `` successfully resolves to your servers IPv4 or IPv6 address here. +``` -

-Read more about how Nym works.

+3. Start the reverse proxy server now: -

-Nym relies on a growing ecosystem of users, developers and researcher partners -aligned with the mission to make sure Nym software is running, remains usable -and solves real problems. While Nym is not designed for malicious computer -users, it is true that they can use the network for malicious ends. This -is largely because criminals and hackers have significantly better access to -privacy and anonymity than do the regular users whom they prey upon. Criminals -can and do build, sell, and trade far larger and more powerful networks than -Nym on a daily basis. Thus, in the mind of this operator, the social need for -easily accessible censorship-resistant private, anonymous communication trumps -the risk of unskilled bad actors, who are almost always more easily uncovered -by traditional police work than by extensive monitoring and surveillance anyway.

+```sh +docker compose up -d traefik +``` -

-In terms of applicable law, the best way to understand Nym is to consider it a -network of routers operating as common carriers, much like the Internet -backbone. However, unlike the Internet backbone routers, Nym mixnodes do not -contain identifiable routing information about the source of a packet and do -mix the user internet traffic with that of other users, making communications -private and protecting not just the user content but the metadata -(user's IP address, who the user talks to, when, where, from what device and -more) and no single Nym node can determine both the origin and destination -of a given transmission.

+4. Check if it started ok: -

-As such, there is little the operator of this Exit Gateway can do to help you -track the connection further. This Exit Gateway maintains no logs of any of the -Nym mixnet traffic, so there is little that can be done to trace either legitimate or -illegitimate traffic (or to filter one from the other). Attempts to -seize this router will accomplish nothing.

- - - + - - -

To decentralise and enable privacy for a broad range of services, this -Exit Gateway adopts an Exit Policy -in accordance with the Tor Null ‘deny’ list -and the Tor reduced policy, -which are two established safeguards. -

- -

-That being said, if you still have a complaint about the router, you may email the - maintainer. If complaints are related - to a particular service that is being abused, the maintainer will submit that to the - NYM Operators Community in order to add it to the Exit Policy cited above. -If approved, that would prevent this router from allowing that traffic to exit through it. -That can be done only on an IP+destination port basis, however. Common P2P ports are already blocked.

- -

-You also have the option of blocking this IP address and others on the Nym network if you so desire. - The Nym project provides a - web service to fetch a list of all IP addresses of Nym Gateway Exit nodes that allow exiting to a -specified IP:port combination. Please be considerate when using these options.

- -
- +

+ To decentralise and enable privacy for a broad range of services, this + Exit Gateway adopts an + Exit Policy + in accordance with the + Tor Null ‘deny’ list and the + Tor reduced policy, which are two established safeguards. +

+ +

+ That being said, if you still have a complaint about the router, you may + email the + maintainer. If complaints are + related to a particular service that is being abused, the maintainer + will submit that to the NYM Operators Community in order to add it to + the Exit Policy cited above. If approved, that would prevent this router + from allowing that traffic to exit through it. That can be done only on + an IP+destination port basis, however. Common P2P ports are already + blocked. +

+ +

+ You also have the option of blocking this IP address and others on the + Nym network if you so desire. The Nym project provides a + + web service + to fetch a list of all IP addresses of Nym Gateway Exit nodes that allow + exiting to a specified IP:port combination. Please be considerate when + using these options. +

+ + ``` ~~~ @@ -269,16 +583,19 @@ specified IP:port combination. Please be considerate when using these options. + ``` - Add your header logo on the line: + ``` ``` - By either setting the URl to the image (if you're hosting it publicly, i.e. on your web server) + ``` href="" @@ -288,6 +605,7 @@ src="" ``` - **or** by adding the image inline as base64 encoded image + ``` href="href="data:image/x-icon;base64,AAABAAMA...."" @@ -297,8 +615,9 @@ src="href="data:image/x-icon;base64,AAABAAMA...."" ``` - Add the email address you're willing to use for being contacted. + ``` -maintainer +maintainer ``` - If you're running the node within the US check the sections marked as `FIXME`, add your DNS name and un-comment those. @@ -310,229 +629,183 @@ Now your html page is configured. ### `nym-node` Configuration When done with the customization, you'll need to make sure your `nym-node` uploads the file and reference to it. This is done by opening your node configuration file located at `~/.nym/nym-nodes//config/config.toml` and changing the value of the line `landing_page_assets_path` on the `[http]` section: + ``` landing_page_assets_path = '' ``` -### Reverse Proxy Configuration +### Nginx Configuration for custom Landing-Page & Secure Web-Socket -You may set up a [reverse proxy](https://www.nginx.com/resources/glossary/reverse-proxy-server/) in order to serve this landing page with proper SSL and DNS management, i.e. to resolve it to https://. +This last steps will configure the [nginx reverse proxy](https://www.nginx.com/resources/glossary/reverse-proxy-server/) for serving: -**Configure Nginx** +- WSS => WS +- HTTP (80) => `nym-node` HTTP port (8080) -1. Install `nginx`: -```sh -sudo apt install nginx -``` +This section assumes that you have already done the `compose.yml` configuration and launched traefik. If not, head over to [the compose setup](#compose-and-traefik-configuration) and finish this first. -1. Setup firewall with `ufw`. `ufw` has three profile pre-configured for `nginx`, we will need the first one for `nym-node`: - -- `Nginx Full`: This profile opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic) -- `Nginx HTTP`: This profile opens only port 80 (normal, unencrypted web traffic) -- `Nginx HTTPS`: This profile opens only port 443 (TLS/SSL encrypted traffic) +1. Create the nginx main conf (``): ```sh -ufw allow 'Nginx Full' - -# you can verify by -ufw status - -# possibly reload ufw by -ufw reload -``` - -3. Disable the default Nginx landing page +nano +# for example +# nano `nginx/nginx.conf` ``` -systemctl status nginx -unlink /etc/nginx/sites-enabled/default -systemctl restart nginx -``` +with content -4. Add your endpoint configuration to Nginx by creating file: +~~~admonish example collapsible=true title="Nginx Conf ``" -```sh -nano /etc/nginx/sites-available/ -``` -- and changing `` occurrences below with your domain name: +```bash +user nginx; +worker_processes auto; -``` -server { - listen 80; - listen [::]:80; +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; - # Replace with your domain name - server_name ; - location / { - proxy_pass http://127.0.0.1:8080; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } +events { + worker_connections 1024; } -``` -This guide assumes that the HTTP port used by you is `8080`. Adjust the configuration accordingly if you have defined -a custom port for your `nym-node` HTTP connections - -5. Activate the configuration by creating a symlink to `/etc/nginx/sites-enabled`: -```sh -ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled -``` -6. Test your configuration syntax: +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; -```sh -nginx -t -``` + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; -Nginx must report that the config is "ok" and the test was successful. + access_log /var/log/nginx/access.log main; -7. Restart `nginx`: + sendfile on; + #tcp_nopush on; -```sh -systemctl restart nginx -``` + keepalive_timeout 65; -8. Get an `SSL` certificate using certbot: - -```sh -apt install certbot python3-certbot-nginx -certbot --nginx --non-interactive --agree-tos --redirect -m -d -``` - -9. Restart your `nym-node` or if you're running your `nym-node` as a [`systemd` service](configuration.md#systemd), restart your service: -```sh -systemctl daemon-reload && systemctl restart nym-node -``` + #gzip on; -9. Check for the page being served reading the service logs -```sh -journalctl -u nym-node.service | grep 8080 + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} -# where you should see -... Started NymNodeHTTPServer on 0.0.0.0:8080 ``` -Now your `nginx` should be configured, up and running. Test it by inserting your `` as a URL in a browser. - - -## Web Secure Socket Setup - -This section assumes that you have already configured a reverse proxy and have set it up to work over https. If not, head over to [the reverse proxy section](#reverse-proxy-configuration) to configure it. - -We strongly recommend node operators to configure secure web sockets on their nodes. This will provide clients a more secure way to connect to your node. - -You can read more about *Secure Socket Layer* (SSL) in [here](https://www.geeksforgeeks.org/secure-socket-layer-ssl/). - +~~~ -Remember that there may be some unique variables and customization depending on the way your reverse proxy is setup which you may have to adjust when configuring WSS to ensure correct functionality +2. Finally, add your nginx `sites-enabled` conf (includes rules for serving landing-page & WSS proxying) by storing it in : -```admonish tip -To see description of used variables (noted in `<>` brackets), scroll to the top of this page, chapter [*Variables Explanation*](#variables-explanation). +```sh +nano /default ``` -#### Firewall configuration +and changing `` occurrences below with your domain name and `` with your selected WSS port: -Make sure to open all [needed ports](vps-setup.md#configure-your-firewall), adding your ``: -```sh -ufw allow /tcp +~~~admonish example collapsible=true title="Nginx default site configuration `/default`" -# for example -# ufw allow 9001/tcp ``` +server { + listen 80; + listen [::]:80; -#### WSS configuration - -This section assumes that you have already configured a reverse proxy and have set it up to work over https. If not, head over to [the reverse proxy section](#reverse-proxy) to configure it. - -1. Create a new Nginx configuration file called `/etc/nginx/sites-available/wss-config-nym` and paste the block below. Don't forget to insert your correct values. + server_name ; -~~~admonish example collapsible=true title="Site configuration `/etc/nginx/sites-available/wss-config-nym`" -```bash -##################################################### -# EXCHANGE ALL & VARIABLES ! # -#################################################### + location / { + proxy_pass http://host.docker.internal:8080; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} server { - listen ssl http2; - listen [::]: ssl http2; + listen ; + listen [::]:; server_name ; - ssl_certificate /etc/letsencrypt/live//fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live//privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; - # Ignore favicon requests - location /favicon.ico { - return 204; - access_log off; - log_not_found off; - } - location / { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Credentials' 'true'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD'; - add_header 'Access-Control-Allow-Headers' '*'; + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Credentials' 'true'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD'; + add_header 'Access-Control-Allow-Headers' '*'; - proxy_http_version 1.1; + proxy_http_version 1.1; + proxy_pass http://host.docker.internal:9000; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://localhost:9000; - proxy_intercept_errors on; + proxy_intercept_errors on; # Enable intercepting errors from the proxy } } ``` + ~~~ -4. Activate the configuration by creating a simlink to `/etc/nginx/sites-enabled`: -```sh -ln -s /etc/nginx/sites-available/wss-config-nym /etc/nginx/sites-enabled -``` +This guide assumes that the `nym-node` HTTP port used by you is `8080` and the WS port is `9000`. Adjust the configuration accordingly if you have defined custom ports for your `nym-node` HTTP & WS connections. + + +3. Start your nginx service via docker compose: -5. Test your configuration syntax: ```sh -nginx -t +docker compose up -d nginx ``` -6. Restart `nginx`: -```sh -systemctl restart nginx +Now your `nginx` should be configured, up and running. Test it with `docker compose ps nginx` & `docker compose logs -f nginx`. -``` -7. Finally, configure your `nym-node` to announce the port you have setup. This is done by opening your node configuration file located at `~/.nym/nym-nodes//config/config.toml` and changing the value of the line `announce_wss_port` in the `[entry_gateway]` section: +4. Configure your `nym-node` to announce the port you have setup. This is done by opening your node configuration file located at `~/.nym/nym-nodes//config/config.toml` and changing the value of the line `announce_wss_port` in the `[entry_gateway]` section: ``` -announce_wss_port = +announce_wss_port = # example # announce_wss_port = 9001 ``` -8. Restart your `nym-node` : +5. Restart your `nym-node`: + ```sh systemctl restart nym-node ``` -Your `nym-node` should be configured to run over WSS now. Test it using the steps in the chapter [below](#test-wss-setup). +Your `nym-node` should be configured to run over WSS now. Test it using the steps in the chapter [below](#test-wss) + +5. Restart your `nym-node` or if you're running your `nym-node` as a [`systemd` service](configuration.md#systemd), restart your service: + +```sh +systemctl daemon-reload && systemctl restart nym-node +``` + +## Test Setup + +You can do a few quick checks to test that your setup worked out, that your reverse proxy is working and `nym-node` is running correctly via WSS. + +### Test Reverse Proxy +1. With `nym-node`, check for the page being served reading the service logs + +```sh +journalctl -u nym-node.service | grep 8080 + +# where you should see +... Started NymNodeHTTPServer on 0.0.0.0:8080 +``` + +Test it by inserting your `` as a URL in your local browser -### Test WSS Setup +### Swagger API -You can do a few quick checks to test that your installation worked out and your `nym-node` is running correctly using WSS: +- Check Swagger API of your node using the hostname: `https:///api/v1/swagger/#/` + +### Test WSS - Check out connection with `wscat` from another (local) machine: + ```sh # install sudo apt install node-ws @@ -540,5 +813,3 @@ sudo apt install node-ws # run wscat -c wss://: ``` - -- Check Swagger API of your node using the hostname: `https:///api/v1/swagger/#/`