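After setting up your nginx proxy to make the RT View content available, you’ll need some very basic means of authentication to prevent everybody from viewing all your internals. (This does not cover encryption using TLS to prevent man-in-the-middle attacks. Without TLS, HTTP Basic authentication sends the username and password merely base64-encoded, so anyone who can read the traffic can recover them.)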
Prerequisites
- You are using systemd to manage your services
- You have installed cardano-rt-view (0.1.0). It runs and listens for connections on 127.0.0.1:[RTVIEW_PRIVATE_PORT]
- You have installed nginx. You configured it to proxy requests on your [PUBLIC_IP]:[NGINX_PUBLIC_PORT] to 127.0.0.1:[RTVIEW_PRIVATE_PORT]
Install htpasswd
Fedora Linux/CentOS: sudo dnf -y install httpd-tools
Ubuntu/Debian: sudo apt install apache2-utils
Create password file
sudo htpasswd -5 -c /etc/nginx/conf.d/.htpasswd-cardano-rt-view [USERNAME]
Options:
- -5 enforces SHA-512 instead of MD5, htpasswd's default scheme, which is unsafe
- -c creates a new file; an existing file is overwritten, so only use it once, when adding the first user
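To confirm that every entry in the password file really uses the SHA-512 scheme that -5 selects, and that none was added later with the MD5 default, the file can be audited by hash prefix. This is an added example, not part of the original article; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list the hash scheme of every
# entry in an htpasswd file and fail if any entry uses a weak scheme.

# classify_hash HASH: print the scheme implied by the stored hash prefix.
classify_hash() {
    case "$1" in
        '$6$'*)                  echo sha512-crypt ;;   # written by htpasswd -5
        '$5$'*)                  echo sha256-crypt ;;
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;       # htpasswd default
        '$1$'*)                  echo md5-crypt ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        '{PLAIN}'*)              echo plaintext ;;
        *)                       echo unknown ;;
    esac
}

# audit_htpasswd FILE: print "user scheme" per entry; return 1 if any entry
# is MD5-based, SHA-1, plaintext or unrecognised, else 0.
audit_htpasswd() {
    rc=0
    # "|| [ -n ... ]" also handles a last line without a trailing newline
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac       # skip blanks/comments
        scheme=$(classify_hash "$hash")
        printf '%s %s\n' "$user" "$scheme"
        case "$scheme" in
            sha512-crypt|sha256-crypt|bcrypt) ;;
            *) rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# write_sample FILE: constructed entries (made-up users, dummy hash bodies).
write_sample() {
    cat > "$1" <<'EOF'
alice:$6$CONSTRUCTEDSALT$constructedhashbody
bob:$apr1$CONSTRUCTED$constructedhashbody
EOF
}

# Usage: sudo sh audit.sh /etc/nginx/conf.d/.htpasswd-cardano-rt-view
if [ "$#" -gt 0 ]; then audit_htpasswd "$1"; fi
```

A non-zero exit status means at least one user should be re-created with htpasswd -5 (without -c, so the other entries are kept).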
Add authentication to nginx configuration
Add the auth_basic and auth_basic_user_file parts to your nginx configuration.
My /etc/nginx/nginx.conf now contains this within the http{} block:
# Cardano RTView proxy
server {
    listen [PUBLIC_IP]:[NGINX_PUBLIC_PORT];
    server_name your.domain-name.com;
    location / {
        auth_basic "Cardano RT View Authorization";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd-cardano-rt-view;
        proxy_pass http://127.0.0.1:[RTVIEW_PRIVATE_PORT]/;
    }
}
Restart nginx
sudo systemctl restart nginx
You should be done now!
500 - Internal server error
If you now encounter nginx internal server errors (500), this might be due to storing your password file in a different place. You can check this using
sudo tail -f /var/log/nginx/error.log
In combination with SELinux you’ll have to allow nginx to read other parts of the filesystem (not really good for security):
sudo setsebool httpd_read_user_content on -P