How to setup HTTPs for your IOTA full-node

This is a step-by-step guide on how to make your node more secure by using the HTTPs protocol instead of the standard HTTP for your node.

Why would you want to do this?

When you are making a transaction using a light-wallet on your device, it will send the details of said transaction to the associated full node. By default this communication is done via HTTP, which is unencrypted. 
If someone were to be sniffing around your network, they would be able to see the transactions that you are making. If you are using HTTPS, this data in encrypted and no one will know what you’re up to.

Approach

In order to encrypt the connection to your node, we need to obtain certificates, and handle https requests. As of writing this article, IRI has no built-in mechanism for handling https requests. So we will use the following tools to make it all work:

  • Nginx to run a reverse proxy, which acts as an intermediate layer between IRI and connecting clients
  • Letsencrypt for free and secure certificates

You may choose a different reverse proxy server over nginx, or use a different certificate authority, but the process will be very similar.

Disclaimer: I’m not an expert on any of the mentioned technologies. I’ll be more than happy to help if things are unclear, but I can’t fix all problems you might have.

Step 0: Prerequisites

In order to protect your wallet-node connection, you’ll need the following already setup:

  • A domain name
  • Your full-node, I’ll show you how to setup nginx assuming you run your iri api on port 14265
  • sudo privileges on your system

I’ll be showing you how to do all the setup on a server running Ubuntu server 16.04, however the process will be similar for other linux distros.

Step 1: Installing Nginx

First step is to install Nginx on your system.

sudo apt-get update
sudo apt-get install nginx

After nginx is done installing, let’s check if it’s working properly, run:

systemctl status nginx

you should see something along the lines of:

nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2018-01-29 16:20:50 CET; 4min 20s ago
Main PID: 1452 (nginx)
Tasks: 2
Memory: 8.4M
CPU: 1.952s
CGroup: /system.slice/nginx.service
├─1452 nginx: master process /usr/sbin/nginx -g daemon on; master_process on
─1453 nginx: worker process

You can verify nginx is working by going to http://server_domain_or_IP and be greeted with nginx’s welcome message. (don’t worry, we’ll remove this in a minute).

Step 2: Acquiring certificates

Now that nginx is running we will setup letsencrypt to get our certificates. In this step I will use the DNS TXT record verification method, however you can use other verification methods should you please to do so (certbot’s documentation is your friend).

Let’s firstly install certbot:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Now let’s make our certificates. We’ll do this by invoking the following command:

sudo certbot certonly --manual --preferred-challenges=dns

You will now be asked a couple of questions, read clearly what they ask at each question and enter the correct information. At some point certbot will ask you to make a text record at _acme-challenge.<your_domain> and give it a special value. This is done to make sure you own the domain for which you are registering your certificate.

After having registered the TXT record, go for a walk, grab a drink, or go swing around on your office chair for a few minutes to make sure that the update is published to the domain name servers (this can actually take up to 24 hours for very slow domain service operators, but in most cases it should be done in about 5 minutes). After you have had some fresh air, rehydrated or became dizzy it’s time to hit enter and let certbot check you have done it correctly.

When completed successfully, certbot will give you the following message, which also tells you where you can find your certificates

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2018-04-29. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Step 3: Automatically renewing certificates

Letsencrypt certificates don’t last long. Luckily certbot v0.19.0 automatically creates a cron entry,which can be found at:/etc/cron.d/certbot. You can verify that it’s working by checking whether the certbot.timer is present when you execute systemctl list-timers — all

Step 4: Configuring nginx

Now that we have acquired our certificates, we can finally setup nginx. We do this by editing its configuration file:

sudo nano /etc/nginx/sites-available/default

You can now nuke all of it’s contents, as we won’t be needing it (you might want to leave the commented sections for future reference).
Once everything is removed, add the following, changing parameters as you go:

server {
listen your_preferred_port ssl http2 default_server;
listen [::]:your_preferred_port ssl http2 default_server;
        server_name your_domain;
error_page 497 https://$host:$server_port$request_uri;
        ssl_certificate your_cert_path/fullchain.pem;
ssl_certificate_key your_cert_path/privkey.pem;
location / {
proxy_pass http://localhost:your_IRI_port;
}
}

In the above configuration set the following:

  • your_preferred_port To the port you would like to access your node on (make sure this port is not yet used)
  • your_domain To your domain (e.g. node.example.com)
  • your_cert_path To the path where certbot placed all your certificates (e.g. /etc/letsencrypt/live/your_domain)
  • your_IRI_port to the port that IRI is running on (default 14265)

Make sure that your_preferred_portyour_IRI_port. If you really want to use port 14265 for your node, change the port in IRI to something else, then update this file accordingly.

Now that you have completed the configuration, hit ctrl + x when using nano, and hit Y if it asks you to save changes. 
Test your configuration by running sudo nginx -t , if there are any errors, go back and fix them. Otherwise reload your nginx configuration by running:

sudo systemctl reload nginx

Step 5: Check everything is working

Now that we have completed the setup it is time to check whether everything is working correctly. 
Open up your browser and go to https://your_domain:your_preferred_port It should show you a message saying {“error”:”Invalid API Version”,”duration”:1} but more importantly you should see a green padlock in the top left corner (at least when using chrome or firefox).
You can now setup your wallet using your new secured protocol!

Conclusion

Now that you have setup your node with https, you can be assured no one will be able to see that your device is using one of the most promising crypto-technologies out there. Should you have any questions, comments or remarks, feel free to ask me.