How to secure your ARK.io nodes with SSL and protect them from DDoS with Cloudflare and Nginx.

When I set up the delegate and failover nodes for arkoar.group, I wanted DDoS protection from Cloudflare, and I also wanted my API requests to be made over a secure SSL connection so that there would be no mixed-content issues when working with the APIs from the client side.

Here’s how I did it using Ubuntu 16.04LTS and Nginx.

Install Nginx on your ark-node or ark-go-server

sudo apt-get install nginx

Edit your nginx config

sudo vim /etc/nginx/sites-enabled/default

Copy the following code and paste it in

Make sure to edit the server names.

# HTTPS proxy for the service listening on local port 54000
server {
    listen 443 ssl;    # replaces the deprecated "ssl on;" directive
    server_name pool.yoursite.com;
    ssl_certificate /etc/nginx/ssl/ark.crt;
    ssl_certificate_key /etc/nginx/ssl/ark.key;
    ssl_verify_client off;
    # TLS 1.0/1.1 and 3DES are deprecated, so only TLS 1.2 with AES/ChaCha20 is offered
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Pass the connecting address and original Host header to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:54000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}
# HTTPS proxy for the service listening on local port 4001
server {
    listen 443 ssl;    # replaces the deprecated "ssl on;" directive
    server_name node.yoursite.com;
    ssl_certificate /etc/nginx/ssl/ark.crt;
    ssl_certificate_key /etc/nginx/ssl/ark.key;
    ssl_verify_client off;
    # TLS 1.0/1.1 and 3DES are deprecated, so only TLS 1.2 with AES/ChaCha20 is offered
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Pass the connecting address and original Host header to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4001/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Log in to your Cloudflare dashboard and click on the DNS button

Add an A record for each API you would like to secure

Then click on Crypto

Scroll down to Origin Certificate and click create certificate

When it creates the two keys for you, make sure you don’t close the window.

Head back to your terminal

sudo mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
sudo touch ark.crt ark.key
sudo chmod 600 ark.key

The Private Key should be copied to ark.key and the Certificate should be in ark.crt

sudo service nginx restart

If everything starts up properly, you should now be able to open your browser and reach your APIs over SSL, with the added bonus of DDoS protection from Cloudflare.

If you get an error, run the following command to help troubleshoot nginx.

sudo nginx -t -c /etc/nginx/nginx.conf
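If nginx refuses to load the certificate, check that the two blocks copied from the Cloudflare window ended up in the right files and belong together. The script below is an added example, not part of the original post; the function name check_origin_pair and its return codes are made up for illustration, and it assumes bash and the openssl command-line tool are installed.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a pasted certificate/key pair for nginx.
# Return codes (chosen for this example): 0 ok, 1 missing/empty, 2 wrong PEM type,
# 3 key accessible to group/other, 4 certificate and key do not belong together.
check_origin_pair() {
    local crt=$1 key=$2 perms cert_pub key_pub

    # `touch` leaves empty files; nginx cannot load them.
    if [ ! -s "$crt" ] || [ ! -s "$key" ]; then
        echo "missing or empty: $crt / $key" >&2; return 1
    fi

    # Catch the two blocks being pasted into the wrong files.
    if ! grep -q -- '^-----BEGIN CERTIFICATE-----' "$crt" ||
       ! grep -q -- '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key"; then
        echo "unexpected PEM type (files swapped?)" >&2; return 2
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -lL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key is accessible to group/other; chmod 600 it" >&2; return 3
    fi

    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2; return 4
    fi
    echo "ok: $crt matches $key"
}

# Usage: sudo bash check_pair.sh /etc/nginx/ssl/ark.crt /etc/nginx/ssl/ark.key
if [ "$#" -eq 2 ]; then check_origin_pair "$1" "$2"; fi
```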

If you appreciate this content and would like to see more, vote for our delegate node arkoar.group to support and improve the ARK.io ecosystem.