This project was created to help operate ICON P-Rep nodes. A P-Rep node operator needs ways to harden the node's network exposure. By placing Nginx in front of the node as a reverse proxy with request throttling, a P-Rep can mitigate DDoS attacks and build a whitelist-based network in which only known IP addresses reach the node.
Nginx is a web server built for performance and security. It runs one master process and several worker processes, handles connections asynchronously in an event-driven way, and so serves many concurrent connections with few threads, low CPU use and a small memory footprint. Run in reverse-proxy mode, its rate-limiting (throttle) settings absorb request floods from individual sources and its allow/deny rules implement the whitelist.
A reverse proxy accepts client requests, forwards them to the internal server and relays the response back to the client. Clients never reach the internal server directly; every access passes through the proxy, which is where rate limits, access lists and logging are enforced.
Build the image from the Dockerfile with:

```sh
$ make
```
Open docker-compose.yml in a text editor and add the following content:
```yaml
version: '3'
services:
  prep:
    image: 'iconloop/prep-node:1912090356xb1e1fe-dev'
    container_name: prep
    restart: "always"
    environment:
      LOOPCHAIN_LOG_LEVEL: "SPAM"
      ICON_LOG_LEVEL: "DEBUG"
      DEFAULT_PATH: "/data/loopchain"
      LOG_OUTPUT_TYPE: "file"
      PRIVATE_PATH: "/cert/{==YOUR_KEYSTORE or YOUR_CERTKEY FILENAME==}"
      PRIVATE_PASSWORD: "{==YOUR_KEY_PASSWORD==}"
      CERT_PATH: "/cert"
      SERVICE: "zicon"
      FASTEST_START: "yes"
      SWITCH_BH_VERSION4: 1587271
    cap_add:
      - SYS_TIME
    volumes:
      - ./data:/data
      - ./cert:/cert:ro
  nginx_throttle:
    image: 'looploy/nginx:1.17.1-1a'
    container_name: nginx_throttle
    restart: "always"
    environment:
      NGINX_LOG_OUTPUT: 'file'
      NGINX_LOG_TYPE: 'main'
      NGINX_USER: 'root'
      VIEW_CONFIG: "yes"
      USE_NGINX_THROTTLE: "yes"
      NGINX_THROTTLE_BY_IP_VAR: "$$binary_remote_addr"
      NGINX_THROTTLE_BY_URI: "no"
      NGINX_THROTTLE_BY_IP: "yes"
      NGINX_RATE_LIMIT: "700r/s"
      NGINX_BURST: "5"
      NGINX_SET_NODELAY: "no"
      GRPC_PROXY_MODE: "yes"
      USE_VTS_STATUS: "yes"
      TZ: "GMT-9"
      SET_REAL_IP_FROM: "0.0.0.0/0"
      PREP_MODE: "yes"
      NODE_CONTAINER_NAME: "prep"
      PREP_NGINX_ALLOWIP: "no"
      #PREP_NODE_LIST_API: "https://zicon.net.solidwallet/api/v3"
      NGINX_ALLOW_IP: "0.0.0.0/0"
      NGINX_LOG_FORMAT: '$$realip_remote_addr $$remote_addr $$remote_user [$$time_local] $$request $$status $$body_bytes_sent $$http_referer "$$http_user_agent" $$http_x_forwarded_for $$request_body $$server_protocol $$request_time'
    volumes:
      - ./data/loopchain/nginx:/var/log/nginx
      - ./manual_acl:/etc/nginx/manual_acl
    ports:
      - '7100:7100'
      - '9000:9000'
```
Start the stack with docker-compose:

```sh
$ docker-compose up -d
```

A few settings in the example above deserve attention before it is used as-is. `SET_REAL_IP_FROM: "0.0.0.0/0"` tells nginx's realip module to trust the real-IP header from every peer, so any client can choose the address that the rate limiter (`NGINX_THROTTLE_BY_IP_VAR: "$$binary_remote_addr"`, which the realip module rewrites along with `$$remote_addr`) and the allow list see; restrict it to the address range of the load balancer or CDN that actually sits in front of the node. `NGINX_ALLOW_IP: "0.0.0.0/0"` together with `PREP_NGINX_ALLOWIP: "no"` accepts connections from anyone; to get the whitelist-based network described at the top, set `PREP_NGINX_ALLOWIP: "yes"` and `PREP_NODE_LIST_API` so the P-Rep IP list is fetched. `NGINX_USER: 'root'` runs the worker processes as root inside the container; an unprivileged user limits what a compromised worker can do. The log format records both `$$realip_remote_addr` (the TCP peer) and `$$remote_addr` (the address after realip), which is what makes header-based rewrites auditable afterwards.
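The following script is an added example, not code from the looploy/nginx image or the ICON project. It reads access-log lines written in the `NGINX_LOG_FORMAT` above, compares `$realip_remote_addr` (the TCP peer) with `$remote_addr` (the address after the realip module), and reports every line where an address rewrite was accepted from a peer outside the ranges that should have been trusted. The log lines and address ranges are constructed for the example; with `0.0.0.0/0` nothing is ever flagged, which is exactly the problem with that setting.

```python
"""Audit nginx access-log lines for header-based client-address rewrites.

Added example, not code from the looploy/nginx image or the ICON project.
It assumes the NGINX_LOG_FORMAT used in docker-compose.yml above, whose
first two fields are $realip_remote_addr (the TCP peer nginx accepted the
connection from) and $remote_addr (the client address after the realip
module applied set_real_ip_from / real_ip_header). The log lines and the
address ranges below are constructed for the example.
"""
import ipaddress
import re

# Only the leading fields are parsed: $request and $request_body later in
# the line contain spaces, so splitting the whole line on whitespace is
# unreliable.
LINE_RE = re.compile(
    r"^(?P<peer>\S+) (?P<client>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "
)

# Constructed sample. Lines 1-2 arrived through a load balancer at 10.0.0.5;
# line 3 came straight from 198.51.100.9 carrying a forged X-Forwarded-For,
# which nginx honoured because SET_REAL_IP_FROM was 0.0.0.0/0 when the log
# was written.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.7 - [09/Dec/2019:03:56:00 +0900] POST /api/v3 HTTP/1.1 200 312 - "curl/7.64.1" 203.0.113.7 {"jsonrpc":"2.0"} HTTP/1.1 0.004
10.0.0.5 10.0.0.5 - [09/Dec/2019:03:56:00 +0900] GET /api/v1/status/peer HTTP/1.1 200 88 - "python-requests/2.22" - - HTTP/1.1 0.002
198.51.100.9 203.0.113.7 - [09/Dec/2019:03:56:01 +0900] POST /api/v3 HTTP/1.1 200 312 - "curl/7.64.1" 203.0.113.7 {"jsonrpc":"2.0"} HTTP/1.1 0.003
"""


def parse_line(line):
    """Return ($realip_remote_addr, $remote_addr) from one access-log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unrecognised log line: %r" % line[:60])
    return m.group("peer"), m.group("client")


def is_trusted(addr, trusted_cidrs):
    """True if addr lies inside one of the set_real_ip_from ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_cidrs)


def audit(log_text, trusted_cidrs):
    """Classify each line against the ranges that SHOULD be trusted.

    direct    : no rewrite; the rate-limit key was the real TCP peer
    rewritten : the address came from a header sent by a trusted proxy
    spoofable : the address came from a header sent by an untrusted peer,
                i.e. the client picked its own rate-limit / allow-list identity
    """
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer, client = parse_line(line)
        if peer == client:
            verdict = "direct"
        elif is_trusted(peer, trusted_cidrs):
            verdict = "rewritten"
        else:
            verdict = "spoofable"
        verdicts.append((peer, client, verdict))
    return verdicts


def count_spoofable(log_text, trusted_cidrs):
    """Number of lines whose client address was set by an untrusted peer."""
    return sum(1 for _, _, v in audit(log_text, trusted_cidrs) if v == "spoofable")


if __name__ == "__main__":
    for cidrs in (["0.0.0.0/0"], ["10.0.0.0/8"]):
        print("set_real_ip_from", " ".join(cidrs))
        for peer, client, verdict in audit(SAMPLE_LOG, cidrs):
            print("  %-14s -> %-14s %s" % (peer, client, verdict))
```

Run it against `./data/loopchain/nginx/access.log` with the CIDR of the real front-end proxy: any `spoofable` line means the rate-limit bucket and allow/deny decision for that request were keyed on an address the client chose.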
Environment variable | Description | Default value | Allowed value
---|---|---|---
TRACKER_IPLIST | IP addresses the tracker uses to monitor the P-Rep | 15.164.151.101 15.164.183.120 52.79.145.149 54.180.178.129 |
ENDPOINT_IPLIST | ICON endpoint IP addresses | 18.176.140.116 3.115.235.90 15.164.9.144 52.79.53.18 100.20.198.12 100.21.153.11 3.232.240.113 35.173.107.66 18.162.69.96 18.162.80.224 18.140.251.111 18.141.27.125 58.234.156.141 58.234.156.140 210.180.69.103 |
PREP_NGINX_ALLOWIP | no: accept connections from anyone. yes: restrict nginx to the whitelist of P-Rep node IPs | no | (yes/no)
PREP_MODE | P-Rep mode: whitelist-based nginx configuration | no | (yes/no)
NODE_CONTAINER_NAME | container name used to reach the prep container | prep |
PREP_LISTEN_PORT | listen port for the P-Rep RPC API | 9000 |
PREP_PROXY_PASS_ENDPOINT | prep container name used as the proxy_pass target for the RPC API (required when PREP_MODE is yes) | http |
PREP_NODE_LIST_API | endpoint API URL from which the P-Rep IP whitelist is fetched (required) | ${PREP_PROXY_PASS_ENDPOINT}/api/v3 |
PREP_AVAIL_API | URL used to check that the P-Rep is available | http://localhost:9000/api/v1/status/peer |
CONTAINER_GW | container gateway address, required to reach the host loopback | `ip route \| grep default` |
USE_DOCKERIZE | render the configuration with Go templates | yes | (yes/no)
VIEW_CONFIG | print the generated configuration at launch | no | (yes/no)
UPSTREAM | upstream setting | localhost |
DOMAIN | domain setting | localhost |
LOCATION, ADD_LOCATION | additional location settings | |
WEBROOT | web root | /var/www/public |
NGINX_EXTRACONF | additional configuration directives | |
USE_DEFAULT_SERVER | enable nginx's default server configuration | no |
USE_DEFAULT_SERVER_CONF | nginx default server configuration | |
NGINX_USER | user the nginx worker processes run as | www | e.g. wwwdata
NGINX_SET_NODELAY | serve burst requests immediately instead of delaying them (limit_req nodelay) | no | (yes/no)
WEB_SOCKET_URIS | URIs for which nginx acts as a WebSocket proxy | /api/ws/* /api/node/* |
NUMBER_PROC | worker_processes count | $(nproc) | up to the number of CPUs
WORKER_CONNECTIONS | worker_connections | 4096 |
GRPC_LISTEN_PORT | gRPC listen port | 7100 |
LISTEN_PORT | listen port (follows GRPC_LISTEN_PORT) | ${GRPC_LISTEN_PORT} |
SENDFILE | nginx sendfile | on |
SERVER_TOKENS | nginx server_tokens (off hides the version in headers and error pages) | off |
KEEPALIVE_TIMEOUT | keepalive_timeout | 65 |
KEEPALIVE_REQUESTS | keepalive_requests | 15 |
TCP_NODELAY | tcp_nodelay | on |
TCP_NOPUSH | tcp_nopush | on |
CLIENT_BODY_BUFFER_SIZE | client_body_buffer_size | 3m |
CLIENT_HEADER_BUFFER_SIZE | client_header_buffer_size | 16k |
CLIENT_MAX_BODY_SIZE | client_max_body_size | 100m |
FASTCGI_BUFFER_SIZE | fastcgi_buffer_size | 256K |
FASTCGI_BUFFERS | fastcgi_buffers | 8192 4k |
FASTCGI_READ_TIMEOUT | fastcgi_read_timeout | 60 |
FASTCGI_SEND_TIMEOUT | fastcgi_send_timeout | 60 |
TYPES_HASH_MAX_SIZE | types_hash_max_size | 2048 |
NGINX_LOG_TYPE | log format type | default | (json/default)
NGINX_LOG_FORMAT | custom log_format string | '$realip_remote_addr $remote_addr |
NGINX_LOG_OUTPUT | log destination | file | stdout, file or off
NGINX_LOG_OPTION | JSON logging option | escape=none | escape=json, escape=none
USE_VTS_STATUS | enable VTS (virtual host traffic status) monitoring | yes | (yes/no)
USE_NGINX_STATUS | enable nginx status monitoring | yes | (yes/no)
NGINX_STATUS_URI | nginx_status URI | nginx_status |
NGINX_STATUS_URI_ALLOWIP | only this address may request the nginx_status URI | 127.0.0.1 |
USE_PHP_STATUS | enable the php status page | no | (yes/no)
PHP_STATUS_URI | php_status URI | php_status |
PHP_STATUS_URI_ALLOWIP | only this address may request the php_status URI | 127.0.0.1 |
PRIORTY_RULE | which of the allow/deny rules takes priority | allow |
NGINX_ALLOW_IP | administrator IP addresses allowed to reach the detailed monitoring | |
NGINX_DENY_IP | | |
NGINX_LOG_OFF_URI | | |
NGINX_LOG_OFF_STATUS | | |
DEFAULT_EXT_LOCATION | extension location setting (~/.jsp, ~/.php) | php |
PROXY_MODE | gRPC proxy mode | no | (yes/no)
GRPC_PROXY_MODE | gRPC proxy mode | no | (yes/no)
USE_NGINX_THROTTLE | enable rate limiting | no | (yes/no)
NGINX_THROTTLE_BY_URI | URI-based rate limiting | no | (yes/no)
NGINX_THROTTLE_BY_IP | IP-based rate limiting | no | (yes/no)
NGINX_THROTTLE_BY_IP_VAR | nginx variable used as the rate-limit key. `$http_true_client_ip` is a request header, so it is only a safe key behind a CDN or proxy that sets it; otherwise a client can pick its own bucket | '$http_true_client_ip' |
PROXY_PASS_ENDPOINT | proxy_pass endpoint for gRPC | grpc |
NGINX_ZONE_MEMORY | shared memory zone size for limit_req_zone | 10m |
NGINX_RATE_LIMIT | rate limit per key | 100r/s |
NGINX_BURST | maximum number of excess requests queued (delayed) before further ones are rejected; with 10, the 11th excess request is rejected | 10 |
SET_REAL_IP_FROM | networks trusted to set the real client IP via header (set_real_ip_from); 0.0.0.0/0 trusts every peer | 0.0.0.0/0 |
IS_BAN_CTRL | | false |
SLACK | | |
NGINX_PROXY_TIMEOUT | proxy timeout | 90 |
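To see how `NGINX_RATE_LIMIT`, `NGINX_BURST` and `NGINX_SET_NODELAY` combine, here is an added example, not code from the looploy/nginx image: a small model of the leaky-bucket arithmetic used by nginx's `ngx_http_limit_req_module` (excess tracked in thousandths of a request, drained at the configured rate, the first request for a key never counted as excess). It is a model of the documented behaviour, not nginx itself; the key is whatever `NGINX_THROTTLE_BY_IP_VAR` expands to, here a plain client-address string, and the request timestamps are constructed.

```python
"""Model of nginx limit_req for NGINX_RATE_LIMIT, NGINX_BURST and NGINX_SET_NODELAY.

Added example, not code from the looploy/nginx image. It re-implements the
leaky-bucket arithmetic of nginx's ngx_http_limit_req_module so the effect
of burst and nodelay can be seen offline; treat it as a model of the
documented behaviour rather than as nginx. Keys and timestamps below are
constructed for the example.
"""


def parse_rate(value):
    """Parse an NGINX_RATE_LIMIT value such as '700r/s' or '30r/m' into
    thousandths of a request per second, the unit nginx stores internally."""
    if value.endswith("r/s"):
        return int(value[:-3]) * 1000
    if value.endswith("r/m"):
        return int(value[:-3]) * 1000 // 60
    raise ValueError("rate must end in r/s or r/m: %r" % value)


class LimitReq:
    """One limit_req_zone plus its limit_req burst/nodelay parameters."""

    def __init__(self, rate, burst, nodelay=False):
        self.rate = parse_rate(rate)     # thousandths of a request per second
        self.burst = burst * 1000        # allowed excess, same unit
        self.nodelay = nodelay
        self.state = {}                  # key -> (excess, last_ms)

    def request(self, key, now_ms):
        """Return (status, delay_ms) for one request.

        status is 'ok' (served now), 'delayed' (queued for delay_ms, the
        NGINX_SET_NODELAY=no behaviour) or 'rejected' (503 by default).
        """
        if key not in self.state:
            excess = 0                   # first request of a key is never excess
        else:
            prev_excess, last = self.state[key]
            elapsed = max(0, now_ms - last)
            # drain what the rate allows for the elapsed time, then add this request
            excess = max(0, prev_excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return "rejected", 0         # bucket is not updated for rejected requests
        self.state[key] = (excess, now_ms)
        if excess == 0 or self.nodelay:
            return "ok", 0
        return "delayed", excess * 1000 // self.rate


def simulate(rate, burst, nodelay, events):
    """Run a list of (key, time_ms) events through one zone; return the statuses."""
    zone = LimitReq(rate, burst, nodelay)
    return [zone.request(key, t)[0] for key, t in events]


if __name__ == "__main__":
    # seven requests from one address in the same millisecond, then one 10 ms later
    burst_events = [("203.0.113.7", 0)] * 7 + [("203.0.113.7", 10)]
    for nodelay in (False, True):
        print("700r/s burst=5 nodelay=%s:" % ("yes" if nodelay else "no"),
              simulate("700r/s", 5, nodelay, burst_events))
    # a second address is unaffected, because the key is the client address
    print("two clients, burst=0:", simulate("700r/s", 0, False, [("a", 0), ("b", 0), ("a", 0)]))
```

With the compose values (`700r/s`, burst 5, nodelay no) a client that fires seven requests at once gets one served immediately, five queued with growing delays, and the seventh rejected; 10 ms later the bucket has drained and the next request is served. With `NGINX_SET_NODELAY: "yes"` the same six are served immediately and the seventh is still rejected, so nodelay changes latency, not the ceiling. Note that the limit is per key: whoever controls the key (see `SET_REAL_IP_FROM` and `NGINX_THROTTLE_BY_IP_VAR` above) controls which bucket they land in.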