A small Web Application Firewall for Waves nodes
Web Application Firewall for Waves nodes

This tool is a small and lightweight WAF for Waves nodes. Its main goal is to filter requests both to the Web Service endpoints and to the Swagger UI provided by nodes. It can therefore be configured so that endpoints needed for administering and monitoring a node, e.g. /blocks/height, remain reachable, while other endpoints, e.g. /waves/payment, are no longer accessible.

Be careful: installing this tool does not provide perfect security (no tool can), so you still need to take other security measures, among them secure passwords, a secure apiKey and a secure walletPassword.

The following describes both the installation and the configuration of the tool.

Installation of the WavesWAF

Since the tool is written in NodeJS, a reasonably recent NodeJS version needs to be installed first, along with some other necessary tools such as npm (the NodeJS package manager). On Debian/Ubuntu based distributions this can be done with:

$ sudo apt-get install git nodejs nodejs-legacy npm

Afterwards, clone the repository of the WavesWAF:

$ git clone https://github.com/wavesplatform/waveswaf.git

After the repository has been cloned successfully, change into the newly created directory waveswaf. In this directory, create a new subdirectory node_modules in which the dependencies of the tool will be installed, using the following commands:

$ mkdir node_modules
$ npm install

This step finalizes the installation of the tool.

Configuration of the WAF

The configuration of the tool is twofold. On the one hand, the WAF itself needs to be configured to open the Web Service endpoints that should later be reachable. On the other hand, the Waves node needs to be configured so that it is only reachable on localhost, in order to prevent access from the outside world.

Configuration of accessible Web Service endpoints

The WavesWAF provides an easy to edit configuration file, filterConfig.json. This file is a simple JSON array in which you define the Web Service endpoints that should be reachable, along with the HTTP method. In the standard configuration, the WAF allows access to the /blocks/height and /node/version endpoints via an HTTP GET request:

[
    {
        "method": "GET",
        "path": "/blocks/height"
    },
    {
        "method": "GET",
        "path": "/node/version"
    }
]

In order to open other Web Service endpoints, just follow the pattern of the examples in the config file and add new JSON objects to the array. For example, if you additionally want to allow stopping your node remotely, you could add an object with the path /node/stop and the method POST to the configuration file as follows:

[
    {
        "method": "GET",
        "path": "/blocks/height"
    },
    {
        "method": "GET",
        "path": "/node/version"
    },
    {
        "method": "POST",
        "path": "/node/stop"
    }
]

Finally, once the WAF is configured, it can be started with (note the & that moves the process to the background):

node app.js &

Configuration of the Waves node

In order to ensure that the node is no longer reachable from the outside, a few minor configuration changes need to be made. Basically, the following three steps should be performed in the waves-testnet.json file:

  • Change the RPC port the node is running on: set the rpcPort variable to 6870. This is only strictly necessary if the allowed Web Service endpoints should remain available on the standard port 6869, which is the default port of the WAF.
  • Restrict the node to bind only to localhost for RPC requests: set rpcAddress to "127.0.0.1".
  • Allow RPC requests only from localhost: last but not least, set the rpcAllowed variable to ["127.0.0.1"].