Xahau submission node installation, utlising nginx to give webserver and endpoints, with lets encrypt TLS certificate.
This script uses the standard Xahau node install non-docker version, found here.
and supplements it with the necessary configuration to provide a TLS secured RPC and WSS endpoints using Nginx, with extra features of a landing page for easy checking, and diagnoses, all on the same domain.
- Install options for Mainnet (and Testnet)
- Supports the use of custom variables using the
xahl_node.varsfile, to adjust the setup - Saves all data from questions to .env file, so it can be used to check current settings, and also for the prompt if setup is ran again
- Detects UFW firewall & applies necessary firewall updates.
- Installs & configures Nginx
- sets up nginx so that it splits the incoming traffic to your supplied domain 5 ways
- 1.static website for allowed IPs
- 2.static website for blocked IPs
- 3.the main node websocket(accesed via the standard wss://)
- 4.any rpc traffic (when using POST for API use)
- 5.public access to .toml file
- TL;DR; you only need ONE (A record) domain pointing to this server (no need to any CNAME setups)
- Automatically detects the IPs of your ssh session, the node itself, and its local enviroment then adds them to the nginx_allowlist.conf file
- also now works behind another nginx/NPM front end see Nginx related section
- IPv6 support (auto detect by default, can be forced via .vars setting)
- adds a simple
updateto the command line, so you can update easily - Applies NIST security best practices
- sets up nginx so that it splits the incoming traffic to your supplied domain 5 ways
there is two main ways to use this script, one to clone the repo and run, and one is to run repo direct with a single commandline,
read over the following sections and when ready simply copy and paste the code snippets to your terminal window.
older versions, where the allow list needed 2 blocks, saved in /etc/nginx/sites-available/xahau WILL need backing up FIRST, (as we now have a unified allowlist file instead)
using this command, will allow you to access those, enabling you to save them else where, so you can re-input them later
sudo nano /etc/nginx/sites-available/xahau
which opens them with the nano program, or alternatively if you have MANY to save, this method can be useful as this can make scrolling/copying easier,
sudo cat /etc/nginx/sites-available/xahau
now you can either write down your ip allow list manually, or copy and paste them into another notepad,
if you only have a few, you are able to enter these within the setup script, but this is one at a time,
so if there are many, you can wait till after the setup has finished, and copy and paste them into the auto generated nginx_allowlist.conf file (using nano for example)
remembering to issue the command nginx -s reload after you alter that file
so in older versions, you would need two to three "domain names", comprising of 1 A record (using a IP) and 2 CNAMES (using names)
this build only needs ONE,
and that ONE domain can be a root domain, like youdomain.com, or a subdomain, like subdomain.yourdomain.com or say wss.yourdomain.com
this ONE domain does need to be a "A Record", so thats a domain that points to a specified IP, that IP being the public IP of your Xahau Node.
now if you have LOTS of evernodes that are already using the old sub-domain, you may choose to carry on and use the same domain as before wss.yourdomain.com
which you can of course, just make sure that it is an A Record, or its pointing to a A Record (and not another CNAME)
also, this ONE domain you use, will be the SAME domain you will then use in a browser to check your node, https://yourdomain.com, and the domain for the websocket for use in your evernode, wss://yourdomain.com
simpliest method, in a suitable enviroment, like debian or ubuntu, with at leat 2GB of RAM, and 5GB of HDD space
copy, and run this ...
sudo bash -c "$(wget -qLO - https://raw.githubusercontent.com/gadget78/xahl-node/main/setup.sh)"
setup will go through a serious of questions (in blue) and output all info along the way
one of the questions, for example, is to enter IPs that will form a "allow list" which you do one at a time, once finished, submit a blank entry to move on.
when setup is finished asking questions, and outputing progress, it will give a little info, on how to check its working etc,
also shows you where the new nginx_allowlist.conf file is. just in case you need to enter more in future (where you will need to issue command nginx -s reload after any edits)
alternative install method, so vars file can be edited before running ..
is to clone this repo, by doing these steps INSTEAD of the above...
apt install git
git clone https://github.com/gadget78/xahl-node
cd xahl-node
chmod +x *.sh
adjusting .vars file with node xahl_node.vars if needed. (see below for more details)
now install with;
`sudo ./setup.sh`
there is a xahl.node.vars file, to adjust how the setup.sh is configured, but this is only needed for advanced users
to adjust the default settings via this file, edit it using your preferred editor such as nano;
nano ~/xahl-node/xahl_node.vars
there are MANY things that can be adjusted, the main ones are;
ALWAYS_ASK- "true" true setting will force asking of questions, false will only ask questions if value is not set (in .vars or .env file) useful for re-generate files/settingINSTALL_UPDATES- "true" this setting can be used to turn off the checking/installing of linux updates, and default install packagesVARVAL_CHAIN_NAME- "mainnet" this is the main "mode" of setup, either mainnet, or testnetINSTALL_UFW- "true" chose to install or not (in enviroments that do not have UFW installed in as standard)INSTALL_CERTBOT_SSL- "true" VERY useful if you need SSL to be handled upstream, like Nginx Proxy Manager for example.INSTALL_LANDINGPAGE- "true" so you can switch off the landing page generation, if you have editing default one.INSTALL_TOML- "true" so you can switch of .toml file generation, if you have manually edited it
all the questions asked in setup, are saved in file called .env this is so they dont get altered by updateding the repo (git pull)
USER_DOMAIN- your server domain.CERT_EMAIL- email address for certificate renewals etc.TOML_EMAIL- email address for the PUBBLIC .toml file.XAHAU_NODE_SIZE- allows you to state the "size" of the node, this will change the amount of RAM, and HDD thats used.
All the domain specific config is contained in the file NGX_CONF_NEW/xahau (this and default are deleted, and recreated when running the script)
logs are held at /var/log/nginx/
and Although this works best as a dedicated host with no other nginx/proxy instances,
it can work behind another proxy instance, you may need to adjust the NGINX_PROXY_IP setting in xahl_node.vars file to the ip/subnet of your own proxy
the setup script adds 3 IPs by default to the nginx_allowlist.conf file, these are, the detected SSH IP, the external nodes IP, and the local enviroment IP.
In order to add/remove access to your node, you adjust the addresses within the nginx_allowlist.conf file
edit the nginx_allowlist.conf file with your preferred editor e.g. nano nginx_allowlist.conf.
start every line with allow, a space, and then the IP, and end the line with a semicolon.
for example
allow 127.0.0.0;
allow 192.168.0.1;
ADD : Simply add a new line with the same syntax as above,
REMOVE : Simply delete the a line.
THEN
RELOAD : for the changes to take effect you need to issue command sudo nginx -s reload
This can be done simply by entering the domain/URL into any browser.
great for diagnosis, or checking on Node remotely. as gives lots of info to check on your Nodes Health
there are two main landing pages;
one will give you either a notice that you IP is blocked, and which IP to put in the access list.
or the other if not IP blocked, will give more of a current live pull of your server details.
or following these next examples, you can test other aspects of it manually...
this option ONLY works LOCALLY on the xahau node, and is directly quering the node itself (type in the terminal;
xahaud server_info
Note: look for "server_state" : "full", and your xahaud should be working as expected.
it may be in a connected state, if just installed. Give it time.
a simple command from terminal, which can be locally on the xah node, or externally on a different terminal, a great way to test connection from your Evernode to your Xahau node,
curl -X POST -H "Content-Type: application/json" -d '{"method":"server_info"}' https://your.domain
if it works, will reply with your server info, if not, will reply with a raw html file (of your blocked page for example)
another tool to test websocket function is via node, first we check/install websocket function
npm install ws
now the command to perform, may be best to copy and paste this, then alter the wss://your.domain to the domain to test
node -e "const ws = new (require('ws'))('wss://**your.domain**'); ws.once('open', () => { console.log('WebSocket Working'); ws.close(); }).on('error', () => console.log('WebSocket Failed'));"
which will reply WebSocket working, or Websocket Failed
to test the Websocket function of your xahau node, we can use the wscat command, BUT this is not safe to install on a already exsisting/running evernode. only locally, or non-evernode terminals
Copy the following command replacing yourdomain.com with your domain you used in setup. (this can be found in the .env file)
wscat -c wss://yourdomain.com
This should open another session within your terminal, similar to the below;
Connected (press CTRL+C to quit)
>
and enter
{ "command": "server_info" }
which will return you xah node server info
from version 0.88, you can simply type
update
within the terminal to update...
any other version you can use the install method from here OK so HOW do we Install ?
OR, you can do it the older manual git method of ....
apply repo updates to your local clone,
cd ~/xahl-node
which changes your working directory to the directry where you cloned repo last time
git pull
checks for new repo updates, and pulls new updates if there is any.
if you HAVE chnaged the .vars file, you wll need to perferm a "stash" that override those setting..
git stash
then you can then perform git pull, and get the latest updates again ..
A special thanks & shout out to the following community members for their input & testing;
- This was original made possible by @inv4fee2020, which has now been Heavily modified
- @nixer89 helped with the websocket splitting
- @gadget78
- @realgo140point6
- @s4njk4n
- [Jan Žorž]{https://github.com/orgs/community/discussions/10539} for the IPv6 git hub proxy support
- @samsam
Please provide feedback on any issues encountered or indeed functionality by utilizing the relevant Github issues..