Cloudflare DDoS Protection

When running an Mainsail node, especially a Valdiator Node, you should consider your server’s security as your main priority.

Warning

During this guide, we will configure network and SSH parameters, which if improperly performed might permanently lock you out of your server. Ensure you fully understand each step before proceeding.

DDOS Protection With Cloudflare

In this section, we’re going to setup Cloudflare and SSL for DDoS protection and security using Nginx as a reverse proxy.

Install Nginx

1sudo apt-get install nginx

Edit Nginx Config

1sudo nano /etc/nginx/sites-enabled/default

Paste in the following config, making sure you edit the server_name and proxy_pass. You may need to change ssl_certificate and ssl_certificate_key if you name your files something different.

File: /etc/nginx/enabled-sites/default

1# HTTPS
2server {
3 listen 443 ssl;
4 server_name node.yoursite.com;
5 ssl_certificate /etc/nginx/ssl/mainsail.crt;
6 ssl_certificate_key /etc/nginx/ssl/mainsail.key;
7 ssl_verify_client off;
8 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
9 ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
10 ssl_prefer_server_ciphers on;
11 location / {
12 proxy_set_header X-Real-IP $remote_addr;
13 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
14 proxy_set_header X-NginX-Proxy true;
15 proxy_pass http://localhost:4001/;
16 proxy_ssl_session_reuse off;
17 proxy_set_header Host $http_host;
18 proxy_cache_bypass $http_upgrade;
19 proxy_redirect off;
20 }
21}

Press CTRL+X to exit the file, Y to save the file, and ENTER to write to the file and return to the command line.

Cloudflare / SSL Setup

Login to your Cloudflare dashboard and click on the DNS button.

Then go to Crypto.

Scroll down to Origin Certificates and click the Create Certificate button. Keep this window open after Cloudflare generates your two keys.

Open Terminal on your Mainsail node server

We need to create a new folder and copy our keys to our server.

1mkdir /etc/nginx/ssl
2cd /etc/nginx/ssl
3touch mainsail.crt mainsail.key

Copy the PRIVATE KEY to the file mainsail.key and the CERTIFICATE to mainsail.crt.

Start Nginx

1sudo service nginx start

If everything started fine, you should be able to access your Mainsail node APIs behind SSL. Giving you the bonus of Cloudflare DDOS protection.

Otherwise, if you get any errors run the following command to troubleshoot nginx.

1sudo nginx -t -c /etc/nginx/nginx.conf

Conclusion

Your node is now very secure. With this setup, you can open and close your SSH port remotely using a secret knocking technique as well as sign in using cryptographic keys.

Last updated 9 months ago
Edit Page
Share: