[Ethereum] How to one secure Web3 JSON-RPC API endpoint

dapp-developmentgo-ethereumprivate-blockchainSecurityweb3js

When using geth as client and web3(javascript api) to interact with it through a web browser, other nodes in the network can access the client given the IP and the port on which the client is running.

How can this be prevented?

How can the access be restricted to the node(computer) running the client and not the others in the same network?

the flow is as follows

Browser(user)—–>Server(running the node)——>GETH

the first link is http and the second link is rpc. the http link makes it possible for other computers to access my node which is to be stopped.

Only the node(computer) running the geth client should access the geth client.

Best Answer

This can be prevented by introducing a middleware, which will talk to your geth node and let your UI talk to the middleware instead of talking to geth node directly.

I faced a similar issue and I solved it by creating a middleware in Node.js

With this, your geth node won't be exposed to the public and that saves us from some security issues.

You can check this project for reference - https://github.com/Imaginea/lms

Related Solutions

[Ethereum] What are best practices for serving a DApp over HTTPS, connecting to an Ethereum node using JSON RPC / web3.js, which by default uses HTTP

The answer is you don't. Now I know you probably don't want to hear this but the HTTP JSON RPC was never meant to be used in such a way that it should be accessible from the outside. The RPC was brought in to existence so that you may develop against your own local node using your own browser.

What I suggest you do is that you setup a proxy that will proxy all requests to the locally running ethereum node instead of letting everyone directly interface with the ethereum node itself. This will give you controlled access and HTTPS.

[Ethereum] How to expose Geth’s RPC server to external connections

You can easily and securely create an SSH tunnel to your ETH Node from the application server. This way, the ETH node is fooled into believing that the connection is from localhost and you can ensure that only the holder of a private key can access.

This is a link to instructions on how to setup certificate based authentication

It is important to setup certificate authentication because else you can not automate the process.

Once you have set that up you can create a tunnel by running a command like:

ssh -f -N -L 9545:localhost:8545 remoteUser@remotehost.remotedomain.tld

The port numbers are different in my example, in order for the reader to be able to tell them apart. There is absolutely no other reason to make them different.

Once this command has been issued all traffic to port 9545 on localhost will be forwarded to remotehost.remotedomain.tld:8545 which will consider it to have originated from localhost and be targeted at localhost:8545

This way, you can keep your ETH node behind a firewall and not open it up to the world but still centralize the functionality.

In order to use this in production, you will have to solve the issue of disconnecting SSH sessions.

The simple solution is configuration
A more advanced solution is to run a script in an infinite loop as described here

Best Answer

Related Solutions

[Ethereum] What are best practices for serving a DApp over HTTPS, connecting to an Ethereum node using JSON RPC / web3.js, which by default uses HTTP

[Ethereum] How to expose Geth’s RPC server to external connections

Related Topic