Sample nginx config for HTTP to HTTPS proxying (#49)

rtilder · web-flow · commit 7ea34329f822 · 2021-09-07T16:18:13.000-04:00
Sample nginx config for HTTP to HTTPS proxying

Needed for validator providers who have authentication requirements to
use their services.
diff --git a/doc/https-for-rpc-providers.md b/doc/https-for-rpc-providers.md
@@ -0,0 +1,77 @@
+# HTTPS connections to RPC providers
+
+The pyth-client code does not have native TLS support to connect to various RPC providers that require HTTPS connections in order to safeguard authentication credentials that a customer requires to access their services.
+
+This lack will be remedied in a future release but in order to address the problem, we have provided some example `nginx` configurations for three providers as well as a wrapper configuration that will permit a developer or operations tech to run `nginx` locally without superuser privileges and on high numbered ports.  The configurations as provided expose the following ports and map to the following providers:
+
+| Port number | Provider | protocol notes |
+| ---- | ------------ | ------------------------------- |
+| 7800 | Blockdaemon | websocket only |
+| 7900 | Blockdaemon | HTTP RPC and websocket |
+| 7801 | Figment | websocket only |
+| 7901 | Figment | HTTP RPC and websocket |
+| 7802 | TritonOne | websocket only |
+| 7902 | TritonOne | HTTP RPC and websocket |
+
+## Running `nginx` as a standalone, unprivileged process
+
+1. Make sure `nginx` is installed on your machine, in your VM or, in your container.
+2. Clone a copy of this repository or copy the `nginx-configs` directory to the machine in question.
+3. `cd doc/nginx-configs`
+4. In `standalone-dev-nginx.conf` replace `127.0.0.1` with the appropriate DNS resolver for your network, if necessary.  This can usually be retrived via `grep nameserver /etc/resolv.conf`.
+5. For the RPC provider(s) which you are using, be sure to replace `YOUR_SERVER` and `REPLACE_ME_WITH_YOUR_AUTH_TOKEN` in the appropriate configuration file.
+6. You can then run `nginx` as with the command `nginx -c $(pwd)/standalone-dev-nginx.conf -g 'daemon off;'`
+
+An example follows.
+
+```
+[pyth@pyth-dev-vm nginx-configs]$ nginx -c $(pwd)/standalone-dev-nginx.conf -g 'daemon off;'
+nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
+
+^C
+[pyth@pyth-dev-vm nginx-configs]$ 
+```
+
+There are a few caveats.
+
+1. On most Linux distributions, the error shown above about `/var/log/nginx/error_log` failing to open is normal.  It's a hardcoded default for most builds.  It can be safely ignored.
+2. The full, absolute path must be provided for the configuration file.  Any relative paths are assumed to be relative to `nginx`'s application data directory (usually `/usr/share/nginx/...`).
+
+You can test any of the HTTP RPC interface for the providers with the following command line.  Replace `<PORT NUMBER>` with one of the port numbers in the table above.
+
+`curl http://localhost:<PORT NUMBER> -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","id":1,"method":"getHealth"}'`
+
+An example of the output expected:
+
+```
+[pyth@pyth-dev-vm nginx-configs]$ curl http://localhost:7901 -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","id":1,"method":"getHealth"}'
+{"jsonrpc":"2.0","result":"ok","id":1}
+[pyth@pyth-dev-vm nginx-configs]$ 
+```
+
+You can test any of the websocket interface for the providers with the following command line.  Replace `<PORT NUMBER>` with one of the port numbers in the table above.
+
+`curl --include --no-buffer --header "Connection: Upgrade" --header "Upgrade: websocket" --header "Host: api.mainnet-beta.solana.com" --header "Origin: https://api.mainnet-beta.solana.com" --header "Sec-WebSocket-Key: abcdefghijklmnop==" --header "Sec-WebSocket-Version: 13" http://localhost:<PORT NUMBER>/`
+
+An example to test the websocket interface:
+
+```
+[pyth@pyth-dev-vm nginx-configs]$ curl --include \
+    --no-buffer \
+    --header "Connection: Upgrade" \
+    --header "Upgrade: websocket" \
+    --header "Host: api.mainnet-beta.solana.com" \
+    --header "Origin: https://api.mainnet-beta.solana.com" \
+    --header "Sec-WebSocket-Key: abcdefghijklmnop==" \
+    --header "Sec-WebSocket-Version: 13" \
+    http://localhost:7801/
+HTTP/1.1 101 Switching Protocols
+upgrade: websocket
+connection: Upgrade
+sec-websocket-accept: FX/kNn6LL8gnqQea2uak6E6sPOU=
+
+^C
+[pyth@pyth-dev-vm nginx-configs]$ 
+```
+
+The virtual server configurations found in `nginx-configs/...` are meant as a sample to be used reference material.  Each `nginx` installation will require tweaking and fine tuning if it varies much from the software provided.
diff --git a/doc/nginx-configs/blockdaemon-virt-server-config.conf b/doc/nginx-configs/blockdaemon-virt-server-config.conf
@@ -0,0 +1,68 @@
+#
+# Blockdaemon configuration snippet
+#
+# Can be included directly in /etc/nginx/sites-available/ (Debian based distros)
+# or /etc/nginx/conf.d/ (Red Hat based distros)
+#
+# YOUR_SERVER and REPLACE_ME_WITH_YOUR_AUTH_TOKEN should be replaced with the
+# appropriate values for your organization
+#
+
+# Blockdaemon with bearer token authentication
+server {
+    listen 7900;
+
+    location / {
+        try_files /nonexistent-used-for-try-testing @$http_upgrade;
+    }
+
+    location @websocket {
+        # Cheat a little to make sure we don't have a trailing slash on the
+        # path or we get a 405 response (method not allowed)
+        proxy_pass https://YOUR_SERVER-solana-01.bdnodes.net/$http_upgrade;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        # websocket requirements
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        # Blockdaemon specific authentication requirement
+        proxy_set_header Authorization "Bearer REPLACE_ME_WITH_YOUR_AUTH_TOKEN";
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+
+    location @ {
+        proxy_pass https://YOUR_SERVER-solana-01.bdnodes.net$request_uri;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        # HTTP v.1.1 keepalive requirements
+        proxy_set_header Connection "";
+        # Blockdaemon specific authentication requirement
+        proxy_set_header Authorization "Bearer REPLACE_ME_WITH_YOUR_AUTH_TOKEN";
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+}
+
+#
+# This is a separate port for handling only websocket connections that some developers
+# have found greatly eases debugging.  It provides the same functionality as the first
+# location stanza in the virtual server above.
+#
+
+server {
+    listen 7800;
+
+    location / {
+        proxy_pass https://YOUR_SERVER-solana-01.bdnodes.net/websocket;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        # websocket requirements
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        # Blockdaemon specific authentication requirement
+        proxy_set_header Authorization "Bearer REPLACE_ME_WITH_YOUR_AUTH_TOKEN";
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+}
diff --git a/doc/nginx-configs/figment-virt-server-config.conf b/doc/nginx-configs/figment-virt-server-config.conf
@@ -0,0 +1,64 @@
+#
+# Figment configuration snippet
+#
+# Can be included directly in /etc/nginx/sites-available/ (Debian based distros)
+# or /etc/nginx/conf.d/ (Red Hat based distros)
+#
+# YOUR_SERVER and REPLACE_ME_WITH_YOUR_AUTH_TOKEN should be replaced with the
+# appropriate values for your organization
+#
+
+# Figment RPC & websocket with auth
+server {
+    listen 7901;
+
+    location / {
+        try_files /nonexistent-used-for-try-testing @$http_upgrade;
+    }
+
+    location @websocket {
+        proxy_pass https://solana--mainnet.datahub.figment.io$request_uri;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        # websocket requirements
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        # Figment specific authentication requirement
+        proxy_set_header Authorization REPLACE_ME_WITH_YOUR_AUTH_TOKEN;
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+
+    location @ {
+        proxy_pass https://solana--mainnet.datahub.figment.io$request_uri;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        proxy_set_header Connection "";
+        # Figment specific authentication requirement
+        proxy_set_header Authorization REPLACE_ME_WITH_YOUR_AUTH_TOKEN;
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+}
+
+#
+# This is a separate port for handling only websocket connections that some developers
+# have found greatly eases debugging.  It provides the same functionality as the first
+# location stanza in the virtual server above.
+#
+
+server {
+    listen 7801;
+    location / {
+        proxy_pass https://solana--mainnet.datahub.figment.io;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        # websocket requirements
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        # Figment specific authentication requirement
+        proxy_set_header Authorization REPLACE_ME_WITH_YOUR_AUTH_TOKEN;
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+}
diff --git a/doc/nginx-configs/standalone-dev-nginx.conf b/doc/nginx-configs/standalone-dev-nginx.conf
@@ -0,0 +1,41 @@
+#
+# This config file exists to be able to run nginx as an non-root user
+# on high numbered ports.  It will include the config files for the
+# individual RPC publishers located in this directory.
+#
+
+worker_processes  4;
+
+events {
+    worker_connections  1024;
+}
+
+pid /tmp/nginx.pid;
+# Replace error with debug if you want much more detailed information
+error_log /tmp/error_log error;
+
+http {
+    proxy_temp_path /tmp/proxy_temp;
+    client_body_temp_path /tmp/client_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    access_log /tmp/access_log;
+
+    default_type  application/octet-stream;
+    include /etc/nginx/mime.types;
+
+    sendfile on;
+
+    proxy_cache_path /tmp/proxy_cache_temp levels=1:2 keys_zone=one:10m;
+
+    # Maximum 32bit integer value
+    keepalive_requests 2147483647;
+    keepalive_timeout 65;
+
+    # FIXME   Replace with whatever your /etc/resolv.conf contains
+    resolver 127.0.0.1;
+
+    include ./*-virt-server-config.conf;
+}
diff --git a/doc/nginx-configs/triton-one-virt-server-config.conf b/doc/nginx-configs/triton-one-virt-server-config.conf
@@ -0,0 +1,71 @@
+#
+# TritonOne configuration snippet
+#
+# Can be included directly in /etc/nginx/sites-available/ (Debian based distros)
+# or /etc/nginx/conf.d/ (Red Hat based distros)
+#
+# YOUR_SERVER and REPLACE_ME_WITH_YOUR_AUTH_TOKEN should be replaced with the
+# appropriate values for your organization
+#
+
+# TritonOne RPC & websocket
+server {
+    listen 7902;
+
+    location / {
+        try_files /nonexistent-used-for-try-testing @$http_upgrade;
+    }
+
+    location @websocket {
+        # With authentication
+        proxy_pass https://YOUR_SERVER.rpcpool.com/REPLACE_ME_WITH_YOUR_AUTH_TOKEN$request_uri;
+
+        # Without authentication, i.e. IP allow listed
+        #proxy_pass https://YOUR_SERVER.rpcpool.com$request_uri;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        # websocket requirements
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+
+    location @ {
+        # With authentication
+        proxy_pass https://YOUR_SERVER.rpcpool.com/REPLACE_ME_WITH_YOUR_AUTH_TOKEN$request_uri;
+
+        # Without authentication, i.e. IP allow listed
+        #proxy_pass https://YOUR_SERVER.rpcpool.com$request_uri;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        proxy_set_header Connection "";
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+}
+
+#
+# This is a separate port for handling only websocket connections that some developers
+# have found greatly eases debugging.  It provides the same functionality as the first
+# location stanza in the virtual server above.
+#
+
+server {
+    listen 7802;
+
+    location / {
+        # With authentication
+        proxy_pass https://YOUR_SERVER.rpcpool.com/REPLACE_ME_WITH_YOUR_AUTH_TOKEN;
+
+        # Without authentication, i.e. IP allow listed
+        #proxy_pass https://YOUR_SERVER.rpcpool.com;
+        proxy_http_version 1.1;
+        proxy_set_header Host $proxy_host;
+        # websocket requirements
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_redirect https://$proxy_host http://$server_name:$server_port;
+        proxy_redirect https:// http://;
+    }
+}
