diff --git a/docs/integration-guides/websockets.md b/docs/integration-guides/websockets.md index da7d3f736..b7b7e1e2f 100644 --- a/docs/integration-guides/websockets.md +++ b/docs/integration-guides/websockets.md @@ -46,19 +46,8 @@ With the above configuration, localhost clients should connect to `ws://[::1]:70 ### Secure WebSockets -Support for `wss://` is available as of V23.0 by including the `NANO_SECURE_RPC` cmake cache flag set to `ON` when building the node and adding the `config-tls.toml` file with: - -```toml -enable_https=true -enable_wss=true -verbose_logging=true -server_cert_path="/node/server.cert.pem" -server_key_path="/node/server.key.pem" -server_key_passphrase="test" -server_dh_path="/node/dh1024.pem" -``` - -This configuration is related to HTTPS support for RPC, see [here for more details](../running-a-node/configuration-https.md#configuration). +Support for `wss://` is deprecated from V27. +Secure websockets can be achieved by using a reverse proxy. ## Acknowledgement diff --git a/docs/running-a-node/configuration-https.md b/docs/running-a-node/configuration-https.md deleted file mode 100644 index b62cb4ca9..000000000 --- a/docs/running-a-node/configuration-https.md +++ /dev/null 
@@ -1,105 +0,0 @@ -title: HTTPS Configuration -description: Learn how to enabled HTTPS for the nano node RPC server to better secure commands across the internet - -# HTTPS Support - -The RPC server supports TLS to allow HTTPS requests, as well as optional client certificates. To enable TLS, the node must first be built with the `NANO_SECURE_RPC` cmake cache flag set to `ON`. - -OpenSSL must be installed. When running cmake initially, you may need to set `-DOPENSSL_ROOT_DIR` as well, depending on your system. - -Support for secure WebSockets (`wss://`) is also available as of V23.0 with these build settings and configuration updates. See [Secure Websockets](../integration-guides/websockets.md#secure-websockets) for more details. - -## Configuration -The following section enables TLS in `config-rpc.toml` for V22.1 and earlier: - -```toml -[secure] -enable=true -verbose_logging=true -server_cert_path="tls/server.cert.pem" -server_key_path="tls/server.key.pem" -server_key_passphrase="test" -server_dh_path="tls/dh1024.pem" -client_certs_path="tls/clients" -``` - -or in `config-tls.toml` for V23.0 and later: - -```toml -enable_https=true -enable_wss=true -verbose_logging=true -server_cert_path="/node/server.cert.pem" -server_key_path="/node/server.key.pem" -server_key_passphrase="test" -server_dh_path="/node/dh1024.pem" -``` - -## Testing with a self-signed server certificate -The `server_cert_path` setting can be a single server certificate, or a chain file if using an intermediate CA. - -In this test, we'll generate a self-signed certificate. There are many ways to do this, but here we use openssl's `req` command to generate a certificate and a password protected keyfile: - -`openssl req -newkey rsa:2048 -keyout server.key.pem -x509 -days 3650 -out server.cert.pem` - -The passphrase must match the `server_key_passphrase` toml config setting. Pass `-nodes` if you don't want a password. - -OpenSSL will now ask you for certification details. 
For the server cert, only **Common Name** is important. Make sure you set it to the fully qualified domain name. While testing, you should add this domain name to your hosts file. -``` -Country Name (2 letter code) []:US -State or Province Name (full name) []: -Locality Name (eg, city) []: -Organization Name (eg, company) []:MyNanoRPCServer -Organizational Unit Name (eg, section) []:MyNanoThing -Common Name (eg, fully qualified host name) []:www.example.com -Email Address []: -``` - -We also need to generate a Diffie-Hellman params file: - -`openssl dhparam -out dh1024.pem 1024` - -## Test call - -Create a POST request to `https://www.example.com:7076` with the following body: -```json -{ - "action": "block_count" -} -``` - -If using `curl`, self-signed certificates requires the --insecure flag. - -## Client certificates (optional) -If a directory is specified in `client_certs_path`, only clients with trusted client certificates will be able to connect. By trusted, we mean any client with a client certificate that's also installed in `client_certs_path`. - -Revoking access can be done by removing the client certificate file from the node. - -### Generate and install client certificates -Repeat the following process for each client/user you want to grant access: - -`openssl req -newkey rsa:2048 -nodes -keyout rpcuser1.key.pem -x509 -days 365 -out rpcuser1.cert.pem` - -The Common Name **must** be unique and should be something descriptive, like "rpc.user.1" - -For efficiency reasons, the client certificate must be renamed to its subject hash (or use a softlink) - -``` -openssl x509 -in rpcuser1.cert.pem -noout -subject_hash - 0fb8533c -ln -s rpcuser1.cert.pem 0fb8533c.0 -``` - -Distribute the client certificate and key file to the RPC user. - -### Testing client certificates with Postman -Use the *full* version of Postman, not the Chrome extension. In settings, select the Certificates tab. Add the `cert.pem` and `key.pem` files. 
- -The hostname must be the same as the hostname used in Common Name when generating the server certificate. Add this hostname to your hosts file if it's different from the machine hostname. - -If you get an error, check the node log file. Make sure the client certificates are installed. - -### Single PEM file -Some clients may want a single PEM file: - -`cat rpcuser1.cert.pem rpcuser1.key.pem > rpcuser1.pem` diff --git a/docs/running-a-node/configuration.md b/docs/running-a-node/configuration.md index eb0c02694..62a161698 100644 --- a/docs/running-a-node/configuration.md +++ b/docs/running-a-node/configuration.md @@ -276,7 +276,8 @@ See the [Voting as a Representative guide](voting-as-a-representative.md). See the [Ledger Management guide](ledger-management.md). ### HTTPS support -See the [HTTPS Support guide](configuration-https.md). +Support for TLS is deprecated from V27. +Secure RPC/Websockets can be achieved by using a reverse proxy. ### HTTP callback
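Review bot: in the `### Secure WebSockets` hunk of `docs/integration-guides/websockets.md`, the two replacement sentences drop every configuration detail without saying what the reverse-proxy setup needs from the node. The hunk's own context line still tells localhost clients to connect to a `ws://[::1]:70` address, so state explicitly that the node's websocket listener should stay bound to loopback and that the proxy terminates TLS and forwards to that address; otherwise an operator who removes `enable_wss=true` may end up with a plaintext websocket reachable from outside. Also say what "deprecated from V27" means operationally: does V27 ignore `config-tls.toml` with a warning, or refuse to start when it is present? And if V23 to V26 are still documented here, keep a one-line note that the `NANO_SECURE_RPC` build flag and `config-tls.toml` still apply to those releases.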
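Review bot: deleting `docs/running-a-node/configuration-https.md` outright removes the only instructions for the `[secure]` block in `config-rpc.toml` (V22.1 and earlier) and for `config-tls.toml` (V23.0 to V26), including the client-certificate access control via `client_certs_path` and the subject-hash install step (`openssl x509 ... -subject_hash`, `ln -s rpcuser1.cert.pem 0fb8533c.0`), with nothing replacing them. If those releases remain supported, keep the page and mark it as applying up to V26; if not, the reverse-proxy advice added elsewhere in this patch should at least mention that operators who relied on `client_certs_path` for access control now have to enforce client certificates at the proxy, since that feature has no server-side equivalent once node TLS is gone. Also check the docs nav and other pages for remaining links to `configuration-https.md` and its `#configuration` anchor; this patch only removes the two references visible here.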
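Review bot: under `### HTTPS support` in `docs/running-a-node/configuration.md`, the new line "Secure RPC/Websockets can be achieved by using a reverse proxy." leaves the exposure of the now always-plaintext RPC listener unaddressed. Since TLS at the node is going away, this is the place to say that the RPC and websocket listeners should remain bound to localhost and only the proxy should be reachable externally, or to link to wherever the reverse-proxy setup is documented. Minor: the heading still reads `### HTTPS support` for a feature the text says is deprecated; consider naming the deprecated keys (`enable_https`, `enable_wss`) in the body so searches for them still land here. Also `Websockets` here versus `WebSockets` in the websockets.md heading; pick one spelling.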