On mainnet, we need to restrict access from some clients to protect the validator nodes. As mentioned in the “Port Settings” section of the “Node Requirements”, the validator node’s port 6181 should only be reachable from the validator fullnode (VFN). How should this be configured?
There are several ways to do it, such as iptables or the firewall policies offered by cloud providers. This guide focuses on doing it through the HAProxy configuration. Some recommendations before you begin:
- Verify the following steps on testnet before applying them on mainnet, to avoid unexpected issues.
- Back up the docker-compose YAML file and haproxy.cfg so you can recover quickly if something goes wrong.
Step 1: Add a whitelisted.ips file with this content:
    your-vfn-ip
Step 2: Modify the docker-compose YAML file.
Find the haproxy section and add the following bind mount:
    - type: bind
      source: ./whitelisted.ips
      target: /usr/local/etc/haproxy/whitelisted.ips
The modified result is:
Step 3: Modify the haproxy.cfg configuration file.
Find the frontend fe-fullnode section and replace the following:
# Deny requests from blocked IPs
tcp-request connection silent-drop if { src -n -f /usr/local/etc/haproxy/blocked.ips }
With:
# Deny requests from non-whitelisted IPs
tcp-request connection silent-drop if !{ src -n -f /usr/local/etc/haproxy/whitelisted.ips }
The modified result is:
Step 4: Restart your validator node
docker compose -f docker-compose-haproxy.yaml restart
After the restart completes, verify that your validator node is working properly.
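To see what Step 3 actually changes, the following added example (not part of the original guide or the node software) simulates HAProxy's `src -n -f <file>` ACL match for both the old deny-list rule and the new allow-list rule, and parses a whitelisted.ips file the way HAProxy expects it (one IP or CIDR per line). The file contents and source addresses are constructed samples.

```python
"""Added example: simulate the two HAProxy ACL rules from Step 3 offline."""
import ipaddress

# Constructed sample pattern files. An HAProxy "-f" file for an IP ACL holds
# one address or CIDR network per line; blank lines and '#' lines are ignored.
BLOCKED_IPS_FILE = """
# constructed deny-list (the original blocked.ips rule)
198.51.100.7
203.0.113.0/24
"""
WHITELISTED_IPS_FILE = """
# constructed allow-list: only the VFN may reach port 6181
192.0.2.10
"""


def load_patterns(text):
    """Parse a pattern file into ip_network objects.

    A malformed line raises ValueError here, which is what you want to catch
    before HAProxy refuses to start on the same line.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def src_matches(src, patterns):
    """Equivalent of `{ src -n -f file }`: true if src falls in any entry."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in patterns)


def dropped_by_denylist(src):
    """Old rule: tcp-request connection silent-drop if { src -n -f blocked.ips }"""
    return src_matches(src, load_patterns(BLOCKED_IPS_FILE))


def dropped_by_allowlist(src):
    """New rule: tcp-request connection silent-drop if !{ src -n -f whitelisted.ips }"""
    return not src_matches(src, load_patterns(WHITELISTED_IPS_FILE))


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.42", "8.8.8.8"):
        print(f"{src:>14}  deny-list drops: {dropped_by_denylist(src)!s:5}  "
              f"allow-list drops: {dropped_by_allowlist(src)}")
```

Note the difference for an address in neither file (8.8.8.8): the deny-list lets it through, the allow-list silently drops it.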