How to protect a validator node through HAProxy configuration

On mainnet, access to the validator node has to be restricted to a small set of clients to keep it secure. As mentioned in the "Port Settings" section of "Node Requirements", the validator node's port 6181 should be reachable only from its own validator fullnode (VFN). How should that be configured?

There are several ways to do this, such as iptables or the firewall policies offered by cloud providers. This guide focuses on doing it through HAProxy configuration. Some recommendations before you begin:

  1. Verify the following steps on testnet before applying them on mainnet, to avoid unexpected issues.
  2. Back up the docker-compose YAML file and haproxy.cfg so you can recover quickly if something goes wrong.

Step 1: Create a whitelisted.ips file in the same directory as the docker-compose YAML file, with one entry per line. Replace the placeholder with the public IP address of your VFN (HAProxy also accepts CIDR networks in this file, and lines starting with # are ignored):

your-vfn-ip

Step 2: Modify the docker-compose YAML file.

Find the haproxy service and add the following bind mount to its volumes list, next to the existing mounts:

      - type: bind
        source: ./whitelisted.ips
        target: /usr/local/etc/haproxy/whitelisted.ips

The modified result (shown as a screenshot of the haproxy service's volumes section in the original post) has the new whitelisted.ips mount listed alongside the existing entries.

Step 3: Modify the haproxy.cfg configuration file.

Find the section for frontend fe-fullnode and replace the following:

    # Deny requests from blocked IPs
    tcp-request connection silent-drop if { src -n -f /usr/local/etc/haproxy/blocked.ips }

With:

    # Deny requests from non-whitelisted IPs
    tcp-request connection silent-drop if !{ src -n -f /usr/local/etc/haproxy/whitelisted.ips }

Note that this is a replacement, not an addition: the old rule dropped connections from addresses listed in blocked.ips, the new one silently drops every connection whose source is not listed in whitelisted.ips. A missing or mistyped VFN address therefore cuts your own VFN off from port 6181. HAProxy reads the pattern file once at start-up (the -n flag keeps it from attempting DNS resolution on the entries) and refuses to start if the file cannot be opened, so the bind mount from Step 2 must be in place and HAProxy must be restarted for any later change to the file to take effect.

Step 4: Recreate the HAProxy container

Because Step 2 added a new bind mount, the container has to be recreated from the modified compose file; docker compose restart only restarts the existing container and does not pick up changes made to the compose file, so the whitelist would not be mounted and HAProxy would fail to start. Run:

docker compose -f docker-compose-haproxy.yaml up -d

If you only change the contents of whitelisted.ips or haproxy.cfg later (no compose-file change), a plain restart is enough:

docker compose -f docker-compose-haproxy.yaml restart

After the container comes up, make sure your validator node is working properly: check that the haproxy container is running (docker compose -f docker-compose-haproxy.yaml ps), look at its logs for configuration errors (docker compose -f docker-compose-haproxy.yaml logs haproxy), and confirm that the VFN still connects to the validator while a non-whitelisted host gets no response on port 6181.
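The following shell script is an added example, not part of the original post or of any node operator's tooling. It runs the pre-flight checks a practitioner would want before recreating the haproxy container: that the whitelist contains only IPv4 addresses or CIDR networks (an untouched your-vfn-ip placeholder fails this check, and would otherwise stop HAProxy from starting), that the frontend fe-fullnode section now carries the whitelist rule and no longer references blocked.ips, and that the compose file bind-mounts the whitelist at the path the ACL reads. The sample whitelist, haproxy.cfg fragments and compose snippet it builds are constructed for the demonstration; the addresses 203.0.113.10 and 198.51.100.8/29 are documentation ranges, not real VFNs, and the service name haproxy is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks for the
# whitelist change. All paths, addresses and sample files are constructed.

# Every non-blank, non-comment line of the whitelist must be an IPv4 address
# or an IPv4 CIDR. HAProxy loads the pattern file at start-up and refuses to
# start on a malformed entry, which would leave port 6181 down after the restart.
check_whitelist_file() {
    local file="$1" line entries=0
    [ -s "$file" ] || { echo "whitelist missing or empty: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            echo "not an IPv4 address or CIDR: $line" >&2
            return 1
        fi
        entries=$((entries + 1))
    done < "$file"
    [ "$entries" -gt 0 ]   # an all-comment file would still whitelist nobody
}

# Print one HAProxy section: from its header line up to the next section header.
haproxy_section() {
    awk -v hdr="$2" '$0 ~ "^" hdr "([ \t]|$)" { f = 1; next }
                     /^(global|defaults|frontend|backend|listen)([ \t]|$)/ { f = 0 }
                     f' "$1"
}

# frontend fe-fullnode must carry the whitelist rule and must no longer
# reference blocked.ips: the edit is a replacement, not an addition.
check_fe_fullnode() {
    local section
    section=$(haproxy_section "$1" "frontend fe-fullnode")
    [ -n "$section" ] || { echo "no frontend fe-fullnode in $1" >&2; return 1; }
    printf '%s\n' "$section" \
      | grep -Fq 'tcp-request connection silent-drop if !{ src -n -f /usr/local/etc/haproxy/whitelisted.ips }' \
      || { echo "whitelist rule missing in fe-fullnode" >&2; return 1; }
    if printf '%s\n' "$section" | grep -Fq 'blocked.ips'; then
        echo "old blocked.ips rule still present in fe-fullnode" >&2
        return 1
    fi
}

# The compose file must bind-mount the whitelist at the path the ACL reads.
check_compose_mount() {
    grep -Fq 'target: /usr/local/etc/haproxy/whitelisted.ips' "$1"
}

# Constructed sample inputs: a valid whitelist, the untouched placeholder, the
# edited haproxy.cfg, the pre-edit version still using blocked.ips, and a
# compose snippet with the new mount. Prints the temp directory it created.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf '203.0.113.10\n# standby VFN\n198.51.100.8/29\n' > "$d/whitelisted.ips"
    printf 'your-vfn-ip\n' > "$d/placeholder.ips"
    cat > "$d/haproxy.cfg" <<'EOF'
frontend fe-fullnode
    bind :6181
    # Deny requests from non-whitelisted IPs
    tcp-request connection silent-drop if !{ src -n -f /usr/local/etc/haproxy/whitelisted.ips }
    default_backend validator-fullnode

frontend fe-validator
    bind :6180
    default_backend validator
EOF
    sed 's#if !{ src -n -f /usr/local/etc/haproxy/whitelisted.ips }#if { src -n -f /usr/local/etc/haproxy/blocked.ips }#' \
        "$d/haproxy.cfg" > "$d/haproxy-before.cfg"
    cat > "$d/docker-compose-haproxy.yaml" <<'EOF'
services:
  haproxy:
    image: haproxy
    volumes:
      - type: bind
        source: ./whitelisted.ips
        target: /usr/local/etc/haproxy/whitelisted.ips
EOF
    printf '%s\n' "$d"
}

# Usage: preflight.sh WHITELIST HAPROXY_CFG COMPOSE_YAML (no arguments: only defines functions)
if [ "$#" -eq 3 ]; then
    check_whitelist_file "$1" && check_fe_fullnode "$2" && check_compose_mount "$3" \
        && echo "pre-flight OK: safe to recreate the haproxy container"
fi
```

Run it against the real files before Step 4, e.g. preflight.sh whitelisted.ips haproxy.cfg docker-compose-haproxy.yaml. These checks are textual; the authoritative syntax check is still HAProxy itself, which you can run in a throwaway container with the new mounts before bringing the service up (assuming the service is named haproxy): docker compose -f docker-compose-haproxy.yaml run --rm haproxy haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg.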
