Securing a node with Nginx and Certbot

This guide will help you to enable SSL on your node, making all HTTP communication encrypted. We will make use of Nginx and Certbot.

Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.

Certbot is an easy-to-use client that fetches a certificate from Let's Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

PLEASE NOTE: This guide is made as easy as possible and does not go in-depth in regards to each individual topic. I highly recommend visiting the resources below to learn more about using Nginx and Certbot.


  • Fully synced XQR relay node
  • Registered domain name
  • DNS records of domain pointing to the public IP address of your node (both with and without www.)

Step 1: Installing Nginx

Update local packages:

sudo apt update

Install nginx:

sudo apt install nginx

Ignore any fail2ban errors.

Allow traffic on port 80 to be able to set things up:

sudo ufw allow 'Nginx HTTP'

Verify firewall rules:

sudo ufw status

Check if Nginx is running correctly by navigating to your node's public IP in a browser (http://your_server_ip). You should see the splash screen: Welcome to nginx!

Step 2: Installing Certbot

Add the repository:

sudo add-apt-repository ppa:certbot/certbot

If you're using 16.04, update first:

sudo apt-get update

Install Certbot Nginx package:

sudo apt install python-certbot-nginx

Step 3: Allow HTTPS through firewall

Allow HTTPS traffic:

sudo ufw allow 'Nginx Full'

Remove redundant HTTP profile:

sudo ufw delete allow 'Nginx HTTP'

Step 4: Obtaining an SSL certificate

Let certbot obtain the certificates for your domains (replace with your domain):

sudo certbot --nginx -d -d
  • Enter your email
  • Accept the terms of service
  • Decide on whether to share your email
  • Choose any of the 2 options (we'll overwrite this later, anyway)

Visit your domain via https to verify that everything works (for example:

Step 5: Redirect your domain to the node's API endpoint

Open the nginx config file with nano:

sudo nano /etc/nginx/sites-available/default

Remove all contents from the config and add the following (replacing all occurrences of with your own domain):

server {
  listen 443;
  ssl on;
  ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
  ssl_verify_client off;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:4103/;
    proxy_ssl_session_reuse off;
    proxy_set_header Host $http_host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;

Save and exit with CTRL + X and confirm

Next, verify the syntax of the config file with:

sudo nginx -t

If the synthax is correct, reload Nginx to load the new configuration:

sudo systemctl reload nginx

Done ✅

Visit your domain via https and enjoy your secure API endpoint.


Parts of the steps above are taken from the excellent in-depth guides linked below. Check them out if you'd like to know more about these topics:

Last Updated: 5/24/2019, 8:03:37 PM