HTTPS for IRI
Consider enabling HTTPS on your IRI node for security. This will prevent man-in-the-middle (MITM) attacks where an attacker can alter the contents of messages sent between the client (wallets, devices, etc.) and the node. The new Trinity Wallet only communicates with nodes through HTTPS.
Prerequisites
To complete this tutorial, you will need the following:
- A server running Ubuntu 14.04+ or Debian 8+
- A functioning full node
- A domain name with DNS records set up
  - If you do not have a domain name, you can purchase one from any domain registrar
- Documentation for your firewall
  - Open a port for IRI (normally 14265)
  - Open port 443 for HTTPS
Configuring HTTPS
- Run the following command, which downloads the easyhttps script from the auto-nginx-https repository and executes it as root:
curl -sL https://raw.githubusercontent.com/eukaryote31/auto-nginx-https/master/easyhttps | sudo bash
- Follow the prompts
- Congratulations! You can now connect to your node via HTTPS on port 443.
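The command above pipes a remote script straight into a root shell, so whatever the URL serves at that moment is what runs. The following is an added example, not part of the original tutorial or the auto-nginx-https project: it saves the same script to disk, optionally compares it with a SHA-256 digest you recorded from a copy you already reviewed, shows it in a pager, and runs it only after confirmation. The function names and the optional digest argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example: download the installer, review it, then run it as root.
# Function names and the optional digest argument are assumptions.

# URL taken from the tutorial's command.
INSTALLER_URL="https://raw.githubusercontent.com/eukaryote31/auto-nginx-https/master/easyhttps"

# Succeeds only if the SHA-256 of file $1 equals the hex digest in $2.
sha256_matches() {
    local actual
    actual="$(sha256sum "$1" | awk '{print $1}')"
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Save the script at URL $1 to file $2 without executing it.
# --fail keeps an HTTP error page from being stored as a script;
# --proto/--proto-redir refuse plain HTTP, including on redirects.
fetch_installer() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$2" "$1"
}

# Usage: review_and_run [expected-sha256]
review_and_run() {
    local expected script answer status
    expected="${1:-}"
    script="$(mktemp)" || return 1
    if ! fetch_installer "$INSTALLER_URL" "$script"; then
        rm -f "$script"; return 1
    fi
    echo "SHA-256: $(sha256sum "$script" | awk '{print $1}')"
    if [ -n "$expected" ] && ! sha256_matches "$script" "$expected"; then
        echo "Digest mismatch: script differs from the reviewed copy." >&2
        rm -f "$script"; return 1
    fi
    "${PAGER:-less}" "$script"   # read what is about to run as root
    printf 'Run this script with sudo? [y/N] '
    read -r answer
    status=0
    if [ "$answer" = "y" ]; then
        sudo bash "$script" || status=$?
    fi
    rm -f "$script"
    return "$status"
}
```

Source the file and call `review_and_run`, passing a digest as the first argument to refuse any copy that differs from the one you reviewed.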
Validating Your Configuration
- Enter your domain name in the Qualys SSL Server Test
  - It should receive an A rating
- Check Apple App Transport Security (ATS) compliance with apptransport.info
  - Ensure that the "Apple ATS 9 / iOS 9" test passes on the Qualys SSL Server Test (look under "Handshake Simulations")
  - Diagnose any issues with nscurl (macOS only) as shown here