Protecting Ethereum JSON-RPC API with password



This blog post is aimed at smart contract application developers and discusses how to securely run your Ethereum nodes behind a password so that they can be exposed over the Internet.

Go Ethereum (geth) is the most popular Ethereum node software. Other popular Ethereum implementations are Parity and cpp-ethereum. Distributed applications (Dapps) are JavaScript-coded web pages that connect to any of these Ethereum node implementations over the JSON-RPC API, which itself runs on top of the HTTP protocol.

Neither geth nor any of the other node implementations provides secure networking itself. It is not safe to expose the Ethereum JSON-RPC API to the public Internet: even with the private APIs disabled, this opens the door to trivial denial-of-service attacks. Nor should node software need to provide secure networking primitives, as such built-in functionality would increase complexity and add attack surface to critical blockchain node software.

Dapps themselves are pure client-side HTML and JavaScript; they do not need any servers and can run in any web browser, including mobile and embedded ones, such as the one inside the Mist wallet.

Using Nginx proxy as HTTP Basic Authenticator

There are several ways to protect access to an HTTP API. The most common methods are an API token in an HTTP header, cookie-based authentication, and HTTP Basic Access Authentication.

HTTP Basic Authentication is a very old feature of the HTTP protocol in which the web browser opens a native pop-up dialog asking for a username and password. It is limited in nature, but very easy to implement and ideal for use cases where one needs to expose a private Dapp to a limited Internet audience. Such use cases include showing a Dapp demo, private and permissioned blockchain applications, or exposing Ethereum functionality as part of your software-as-a-service solution.
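The following is an added example of the setup this section describes, not configuration from the original post: an Nginx reverse proxy that places geth's JSON-RPC endpoint behind HTTP Basic Authentication, terminates TLS, and rate-limits requests. It assumes geth is listening only on the loopback address (127.0.0.1:8545, the default RPC port), that `rpc.example.com`, the certificate paths and the htpasswd path are placeholders you replace with your own, and that the password file was created with the `htpasswd` tool from the Apache utilities.

```nginx
# Added example (not from the original post): put the geth JSON-RPC API
# behind HTTP Basic Auth and TLS. Assumptions: geth binds 127.0.0.1:8545
# only; hostname, certificate and htpasswd paths are placeholders.
# Create the password file with, e.g.:  htpasswd -c /etc/nginx/rpc.htpasswd alice

# Per-client request rate limit: Basic Auth alone does not stop a flood of
# requests from reaching the node, so cap the rate before proxying.
limit_req_zone $binary_remote_addr zone=rpc:10m rate=10r/s;

# Plain HTTP: redirect everything to HTTPS. Basic Auth credentials are only
# base64-encoded, so they must never travel over an unencrypted connection.
server {
    listen 80;
    server_name rpc.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name rpc.example.com;

    ssl_certificate     /etc/nginx/ssl/rpc.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/rpc.example.com.key;   # placeholder

    location / {
        # Browser shows its native login dialog; the realm string is arbitrary.
        auth_basic           "Ethereum JSON-RPC";
        auth_basic_user_file /etc/nginx/rpc.htpasswd;

        # Allow short bursts, reject anything beyond with HTTP 503.
        limit_req zone=rpc burst=20 nodelay;

        # Only authenticated, rate-limited requests reach the node.
        proxy_pass         http://127.0.0.1:8545;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
    }
}
```

To check the proxy end to end, a request without credentials should return 401, while `curl -u alice https://rpc.example.com -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"net_version","params":[],"id":1}'` should return the node's network id. Because geth itself is bound to loopback, the only path from the Internet to the API is through the authenticated, TLS-protected proxy.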


Nginx is one of the most popular
