This blog post is aimed at smart contract application developers and discusses how to run your Ethereum nodes behind a password so they can be securely exposed over the Internet.
Neither geth nor any other node software provides secure networking on its own. It is not safe to expose the Ethereum JSON-RPC API to the public Internet: even with the private APIs disabled, doing so opens the door to trivial denial-of-service attacks. Node software does not need to provide secure networking primitives itself, since this kind of built-in functionality would increase complexity and add attack surface to critical blockchain node software.
Using an Nginx proxy as an HTTP Basic Authenticator
There are several ways to protect access to an HTTP API. The most common methods are an API token in an HTTP header, cookie-based authentication, and HTTP Basic Access Authentication.
HTTP Basic Authentication is a very old feature of the HTTP protocol in which the web browser opens a native pop-up dialog asking for a username and password. It is limited in nature, but very easy to implement and well suited to use cases where one needs to expose a private Dapp to a limited Internet audience. These use cases include showing a Dapp demo, private and permissioned blockchain applications, or exposing Ethereum functionality as part of your software-as-a-service solution.
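As an added example (not the configuration from the original post), here is an nginx server block that terminates TLS, requires HTTP Basic credentials, and only then proxies the request to a geth JSON-RPC endpoint bound to localhost; the hostname, certificate paths, credential file and port 8545 are assumptions.

```nginx
# Added example: nginx reverse proxy with HTTP Basic Auth in front of geth.
# Assumptions: geth listens only on 127.0.0.1:8545 (never on a public interface),
# the credential file is /etc/nginx/.htpasswd, and TLS certificates already exist.
server {
    listen 443 ssl;
    server_name rpc.example.com;                                # placeholder hostname

    ssl_certificate     /etc/ssl/certs/rpc.example.com.pem;     # placeholder paths
    ssl_certificate_key /etc/ssl/private/rpc.example.com.key;

    location / {
        # Basic Auth sends the credentials base64-encoded (not encrypted) in the
        # Authorization header, so it is only acceptable over TLS.
        auth_basic           "Ethereum JSON-RPC";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Unauthenticated requests are rejected here with 401 and never reach geth.
        proxy_pass         http://127.0.0.1:8545;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;

        # Cap the JSON-RPC request body so oversized payloads are dropped at the edge.
        client_max_body_size 1m;
    }
}

# Redirect plaintext HTTP to HTTPS so credentials are never sent unencrypted.
server {
    listen 80;
    server_name rpc.example.com;
    return 301 https://$host$request_uri;
}
```

Create the credential file with `htpasswd -c /etc/nginx/.htpasswd <user>` (from apache2-utils or httpd-tools) and start geth with its HTTP server bound to 127.0.0.1 only, so the proxy is the sole route to the RPC port.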
Nginx is one of the most popular