Deploying Blockscout Explorer for Etho Protocol
I am writing this article as deploying blockscout turned out to be more complicated than I thought for our ETHO protocol project I am engaged in. ETHO protocol is an EVM blockchain with IPFS capability.
Blockscout is a robust explorer for EVM chains and it has been working for a lot of chains.
It works — does it?
Deploying blockscout in docker seems to be fairly easy. Spinning up a VPS with 6 cores, 200GB SSD and 8Gbps was thought to be good enough. However, after a while all 6 cores would run at 100% load and some strange processes seems to hog the CPUs.
Some research showed fast what is ongoing, the VPS gets highjacked by a Kinsing cryptocurrency miner. There are some good reads here showing how this is happening.
Docker has some implications on security, which we need to take into account to have a safe deployment:
- Docker should be run as a non root user
- Docker needs to be locked down not to mess with the UFW firewall, as it turned out that docker exposed the Postgres port externally and allowed then the miner to exploit the security weakness
What needs to be done to make it work
Here is a tutorial where we start from a clean VPS with Ubuntu 20. First, we start by creating a new user and provide sudo rights to that user
adduser fdm
usermod -aG sudo fdm
As we are on it we also enable the ufw firewall. We use port 4000 for the HTTP server.
ufw allow ssh
ufw allow http
ufw allow https
ufw enable
Logout as root and re-login as a user.
Step 1: Deploy ETHO protocol chain
We start with some basic preparations for the functionality needed. Therefore we issue the following and download screen and htop.
sudo apt update
sudo apt install htop
sudo apt install screen
Next, we create a local directory called geth and download the latest ETHO protocol release
mkdir geth
cd geth
curl -L https://github.com/Ether1Project/Ether1/releases/download/V2.0.0/etho-linux-2.0.0.tar.gz — output geth.tar.gz
tar xvfz geth.tar.gz
Also, create a file called start_geth containing all needed options with Your favorite editor and paste into the file the following:
#!/bin/bash
/home/fdm/geth/geth --rpc --rpcaddr 127.0.0.1 --rpcport 8451 --rpcapi "debug,net,eth,shh,web3,txpool" --syncmode=full --ethstats "explorer.ethoprotocol.com:ether1stats@stats.ethoprotocol.com" --gcmode=archive --rpcvhosts="*" --http.corsdomain "*" --rpccorsdomain "*"
Save the file and make it executable. Thereafter we run the script in screen
chmod u+x start_geth.sh
screen -S geth
A new session is started called geth where we then execute start_geth
./start_geth.sh
Press then control-ad, that pushes the screen session in the background
You can return to that session via
screen -D -r
geth will take several hours to sync, 12 hrs a minimum, depending on Your VPS and connectivity of the VPS. You will when the geth install is synced single block synching like here:
Step 2: Prepare docker
In the meantime, we can prepare docker.
sudo apt install docker.io
This step will be the most important and also a mind-boggling part. If You set up a UFW firewall, docker will be able to go around it. So if docker exposes a port, it is still exposed, even though You potentially have denied it in UFW. Docker is messing with ufw, so we need to prevent that. Luckily this is possible by creating a file /etc/docker/daemon.json with the following content:
{
“iptables”:false
}
When at it we also add a user to the docker group:
sudo usermod -aG docker fdm
sudo systemctl restart docker
Make sure You log out and re-login as a user.
Step 3: Deploy blockscout
Almost final step. This first can only be done when the ETHO protocol chain is in sync (check end of step 1). Back to home directory
cd
git clone https://github.com/Ether1Project/blockscout.git
We open a new session and start the container building and deploy process:
screen -S blockscout
chmod u+x start_blockscout.sh
./start_blockscout.sh
This will take 10–20 minutes to build and deploy the containers. After that process You can reach the explorer via http://<IP>:4000, as we block all ports except ssh, http and https we need to install Nginx as a reverse proxy.
cd
sudo apt install nginx
We install a config file at /etc/nginx/site-available/explorer.ethoprotocol.com with the following content.
server {
server_name explorer.ethoprotocol.com;location / {
proxy_pass http://localhost:4000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
# define buffers, necessary for proper communication to prevent 502s
}}
To load the config, we need to link it
cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/explorer.ethoprotocol.com explorer.ethoprotocol.com
sudo nginx -t
We test the config with the following and then restart:
sudo nginx -t
sudo systemctl restart nginx
After that we will deploy certbot to enable HTTPS:
sudo certbot --nginx -d explorer.ethoprotocol.com
Step 4: Full automation
To make this a bit more robust, we plan to enable supervisor to watch about the two processes for the chain and the containers:
sudo apt install supervisor
cd /etc/supervisor/conf
We create now two config files, one for geth and one for blockchain with our faviourite editor. For geth.conf:
[program:geth]
command=/home/fdm/geth/start_geth.sh
autostart=true
autorestart=true
user=fdm
stderr_logfile=/var/log/geth.err.log
stdout_logfile=/var/log/geth.out.log
environment=HOME=”/home/fdm”,USER=”fdm”
and for blockscout.conf
[program:blockscout]
command=/home/fdm/blockscout/docker//start_blockscout.sh
autostart=true
autorestart=true
user=fdm
stderr_logfile=/var/log/blockscout.err.log
stdout_logfile=/var/log/blockscout.out.log
environment=HOME=”/home/fdm”,USER=”fdm”
Now we have peace of mind. If anything goes down, supervisor will bring it back, including a reboot.