Deploying Blockscout Explorer for Etho Protocol

Ethoprotocol
4 min readMar 9, 2022

--

Updated 9th March 2022

I am writing this article as deploying blockscout turned out to be more complicated than I thought for our ETHO protocol project I am engaged in. ETHO protocol is an EVM blockchain with IPFS capability.

Blockscout is a robust explorer for EVM chains and it has been working for a lot of chains.

It works — does it?

Deploying blockscout in docker seems to be fairly easy. Spinning up a VPS with 6 cores, 200GB SSD and 8Gbps was thought to be good enough. However, after a while all 6 cores would run at 100% load and some strange processes seems to hog the CPUs.

The top processes from htop show /tmp/kevtmpfsi and some other scripts to occupy the VPS

Some research showed fast what is ongoing, the VPS gets highjacked by a Kinsing cryptocurrency miner. There are some good reads here showing how this is happening.

Docker has some implications on security, which we need to take into account to have a safe deployment:

  • Docker should be run as a non root user
  • Docker needs to be locked down not to mess with the UFW firewall, as it turned out that docker exposed the Postgres port externally and allowed then the miner to exploit the security weakness

What needs to be done to make it work

Here is a tutorial where we start from a clean VPS with Ubuntu 20. First, we start by creating a new user and provide sudo rights to that user

adduser fdm
usermod -aG sudo fdm

As we are on it we also enable the ufw firewall. We use port 4000 for the HTTP server.

ufw allow ssh
ufw allow http
ufw allow https
ufw enable

Logout as root and re-login as a user.

Step 1: Deploy ETHO protocol chain

We start with some basic preparations for the functionality needed. Therefore we issue the following and download screen and htop.

sudo apt update
sudo apt install htop
sudo apt install screen

Next, we create a local directory called geth and download the latest ETHO protocol release

mkdir geth
cd geth
curl -L https://github.com/Ether1Project/Ether1/releases/download/V2.0.0/etho-linux-2.0.0.tar.gz — output geth.tar.gz
tar xvfz geth.tar.gz

Also, create a file called start_geth containing all needed options with Your favorite editor and paste into the file the following:

#!/bin/bash
/home/fdm/geth/geth --rpc --rpcaddr 127.0.0.1 --rpcport 8451 --rpcapi "debug,net,eth,shh,web3,txpool" --syncmode=full --ethstats "explorer.ethoprotocol.com:ether1stats@stats.ethoprotocol.com" --gcmode=archive --rpcvhosts="*" --http.corsdomain "*" --rpccorsdomain "*"

Save the file and make it executable. Thereafter we run the script in screen

chmod u+x start_geth.sh
screen -S geth

A new session is started called geth where we then execute start_geth

./start_geth.sh

Press then control-ad, that pushes the screen session in the background
You can return to that session via

screen -D -r

geth will take several hours to sync, 12 hrs a minimum, depending on Your VPS and connectivity of the VPS. You will when the geth install is synced single block synching like here:

Blocksize is 1, so the chain is in sync.

Step 2: Prepare docker

In the meantime, we can prepare docker.

sudo apt install docker.io

This step will be the most important and also a mind-boggling part. If You set up a UFW firewall, docker will be able to go around it. So if docker exposes a port, it is still exposed, even though You potentially have denied it in UFW. Docker is messing with ufw, so we need to prevent that. Luckily this is possible by creating a file /etc/docker/daemon.json with the following content:

{
“iptables”:false
}

When at it we also add a user to the docker group:

sudo usermod -aG docker fdm
sudo systemctl restart docker

Make sure You log out and re-login as a user.

Step 3: Deploy blockscout

Almost final step. This first can only be done when the ETHO protocol chain is in sync (check end of step 1). Back to home directory

cd
git clone https://github.com/Ether1Project/blockscout.git

We open a new session and start the container building and deploy process:

screen -S blockscout
chmod u+x start_blockscout.sh
./start_blockscout.sh

This will take 10–20 minutes to build and deploy the containers. After that process You can reach the explorer via http://<IP>:4000, as we block all ports except ssh, http and https we need to install Nginx as a reverse proxy.

cd
sudo apt install nginx

We install a config file at /etc/nginx/site-available/explorer.ethoprotocol.com with the following content.

server {
server_name explorer.ethoprotocol.com;
location / {
proxy_pass http://localhost:4000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
# define buffers, necessary for proper communication to prevent 502s
}
}

To load the config, we need to link it

cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/explorer.ethoprotocol.com explorer.ethoprotocol.com
sudo nginx -t

We test the config with the following and then restart:

sudo nginx -t
sudo systemctl restart nginx

After that we will deploy certbot to enable HTTPS:

sudo certbot --nginx -d explorer.ethoprotocol.com

Step 4: Full automation

To make this a bit more robust, we plan to enable supervisor to watch about the two processes for the chain and the containers:

sudo apt install supervisor
cd /etc/supervisor/conf

We create now two config files, one for geth and one for blockchain with our faviourite editor. For geth.conf:

[program:geth]
command=/home/fdm/geth/start_geth.sh
autostart=true
autorestart=true
user=fdm
stderr_logfile=/var/log/geth.err.log
stdout_logfile=/var/log/geth.out.log
environment=HOME=”/home/fdm”,USER=”fdm”

and for blockscout.conf

[program:blockscout]
command=/home/fdm/blockscout/docker//start_blockscout.sh
autostart=true
autorestart=true
user=fdm
stderr_logfile=/var/log/blockscout.err.log
stdout_logfile=/var/log/blockscout.out.log
environment=HOME=”/home/fdm”,USER=”fdm”

Now we have peace of mind. If anything goes down, supervisor will bring it back, including a reboot.

--

--

Ethoprotocol

Etho Protocol is a Ethereum based storage solution, providing decentralized IPFS storage with full EVM compatibility