Specter over SSH-tunnel
If you want to have access to your wallet outside of your local network you can either use Tor, or make a reverse proxy from your node to a cheap VPS somewhere.
Here we will describe how to set up your VPS server to forward all requests to your Bitcoin node.
You can either have both Specter and Bitcoin Core on the same node and forward Specter interface to remote server, or you can only do it for Bitcoin Core and keep Specter on your laptop. The following guide assumes the first option, however, if you want to go with the second one just change the port from 25441
to 8334
or whatever port your Core is using.
Basic configuration
Update your remote server:
apt update && apt upgrade
Install nginx:
apt install nginx
Add a new server to your nginx configuration /etc/nginx/sites-enabled/default
:
server {
listen 80 default_server;
listen [::]:80 default_server;
# optinaly configure domain name
server_name specter.mydomain.com;
# set proxy pass
location / {
proxy_pass http://127.0.0.1:25441;
}
}
Restart nginx:
nginx -s reload
On your local computer (where Specter is running) start a reverse proxy:
ssh -nN -R 25441:localhost:25441 user@specter.mydomain.com
Check in your browser - when you navigate to http://specter.mydomain.com
you should see Specter already.
Incorporate SSH tunnel into Specter.service file
To launch specter automatically on system startup, see daemon.md. Whether you use the specter python package or the tar.gz release, you can incorporate an ssh port forward to your reverse proxy to start automatically with specter.
For the python approach, would use the following specter.service file:
[Unit]
Description=Specter Desktop Service
After=multi-user.target
Conflicts=getty@tty1.service
[Service]
User=myusername
Type=simple
ExecStart=/usr/bin/python3 -m cryptoadvance.specter server & ssh -nN -R 25441:localhost:25441 user@specter.mydomain.com && fg
StandardInput=tty-force
[Install]
WantedBy=multi-user.target
The approach for using the tarball is commented out in the example in daemon.md.
Adding HTTPS
HTTPS is very important, not only because it is secure, but also because without HTTPS we can't use camera to scan QR codes. We need to get secure connection.
Letsencrypt issues certificates for free, they just need to check that you control the domain. So it doesn't work for local network or for Tor addresses. In these cases you would need to create a self-signed certificate. But domains are cheap and probably everyone has a dozen that is not used. So we assume you have one.
Install certbot to issue certificate for us:
apt install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt update
apt install certbot python-certbot-nginx
Run certbot
and answer it's questions:
certbot --nginx
Now Specter should be available over HTTPS: https://specter.mydomain.com
Authentication
We don't want random people to have access to our wallet, so we want to protect it with login and password. Specter has two methods of authentication built in.
You can configure the authentication method used by Specter at https://specter.mydomain.com/settings/auth
When authentication is enabled Specter rate limits attempts to login to frustrate brute force password guessing.
Password Protection
User defined password is used by Specter to login (default: admin).
RPC Password as PIN
The Bitcoin Core RPC password is used by Specter to login.
Multiple Users
With this method you can choose the username and password of the Specter admin user. You can also invite other (limited) users to register also.
Adding basic authentication via Nginx
Note: This part is only required if you do not want to use one of the built in Specter authentication methods. If you use Nginx basic authentication you should also think about rate limiting brute force attacks via software like fail2ban
.
Nginx has a nice documentation on the topic, but I will copy-paste main commands here.
Verify that apache2-utils
(Debian, Ubuntu) or httpd-tools
(RHEL/CentOS/Oracle Linux) is installed.
apt install apache2-utils
Create your user (let's call it specter
) and type the password:
htpasswd -c /etc/nginx/.htpasswd specter
Add two lines to the server block in the nginx config (/etc/nginx/sites-enabled/default
):
server {
# ...
auth_basic "You shall not pass!";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://127.0.0.1:25441;
}
# ...
}
Restart nginx:
nginx -s reload
Now when you try to access the server it will ask for credentials.