Skip to content

Latest commit

 

History

History
108 lines (58 loc) · 2.59 KB

README.md

File metadata and controls

108 lines (58 loc) · 2.59 KB

Ethereum Signed Message Service

  • ESMS was created to distribute GTC tokens to the Gitcoin ecosystem.

  • ESMS is a flask based HTTPS micro service that accepts token claim metadata and returns a signed claim message, merkle leaf, proofs, and original metadata that a user can broadcast to TokenDistributor contract to redeem token claim.

Features/Design

  • NGINX-->Gunincorn-->ESMS

  • HMAC authentication is used to verify the integrity of sender by requiring a valid HMAC signature in the HTTP headers of the request.

Setup & Config

First setup a server to run the ESMS on.

Reverse Proxy

  1. install Nginx

sudo apt install nginx

Nginx can easily be used to expose/proxy to one or more instances of the ESMS. Both of the examples below assume nginx.conf will have a line like:

include /etc/nginx/conf.d/*.conf;

Then your config file(s) live in: /etc/nginx/conf.d/

NGINX proxy config for dev and staging

Or:

NGINX proxy for config for production

  1. Install Certbot

Best to check Certbot official docs as install instructions seem to change frequently. https://certbot.eff.org/instructions

For reference, this guide for Ubuntu20 was used for our setup: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx

sudo snap install core; sudo snap refresh core

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

sudo certbot --nginx

ESMS Service

  1. create & activate Python virtual environment

sudo apt install python3-pip

sudo apt-get install python3-venv

python3 -m venv esms_venv

source esms_venv/bin/activate

  1. download the repository
  2. install requirements
  3. set environmental variables:
  • copy sample.env .env and configure accordingly

  • two envars are left to be set on the command line:

    PRIVATE_KEY & GTC_SIG_KEY

GTC_SIG_KEY is the HMAC secret/key

PRIVATE_KEY is the private key to the ETH account used to sign claims (pub key to this private key will be hardcoded into the token distribution contract)

Run app

testing/Dev: flask run

production: start screen session: screen -S esms_prod

run the app: gunicorn --workers=5 app:gtc_sig_app -b localhost:8000

detach from the screen session: ctrl a, d

when you want to reattach, just run: screen -ls

then reattach with: screen -R esms_prod

Security Considerations

  1. Restrict access to port 80/443 to only trusted app IP(s)
  2. Collect ESMS logs
  3. non-default SSH port
  4. user mgmt - no shared logins! ;), ssh keys et
  5. etc, todo