On Umbrel Home, how to enable SSL for Electrs?

I hope that people can help me figure out how to enable SSL for Electrs on my Umbrel Home.

First I will present some background as a statement of what the problem is that needs solving, and I welcome corrections from people. Then I will talk about what AI suggests, which I think won’t actually work. Finally I welcome any solution that anybody can offer.

Why did I spend many hundreds of dollars to purchase this Umbrel Home? I did it:

  1. so that I could host my own full bitcoin node
  2. so that I could run my own mempool
  3. so that I could run my wallet (Sparrow, Trezor Suite) from Electrs on my own server

Item 1 is a success. I am now running my own full bitcoin node on my Umbrel Home.

Let’s talk through how I accomplished item 2:

  • I installed Nginx proxy manager on my Umbrel Home.
  • Within Nginx, I set up a proxy host that listens on TCP port 40443 for a particular domain name (mempool dot something dot com) and makes use of an SSL certificate and sends the traffic to port 3006 on the Umbrel Home.
  • I set up port forwarding on my main router. It listens to the WAN at port 3006 and sends the traffic to port 40443 at the Umbrel Home server.

Keep in mind that the only reason that the Nginx proxy host works is that the inbound traffic is from a web browser that includes the target hostname (here, mempool dot something dot com) in the HTTP or HTTPS request. So when I am at a non-local location (somewhere outside of the house) and I visit https://mempool-dot-something-dot-com:3006, it is a web browser that makes this happen. The web browser explains to Nginx that the web site that it would like to visit is mempool-dot-something-dot-com, and Nginx uses this to disambiguate the visitor, so as to figure out which of the many configured proxy hosts is the correct one to use for this connection. Nginx figures out that this particular visit should be sent to port 50001 because the web browser said it was looking for mempool-dot-something-dot-com.

So now we turn to item 3. I would like to run my wallet (Sparrow, Trezor Suite) from Electrs on my own server. And yes, I do go outside of my house sometimes. So I am operating my wallet from somewhere in the wild. Meaning, of course, that I need to have SSL (or some other robust encryption) protecting that Electrs traffic.

An AI told me to use Nginx to provide the SSL. The AI said to set up port forwarding on my main router that listens on port 50002 and sends the traffic to the Nginx (which means sending the traffic to port 40443 at the Umbrel Home). The AI said to set up a proxy host in Nginx that uses an SSL certificate and sends the traffic to the non-SSL port (port 50001) of Electrs.

But that dog won’t hunt! The problem is that when my wallet (Sparrow, Trezor Suite) sends traffic to TCP port 50002, there is no target hostname being communicated! There is no web browser involved. Nginx has no way to know which of its configured proxy hosts is the correct one to use for this particular traffic.

Some commenter will, I expect, say:

Well, what did you expect? You were using Clearnet. Of course eavesdroppers can see that traffic. This is why Tor exists. Just tell your wallet to use Tor to reach your Electrs.

But there are at least two reasons why this is not a very helpful answer.

First, if I do this, Electrs still has SSL turned off, and its Tor connection is on port 50001 (the non-SSL port). If I set up my wallet to use the Tor address, the traffic is still unencrypted between my wallet and that first Tor node. My wallet is still on the clearnet all the way from my wallet to that first Tor node. So switching to Tor does not in any way solve the actual problem.

Second, in my experience, even the simplest transaction often takes forever in Tor compared with Clearnet. There is serious latency in most Tor connections.

But fundamentally the problem is that the only way to reach Tor (from, for example, my Android Trezor Suite) is on the clearnet.

Now what I don’t know is whether perhaps the Electrum standard includes some encryption in and of itself. Maybe the Electrum client (my wallet) negotiates a Diffie-Hellman encryption session in real time with the Electrum server? But I have never heard that this is part of the defined Electrum client-server relationship.

I guess some other commenter who lives and breathes Linux world will tell me that the solution is to skip the Umbrel Home GUI and do some deep Linux hacking. Use a Linux CLI to carry out open-heart surgery on the guts of Electrs, to insert an SSL key and SSL cert into the guts of Electrs, and then set some configuration settings to tell Electrs to use that particular SSL key and SSL cert.

Which I don’t want to do. First, part of why I paid the big bucks for my Umbrel Home is so that I can do everything with just a few mouse clicks in the GUI. Part of why I paid the big bucks was that I don’t want to have to (learn how to) do a bunch of deep Linux hacking every time I need to accomplish something that I already paid for, like using my bitcoin wallet in the wild while connected to my own Electrs server in a secure way.

Not to mention, every time my SSL certificate expires, which nowadays is every seven months, I would need to somehow renew the SSL cert by hand and then do yet another deep Linux hack to install it in Electrs.

Keeping in mind as well that every time anybody does a deep Linux hack, there is the chance, however small, of making some mistake and corrupting the system or bricking it.

What am I doing now for my Electrs server connection? On my main router, I am simply listening on the WAN side for inbound traffic on port 50001 and I am forwarding the traffic to port 50001 on the Umbrel Home (which means it goes directly to the Electrs server, bypassing the Nginx proxy manager). Meaning that the wallet traffic passes through the Clearnet.

So I welcome any solution that anybody can offer. And I welcome any comments or corrections to my statement of the problem.
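An added example, not code from the thread or from Umbrel: it shows what a name-based proxy actually gets to route on when a wallet connects. It builds a minimal TLS ClientHello carrying a placeholder hostname (`electrs.example.com`, an assumption) in the server_name (SNI) extension, and a plaintext Electrum `server.version` request, which is newline-delimited JSON-RPC over raw TCP with no hostname field at all, then classifies each as the first bytes a proxy would see.

```python
import json
import struct

EXAMPLE_HOST = "electrs.example.com"  # placeholder, not a real server


def electrum_request(req_id: int, method: str, params: list) -> bytes:
    """Electrum protocol framing: one JSON-RPC object per line over raw TCP."""
    return (json.dumps({"jsonrpc": "2.0", "id": req_id,
                        "method": method, "params": params}) + "\n").encode()


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI."""
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
    ext_body = struct.pack("!H", len(sni_list)) + sni_list
    ext = struct.pack("!HH", 0, len(ext_body)) + ext_body          # extension type 0 = SNI
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite, null compression
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI hostname from a ClientHello, or None if absent or not TLS."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 44 + data[43]                                        # skip headers, version, random, session id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]       # cipher suites
    pos += 1 + data[pos]                                       # compression methods
    if pos + 2 > len(data):
        return None
    end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        if etype == 0:                                         # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", data[pos + 7:pos + 9])[0]
            return data[pos + 9:pos + 9 + name_len].decode()
        pos += 4 + elen
    return None


def classify(first_bytes: bytes) -> str:
    """What a proxy sees first: a TLS hello (routable by SNI) or plaintext Electrum."""
    if first_bytes[:1] == b"\x16":
        sni = extract_sni(first_bytes)
        return f"tls sni={sni}" if sni else "tls no-sni"
    try:
        msg = json.loads(first_bytes.decode().split("\n", 1)[0])
        if "method" in msg:
            return "plaintext electrum, no hostname"           # nothing for a proxy to route on
    except (UnicodeDecodeError, ValueError):
        pass
    return "unknown"
```

A wallet pointed at a hostname over TLS produces the first kind of packet; the port-50001 path the post describes produces the second, which is also the one any eavesdropper can read.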

I don’t know if it’s an option, but you could use Tailscale also, which gives you an encrypted connection directly to your node.


I use Tailscale as well, and I would highly recommend going this way (no port forwarding required). With Tailscale, I can connect to my Umbrel server anywhere outside of my house. And seriously look at the HashWatcher app. They have a great guide where you put “HashWatcher Gateway” on your Umbrel server, and you can check your Bitcoin Miners remotely as well. I followed their step-by-step instructions and had no issues whatsoever.

HashWatcher is free for up to two miners. For more miners (Premium version) it’s $2.99 a month, $19.99 yearly, or a one-time payment of $39.99 for lifetime premium access.

Good to remember that it’s more than 5 years since this:

(Not that it should not be available by default …)

You can install Nginx Proxy Manager (NPM) as a Gateway into your umbrelOS to do this too! NPM is available from the Umbrel App Store.