SSL/TLS for incoming connections

Requirements

  1. xmrig-proxy v2.9+ built with OpenSSL support.
  2. Valid TLS certificate with private key in the PEM format.
  3. At least one bind port with enabled TLS.

Certificate

The best option is to obtain a trusted certificate from Let's Encrypt; if that is not possible, you can use a self-signed certificate.

Bind

Example bind configuration:

"bind": [
    {
        "host": "0.0.0.0",
        "port": 443,
        "tls": true
    }
],

Command line equivalent is --tls-bind 0.0.0.0:443.

TLS options

Example tls configuration:

"tls": {
    "cert": "/etc/letsencrypt/live/donate.ssl.xmrig.com/fullchain.pem",
    "cert_key": "/etc/letsencrypt/live/donate.ssl.xmrig.com/privkey.pem",
    "dhparam": "dhparam.pem",
    "protocols": null,
    "ciphers": null,
    "ciphersuites": null
},

Command line equivalent is --tls-cert /etc/letsencrypt/live/donate.ssl.xmrig.com/fullchain.pem --tls-cert-key /etc/letsencrypt/live/donate.ssl.xmrig.com/privkey.pem --tls-dhparam dhparam.pem.

The cert and cert_key options are required and must be configured correctly to use TLS. dhparam is optional, but recommended for enhanced security. All other options are for advanced usage and usually do not need to be changed.

List of all available options

cert
  Load the TLS certificate chain from a file in the PEM format.
  Syntax:  "tls": { "cert": file }  /  --tls-cert file
  Default: null
  Example: "/etc/letsencrypt/live/<domain>/fullchain.pem"
  OpenSSL: SSL_CTX_use_certificate_chain_file

cert_key
  Load the TLS certificate private key from a file in the PEM format.
  Syntax:  "tls": { "cert_key": file }  /  --tls-cert-key file
  Default: null
  Example: "/etc/letsencrypt/live/<domain>/privkey.pem"
  OpenSSL: SSL_CTX_use_PrivateKey_file

dhparam
  Load DH parameters for DHE ciphers from a file in the PEM format.
  Syntax:  "tls": { "dhparam": file }  /  --tls-dhparam file
  Default: null
  Example: "dhparam.pem"
  OpenSSL: SSL_CTX_set_tmp_dh

  Optional, but recommended for enhanced security.
  To generate your dhparam.pem file, run in the terminal: openssl dhparam -out dhparam.pem 2048

protocols
  Enable only the specified TLS protocol versions.
  Syntax:  "tls": { "protocols": protocols }  /  --tls-protocols protocols
  Default: null
  Example: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

  If no protocol list is specified, the OpenSSL defaults are used. SSLv2 and SSLv3 are always disabled as insecure.

ciphers
  Set the list of available ciphers (TLSv1.2 and below).
  Syntax:  "tls": { "ciphers": ciphers }  /  --tls-ciphers ciphers
  Default: null
  Example: "HIGH:!aNULL:!MD5"
  OpenSSL: SSL_CTX_set_cipher_list

ciphersuites
  Set the list of available TLSv1.3 ciphersuites.
  Syntax:  "tls": { "ciphersuites": ciphersuites }  /  --tls-ciphersuites ciphersuites
  Default: null
  Example: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
  OpenSSL: SSL_CTX_set_ciphersuites
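The following Python script is an added example for the bind/tls configuration above and for the protocols/ciphers options just listed; it is not code from xmrig-proxy or from this page. It takes a config fragment in the shape shown above, renders the equivalent --tls-* command line, and lints the values before deployment: it checks that at least one bind entry has TLS enabled, that cert and cert_key are set (and exist, when file checks are on), warns when dhparam is missing, rejects unknown protocol names, and asks the local OpenSSL, through Python's ssl module, to parse the ciphers string the way SSL_CTX_set_cipher_list would. The paths, the example.invalid domain and the sample config are constructed placeholders, and treating TLSv1/TLSv1.1 as deprecated is this example's own assumption from current IETF guidance, not an xmrig-proxy rule.

```python
"""Lint an xmrig-proxy "bind"/"tls" config fragment and render the --tls-* flags.

Added example for this page, not code from xmrig-proxy.  Flag names and option
keys come from the page; the TLSv1/TLSv1.1 deprecation is an assumption.
"""
import os
import ssl

# Protocol names the "protocols" option accepts, taken from the page's example.
KNOWN_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions a defender would not enable on a new deployment (assumption, not a
# rule of xmrig-proxy).
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# JSON key -> command-line flag, in the order the page documents them.
TLS_FLAGS = (
    ("cert", "--tls-cert"),
    ("cert_key", "--tls-cert-key"),
    ("dhparam", "--tls-dhparam"),
    ("protocols", "--tls-protocols"),
    ("ciphers", "--tls-ciphers"),
    ("ciphersuites", "--tls-ciphersuites"),
)

# Constructed sample config mirroring the page's examples; example.invalid is a
# placeholder domain, not a real deployment.
SAMPLE_CONFIG = {
    "bind": [
        {"host": "0.0.0.0", "port": 443, "tls": True},
        {"host": "0.0.0.0", "port": 3333, "tls": False},
    ],
    "tls": {
        "cert": "/etc/letsencrypt/live/example.invalid/fullchain.pem",
        "cert_key": "/etc/letsencrypt/live/example.invalid/privkey.pem",
        "dhparam": "dhparam.pem",
        "protocols": "TLSv1.1 TLSv1.2 TLSv1.3",
        "ciphers": "HIGH:!aNULL:!MD5",
        "ciphersuites": None,
    },
}


def render_cli(config):
    """Translate the JSON fragment into the --tls-* flags listed on the page.

    Only TLS-enabled bind entries are rendered; plain binds are out of scope here.
    """
    args = []
    for entry in config.get("bind") or []:
        if entry.get("tls"):
            args += ["--tls-bind", f"{entry['host']}:{entry['port']}"]
    tls = config.get("tls") or {}
    for key, flag in TLS_FLAGS:
        if tls.get(key):  # null or missing options are left to OpenSSL defaults
            args += [flag, tls[key]]
    return args


def lint_tls(config, check_files=True):
    """Return (severity, message) findings; severity is "error" or "warn"."""
    findings = []
    tls = config.get("tls") or {}
    binds = config.get("bind") or []

    # Requirement 3 on the page: at least one bind port with TLS enabled.
    if not any(entry.get("tls") for entry in binds):
        findings.append(("error", 'no bind entry has "tls": true'))

    # cert and cert_key are required; check they are set and, optionally, exist.
    for key in ("cert", "cert_key"):
        if not tls.get(key):
            findings.append(("error", f'"{key}" is required for TLS'))
        elif check_files and not os.path.isfile(tls[key]):
            findings.append(("error", f'"{key}" file not found: {tls[key]}'))

    # dhparam is optional, but the page recommends it.
    if not tls.get("dhparam"):
        findings.append(("warn", '"dhparam" not set (optional, but recommended)'))

    # protocols: reject unknown names, flag deprecated versions.
    for name in (tls.get("protocols") or "").split():
        if name not in KNOWN_PROTOCOLS:
            findings.append(("error", f"unknown protocol name {name!r}"))
        elif name in DEPRECATED_PROTOCOLS:
            findings.append(("warn", f"{name} is deprecated; prefer TLSv1.2/TLSv1.3"))

    # ciphers: let the local OpenSSL parse the string exactly as
    # SSL_CTX_set_cipher_list would, so a typo surfaces before deployment.
    if tls.get("ciphers"):
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(tls["ciphers"])
        except ssl.SSLError as exc:
            findings.append(("error", f'"ciphers" rejected by OpenSSL: {exc}'))

    # ciphersuites: Python exposes no setter, so only the TLSv1.3 naming is checked.
    for suite in (tls.get("ciphersuites") or "").split(":"):
        if suite and not suite.startswith("TLS_"):
            findings.append(("error", f"{suite!r} is not a TLSv1.3 ciphersuite name"))

    return findings


def has_errors(findings):
    """True when any finding would prevent a working TLS listener."""
    return any(sev == "error" for sev, _ in findings)


if __name__ == "__main__":
    print(" ".join(render_cli(SAMPLE_CONFIG)))
    for sev, msg in lint_tls(SAMPLE_CONFIG, check_files=False):
        print(f"[{sev}] {msg}")
```

Run it against your own config.json with check_files=True on the proxy host so the file-existence checks apply; the cipher check uses whichever OpenSSL your Python links against, which may differ from the one xmrig-proxy was built with, so treat it as a pre-flight check rather than a guarantee.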