...
This tunnel is useful for exposing the REST API (port 7743) required by:
Veriff,
Lightning’s LNURL (use with NGINX),
Onfido,
Morphis,
Operator Extensions.
...
Tip |
---|
The browser should display this simple line of text: “BATM LNURL REST Service” |
...
Use with NGINX
When the subdomain is exposed to the public, it should be protected by restricting the path of the URL. This is easily accomplished with an NGINX reverse proxy: the cloudflared tunnel is then pointed at the internal port exposed by NGINX.
This is recommended for endpoints like LNURL or PDF Wallets, where a link is sent to the customer. The public links should not include the /serverapi/ path, or any path that has room for manipulation. The NGINX server block can intercept requests and set the path for a given subdomain, strengthening your security.
Example NGINX server block:
Code Block |
---|
server {
    listen 8701 ssl;
    server_name wallets;
    ssl_certificate /etc/letsencrypt/live/yourcasdomain.com/fullchain.pem; # must be current for LE method
    ssl_certificate_key /etc/letsencrypt/live/yourcasdomain.com/privkey.pem; # must be current for LE method
    access_log /var/log/nginx/wallets_access.log;
    error_log /var/log/nginx/wallets_error.log;
    location / {
        # The request path is appended to this fixed prefix on the CAS REST API,
        # so public links never carry the internal API path themselves.
        proxy_pass https://10.3.2.1:7743/api/v1/crypto-wallets/;
    }
}
|
This exposes internal port https://127.0.0.1:8701 to the cloudflared tunnel, which enables your pdf_wallet setting to point to the subdomain set by the cloudflared tunnel, for example: https://wallets.yourcasdomain.com
NOTE: PDF wallets (when implemented this way) must not be proxied by Cloudflare. This just applies to PDF wallets, due to the way they are implemented (read once).
This configuration will protect CAS and simplify the links sent to your customers.
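The path pinning done by the server block above can be checked with a small model. This is an added example, not part of the original page or of CAS or NGINX code: a simplified Python approximation of how NGINX normalizes a request URI and applies the URI given in proxy_pass. The sample requests and the id abc123 are constructed.

```python
from urllib.parse import unquote

# Values taken from the server block above.
LOCATION = "/"                              # location prefix
PROXY_PASS_URI = "/api/v1/crypto-wallets/"  # URI part of proxy_pass

def normalize(raw_uri):
    """Approximate NGINX URI normalization: drop the query string, decode %XX,
    merge repeated slashes and resolve "." and "..".
    Returns None where NGINX rejects the request with 400."""
    path = unquote(raw_uri.split("?", 1)[0])
    if not path.startswith("/") or "\x00" in path:
        return None
    segments = path.split("/")[1:]
    kept = []
    for seg in segments:
        if seg in ("", "."):
            continue                 # "//" and "/./" collapse
        if seg == "..":
            if not kept:
                return None          # ".." above the root: 400 Bad Request
            kept.pop()
        else:
            kept.append(seg)
    if not kept:
        return "/"
    trailing = segments[-1] in ("", ".", "..")
    return "/" + "/".join(kept) + ("/" if trailing else "")

def upstream_path(raw_uri):
    """Path sent to CAS for a public request, or None if NGINX refuses it.
    With a URI in proxy_pass, the part of the normalized request URI that
    matched the location is replaced by that URI (shown here unescaped)."""
    uri = normalize(raw_uri)
    if uri is None or not uri.startswith(LOCATION):
        return None
    return PROXY_PASS_URI + uri[len(LOCATION):]

if __name__ == "__main__":
    # Constructed sample requests; "abc123" is a made-up wallet id.
    for raw in ["/abc123", "/serverapi/x", "/../serverapi/x",
                "/%2e%2e/serverapi/x", "/a/..%2f..%2fserverapi/", "/a//b/./c/../d"]:
        print(f"{raw:28} -> {upstream_path(raw) or '400 (rejected)'}")
```

Every accepted request ends up below /api/v1/crypto-wallets/, and requests that try to climb out of it with ".." are refused before they reach port 7743.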
...
Troubleshooting
You may start the Cloudflared daemon in the foreground to watch live activity.
...