Update README.md

2019-11-11 11:15:11 -08:00 · 2019-11-11 11:15:11 -08:00 · e881e44e96
parent f217d20ca0
commit e881e44e96
1 changed files with 53 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -17,13 +17,8 @@ This version of Zecwallet lightwalletd extends lightwalletd and:

 #### 0. First, install [Go >= 1.11](https://golang.org/dl/#stable).

-#### 1. Generate a TLS self-signed certificate
-```
-openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
-```
-Answer the certificate questions to generate the self-signed certificate
-
-#### 2. You need to run a zcash full node with the following options in zcash.conf
+#### 1. Run a zcash node.
+Start a `zcashd` with the following options:
 ```
 server=1
 rpcuser=user
@ -35,13 +30,61 @@ txindex=1
 insightexplorer=1
 ```

-#### 3. Run the frontend:
-You'll need to use the certificate generated from step 1
+You might need to run with `-reindex` the first time if you are enabling the `txindex` or `insightexplorer` options for the first time. The reindex might take a while.
+
+#### 2. Get a TLS certificate
+##### a. Self-signed certificate if you are running a private instance just for yourself:
+
+Generate a TLS self-signed certificate
 ```
-go run cmd/server/main.go -bind-addr 127.0.0.1:9067 -conf-file ~/.zcash/zcash.conf  -tls-cert cert.pem -tls-key key.pem
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+```
+Answer the certificate questions to generate the self-signed certificate
+##### b. "Let's Encrypt" certificate using NGINX as a reverse proxy
+If you running a public-facing server, the easiest way to obtain a certificate is to use a NGINX reverse proxy and get a Let's Encrypt certificate. [Instructions are here](https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/)
+
+Create a new section for the NGINX reverse proxy:
+```
+server {
+    listen 443 ssl http2;
+ 
+ 
+    ssl_certificate     ssl/cert.pem; # From certbot
+    ssl_certificate_key ssl/key.pem;  # From certbot
+    
+    location / {
+        # Replace localhost:9067 with the address and port of your gRPC server if using a custom port
+        grpc_pass grpc://localhost:9067;
+    }
+}
 ```

+##### c. Use your own TLS certificate
+If you have your own TLS certificate issued by a certificate authority, you can use it directly with the GRPC frontend, as described in the next section
+
+#### 3. Run the frontend:
+You can run the gRPC server with or without TLS, depending on how you configured step 2. If you are using NGINX as a reverse proxy and are letting NGINX handle the TLS authentication, then run the frontend with `-no-tls`
+
+```
+go run cmd/server/main.go -bind-addr 127.0.0.1:9067 -conf-file ~/.zcash/zcash.conf -no-tls
+```
+
+If you have a certificate that you want to use (either self signed, or from a certificate authority), pass the certificate to the frontend:
+
+```
+go run cmd/server/main.go -bind-addr 127.0.0.1:443 -conf-file ~/.zcash/zcash.conf  -tls-cert cert.pem -tls-key key.pem
+```
+
+You should start seeing the frontend ingest and cache the zcash blocks after ~15 seconds. 
+
 #### 4. Point the `zecwallet-cli` to this server
+Connect to your server!
+```
+./zecwallet-cli -server https://mylightwalletd.server.com
+```
+
+If you are using a self-signed certificate, then zecwallet will reject the connection by default (because the certificate isn't from a valid certificate authority. To override this, pass the `--dangerous` flag. Obviously, this is dangerous, so please only use if you are connecting to **your own** server.
+
 ```
 ./zecwallet-cli --server https://127.0.0.1:9067 --dangerous
 ```