Deploy: StackPath’s web application firewall to protect your Solana RPC

web3 security

In the friendly pastures of web3 builders lean far forward into whatever glass they’re chewing. Scaling comes with success and success from credibility. At any point in your execution into the global jungle of the mainstream an attack might damage your credibility. As a projects credibility can make or break it’s success, security must then be considered a domain problem in the ideation phase.

  • “Organic” DDoS attacks: legitimate users spamming requests that overwhelm your RPC node.
  • Bots performing massive amounts of requests in a short period of time such as during an NFT mint. Not only does this pose a risk to your RPC node, it also creates a situation where bots have an unfair advantage against legitimate users!
  • l3/l4/l7 DDoS attacks against your public facing URL. If someone buys a darknet DDoS attack against (or whatever URL your RPC is at), will your RPC stay up?

How WAF can protect your RPC

A firewall is a term so ubiquitous it’s lost some meaning. In this case, a web application firewall (WAF) is a hosted security component that protects web applications from attackers by analyzing and filtering traffic. A WAF should absolutely be used to be secure your projects web2.0 domain, but it can also be used to secure your RPC.

Typical Web2.0 deployment of WAF
  • Quick setup. Quickly configure and fine tune rate limiting to your projects needs.
  • Scale like you need to. Massively, globally, seamlessly.
  • Easy GUI management and analytics. Or use our developer friendly API back end.

Overview of WAF + RPC Architecture

This deployment provides an efficient application of rate limiting for RPC nodes. It also provides DDoS protection so long as your IP address remains private.

RPC protected by SP// WAF
  • The DNS request resolves to an anycast IP address. An anycast IP address resolve to the closest physical SP// location to the user. In most cases this resolves to a SP// WAF instance operating in an internet exchange within 5ms of distance of the user.
  • The WAF than makes a determination whether to approve the request. Is it part of a DDoS? Is the IP address rate limited? Does it violate a IP reputation rule? Etc.
  • If approved, the request travels across SP//’s private network backbone to the RPC node. The RPC node processes the request and responds, and the response flows backwards. There is a latency advantage in SP//’s private global network when compared to the request traversing the public internet.
  • In my testing this entire process has the same response time as using a public RPC node provided by the Solana foundation. Response times from my location in Dallas to my RPC in Miami are taking about 80–100ms round-trip.

Setup: WAF on the StackPath Portal

  1. Create a StackPath account.
  2. Create a site.
  3. Add WAF to site.
  4. Configure WAF with the following settings.
As configured this rule will allow from an IP address 50 requests in a 3 minute period and block any requests from an IP address that has made more than 50 requests within a 3 minute period. After 3 minutes is up the counter resets.

Setup: WAF on your RPC

If you’re setting up an RPC on StackPath, checkout my guide for setting up a node on StackPath first.

  1. Configure your infrastructure provider’s network policies.
In StackPath’s Solana portal I’ve opened up 8000-8020 for TCP/UDP for Solana and 8080–8081 for the RPC.
curl --request GET \--url '' \--header 'Authorization: Bearer yourtokenhere'###
for i in $(cat stackpathiplist.txt);
sudo ufw allow from "$i" to any port 8080
sudo ufw allow 8000:8020/udp
sudo ufw allow ssh
--rpc-port 8080 // The RPC port should be configured to 8080--dynamic-port-range 8000–8020 // There is flexibility here, but it should match what the ports you allowed in UFW and the infrastructure provider's network policies--public-rpc-address // I noticed when you use this as your public IP address it shows the RPC public address as "None" in Gossip even without the --private-rpc flag enabled--no-port-check // Otherwise it will attempt to check and cause an error


Now that it’s up, lets look at it in action.

❤ vscode
My home IP address redacted.
Personal information redacted.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store