* [Securing the communication between RPC daemon and TG instance via TLS and authentication](#securing-the-communication-between-rpc-daemon-and-tg-instance-via-tls-and-authentication)
* [Ethstats](#ethstats)
* [Allowing only specific methods (Allowlist)](#allowing-only-specific-methods--allowlist-)
This brings many benefits including easier development, the ability to run multiple daemons at once, and the ability to run the daemon remotely. It is possible to run the daemon locally as well (read-only) if both processes have access to the data folder.
## Getting Started
The `rpcdaemon` gets built as part of the main `turbo-geth` build process, but you can build it directly with this command:
If both `--chaindata` and `--private.api.addr` options are used for RPC daemon, it works in a "dual" mode. This only works when RPC daemon is on the same computer as turbo-geth. In this mode, most data transfer from turbo-geth to RPC daemon happens via shared memory, only certain things (like new header notifications) happen via TPC socket.
Also, there are [extensive instructions for using Postman](https://github.com/ledgerwatch/turbo-geth/wiki/Using-Postman-to-Test-TurboGeth-RPC) to test the RPC.
1. Generate key pair for the Certificate Authority (CA). The private key of CA will be used to authorise new turbo-geth instances as well as new RPC daemon instances, so that they can mutually authenticate.
2. Create CA certificate file that needs to be deployed on any turbo-geth instance and any RPC daemon. This CA cerf file is used as a "root of trust", whatever is in it, will be trusted by the participants when they authenticate their counterparts.
3. For each turbo-geth instance and each RPC daemon instance, generate a key pair. If you are lazy, you can generate one pair for all turbo-geth nodes, and one pair for all RPC daemons, and copy these keys around.
4. Using the CA private key, create cerificate file for each public key generated on the previous step. This effectively "inducts" these keys into the "cluster of trust".
5. On each instance, deploy 3 files - CA certificate, instance key, and certificate signed by CA for this instance key.
Following is the detailed description of how it can be done using `openssl` suite of tools.
Generate CA key pair using Elliptic Curve (as opposed to RSA). The generated CA key will be in the file `CA-key.pem`. Access to this file will allow anyone to later include any new instance key pair into the "cluster of trust", so keep it secure.
Create CA self-signed certificate (this command will ask questions, answers aren't important for now). The file created by this command is `CA-cert.pem`
When this is all done, these three files need to be placed on the machine where turbo-geth is running: `CA-cert.pem`, `TG-key.pem`, `TG.crt`. And turbo-geth needs to be run with these extra options:
On the RPC daemon machine, these three files need to be placed: `CA-cert.pem`, `RPC-key.pem`, and `RPC.crt`. And RPC daemon needs to be started with these extra options:
**WARNING** Normally, the "client side" (which in our case is RPC daemon), verifies that the host name of the server matches the "Common Name" attribute of the "server" cerificate. At this stage, this verification is turned off, and it will be turned on again once we have updated the instruction above on how to properly generate cerificates with "Common Name".
When running turbo-geth instance in the Google Cloud, for example, you need to specify the **Internal IP** in the `--private.api.addr` option. And, you will need to open the firewall on the port you are using, to that connection to the turbo-geth instances can be made.
Then update your `app.json` for ethstats-client like that:
```json
[
{
"name" : "ethstats",
"script" : "app.js",
"log_date_format" : "YYYY-MM-DD HH:mm Z",
"merge_logs" : false,
"watch" : false,
"max_restarts" : 10,
"exec_interpreter" : "node",
"exec_mode" : "fork_mode",
"env":
{
"NODE_ENV" : "production",
"RPC_HOST" : "localhost",
"RPC_PORT" : "8545",
"LISTENING_PORT" : "30303",
"INSTANCE_NAME" : "turbo-geth node",
"CONTACT_DETAILS" : <yourtwitterhandle>,
"WS_SERVER" : "wss://ethstats.net/api",
"WS_SECRET" : <putyoursecretkeythere>,
"VERBOSITY" : 2
}
}
]
```
Run ethstats-client through pm2 as usual.
You will see these warnings in the RPC daemon output, but they are expected
```
WARN [11-05|09:03:47.911] Served conn=127.0.0.1:59753 method=eth_newBlockFilter reqid=5 t="21.194µs" err="the method eth_newBlockFilter does not exist/is not available"
WARN [11-05|09:03:47.911] Served conn=127.0.0.1:59754 method=eth_newPendingTransactionFilter reqid=6 t="9.053µs" err="the method eth_newPendingTransactionFilter does not exist/is not available"
There are still many open issues with the TurboGeth tracing routines. Please see [this issue](https://github.com/ledgerwatch/turbo-geth/issues/1119#issuecomment-699028019) for the current open / known issues related to tracing.
### Clients getting timeout, but server load is low
In this case: increase default rate-limit -
amount of requests server handle simultaneously - requests over this limit will wait.
Increase it - if your 'hot data' is small or have much RAM or see "request timeout" while server load is low.
