The monerod running on this server is from the Arch Linux monero package.
It uses this monerod.conf:
data-dir=/var/lib/monero
log-level=0
log-file=/dev/null
rpc-bind-ip=127.0.0.1
rpc-bind-port=8088
restricted-rpc=1
confirm-external-bind=1
p2p-bind-ip=190.211.255.227
no-igd=1
public-node=true
enable-dns-blocklist=true
zmq-rpc-bind-ip=127.0.0.1
zmq-rpc-bind-port=8082
out-peers=128
in-peers=256
limit-rate-up=100000
limit-rate-down=100000
db-sync-mode=fastest:async
db-salvage=1
and is started with this systemd service file:
[Unit]
Description=Monero node
After=network.target
[Service]
User=monero
Group=monero
WorkingDirectory=~
StateDirectory=monero
LogsDirectory=monero
Type=simple
ExecStart=/usr/bin/monerod --config-file /etc/monerod.conf --non-interactive
StandardOutput=null
StandardError=null
Restart=always
[Install]
WantedBy=multi-user.target
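As an added check (not part of the original page or the Monero project), the following script parses a monerod.conf in the key=value format shown above and verifies the properties this setup relies on: the RPC and ZMQ endpoints stay on loopback so only haproxy can reach them, restricted-rpc is on, logging goes to /dev/null, and UPnP mapping is explicitly disabled. The embedded config is a constructed copy of the one above.

```python
import ipaddress

# Constructed copy of the monerod.conf shown above (one key=value per line).
MONEROD_CONF = """\
data-dir=/var/lib/monero
log-level=0
log-file=/dev/null
rpc-bind-ip=127.0.0.1
rpc-bind-port=8088
restricted-rpc=1
confirm-external-bind=1
p2p-bind-ip=190.211.255.227
no-igd=1
public-node=true
enable-dns-blocklist=true
zmq-rpc-bind-ip=127.0.0.1
zmq-rpc-bind-port=8082
"""


def parse_conf(text):
    """Parse monerod's key=value config; '#' starts a comment, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_on(value):
    return value.lower() in ("1", "true", "yes")


def check_privacy_invariants(conf):
    """Return a list of findings; an empty list means the config matches this setup."""
    findings = []
    if not ipaddress.ip_address(conf.get("rpc-bind-ip", "127.0.0.1")).is_loopback:
        findings.append("rpc-bind-ip is not loopback: RPC should only be reachable via haproxy")
    if not is_on(conf.get("restricted-rpc", "0")):
        findings.append("restricted-rpc is off: public clients would get unrestricted methods")
    if conf.get("log-file") != "/dev/null" or conf.get("log-level", "0") != "0":
        findings.append("logging is not disabled (log-file must be /dev/null, log-level 0)")
    if not ipaddress.ip_address(conf.get("zmq-rpc-bind-ip", "127.0.0.1")).is_loopback:
        findings.append("zmq-rpc-bind-ip is not loopback")
    if not is_on(conf.get("no-igd", "0")):
        findings.append("no-igd=1 is missing: UPnP port mapping is not explicitly disabled")
    return findings
```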
monerod listens on 127.0.0.1:8088 because we wanted this Monero node's RPC to be reachable on 190.211.255.227 port 18081 as well as port 443, and to do that we needed a frontend that can forward both ports to a single monerod.
The problem (at least with port 443) is that we're already using it on 190.211.255.227 for a public DNSCrypt resolver/relay.
Fortunately, DNSCrypt has an option to forward TLS (non-DNSCrypt) traffic to an upstream:
[tls]
upstream_addr = "127.0.0.1:7443"
On 127.0.0.1:7443 is a haproxy instance that acts as the frontend for the Monero RPC and this website.
That haproxy's config (with comments added) is:
global
pidfile /var/run/haproxy/monero.pid
user haproxy
group haproxy
defaults
timeout connect 15000
timeout client 15000
timeout server 15000
frontend monerod
mode http
# The IP:port DNSCrypt points to.
# The first SSL certificate (public.deepdns.net.pem) is for https://public.deepdns.net/
# which is a subdomain that points to all the DNS server IPs our VPN clients would use.
# Most of those IPs reverse resolve to public.deepdns.net, so we have it serve a web page
# just in case someone decides to go to it in their browser for whatever reason.
# That second SSL certificate (monero.crt) is for https://xmr.cryptostorm.is/
bind 127.0.0.1:7443 ssl crt /var/sshfs/public.deepdns.net.pem crt /etc/haproxy/monero.crt
# The IP that xmr.cryptostorm.is resolves to.
# We can listen on this port directly since there's no other services using the port.
bind 190.211.255.227:18081 ssl crt /etc/haproxy/monero.crt
# Add CORS to RPC requests
http-response add-header Access-Control-Allow-Origin "*"
# Separate web requests from Monero RPC requests
acl is_deepdns_request ssl_fc_sni -m reg -i ^public.deepdns.net$
acl is_browser_request ssl_fc_sni -m reg -i ^xmr.cryptostorm.is$
# Paths for the image/css/etc. files loaded by this page, none of which are used in
# the Monero RPC, so it shouldn't conflict with that.
acl is_homepage_request path -f /etc/haproxy/monero_paths.lst
# For renewing the xmr.cryptostorm.is SSL certificate
acl is_homepage_request path_reg ^/.well-known/acme-challenge/.+
# Serve https://public.deepdns.net/ if that was the request
use_backend apache_deepdns_backend if is_deepdns_request
# Serve this website if the request was for https://xmr.cryptostorm.is/
# (or https://xmr.cryptostorm.is:18081/)
use_backend static_page_backend-CLEARNET if is_browser_request is_homepage_request
# Serve the Monero RPC if the request wasn't from a web browser
use_backend monerod_backend if is_browser_request !is_homepage_request
# Default to Monero RPC
default_backend monerod_backend
backend apache_deepdns_backend
mode http
# An Apache <VirtualHost> serving https://public.deepdns.net/
# which, for now, just redirects to https://cryptostorm.is/
server deepdns_apache 127.0.0.1:4345 check
backend static_page_backend-CLEARNET
mode http
# An Apache <VirtualHost> serving this page
server static_page 127.0.0.1:8085 check
backend static_page_backend-ONION
mode http
# A separate Apache <VirtualHost> serving this page,
# just in case I wanted to serve a different page for .onion visitors.
# For now, just rendering the same thing as the clearnet page.
server static_page 127.0.0.1:8086 check
# Instead of pointing Tor directly to monerod on localhost, sending it to this IP:port
# so we can add CORS, and serve this web page if the request isn't for the Monero RPC.
frontend monerod_fe_for_onion
# /etc/tor/torrc:
# HiddenServiceDir /var/lib/tor/csxmritzk2qdgqmou2vwyrwu65xabimvmeniestaartks4fhlocfoeyd.onion/
# HiddenServiceVersion 3
# HiddenServicePort 80 127.0.0.1:8084
# HiddenServicePort 18081 127.0.0.1:8084
# which allows this website and the Monero RPC to be accessible at
# csxmritzk2qdgqmou2vwyrwu65xabimvmeniestaartks4fhlocfoeyd.onion
# on port 80 or 18081
bind 127.0.0.1:8084
mode http
http-response add-header Access-Control-Allow-Origin "*"
acl is_homepage_request path -f /etc/haproxy/monero_paths.lst
use_backend static_page_backend-ONION if is_homepage_request
default_backend monerod_backend
backend monerod_backend
mode http
server monerod 127.0.0.1:8088 check
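To make the routing decisions in the haproxy config above explicit, here is an added model of them (example code written for this page, not haproxy itself or the page's own code). It reproduces the frontend's ACLs with the page's own regexes and the rule that two acl lines sharing a name are ORed. The contents of /etc/haproxy/monero_paths.lst are not shown on the page, so the path set below is an assumption.

```python
import re

# Assumed stand-in for /etc/haproxy/monero_paths.lst (the real list is not on the page).
# 'path -f' in haproxy is an exact string match against the file's entries.
HOMEPAGE_PATHS = {"/", "/index.html", "/style.css", "/logo.png"}

# The page's own patterns. ssl_fc_sni -m reg -i is a case-insensitive regex, and the
# unescaped dots in the hostnames match any character, just as haproxy evaluates them.
DEEPDNS_SNI_RE = re.compile(r"^public.deepdns.net$", re.IGNORECASE)
BROWSER_SNI_RE = re.compile(r"^xmr.cryptostorm.is$", re.IGNORECASE)
ACME_RE = re.compile(r"^/\.well-known/acme-challenge/.+")


def is_homepage_request(path):
    # Both 'acl is_homepage_request' lines share a name, so the ACL is true if
    # either the path-file match or the ACME challenge regex matches.
    return path in HOMEPAGE_PATHS or ACME_RE.match(path) is not None


def route_clearnet(sni, path):
    """Backend chosen by 'frontend monerod' for a TLS request with this SNI and path."""
    sni = sni or ""  # a client that sends no SNI matches neither hostname ACL
    is_deepdns = DEEPDNS_SNI_RE.match(sni) is not None
    is_browser = BROWSER_SNI_RE.match(sni) is not None
    homepage = is_homepage_request(path)
    # use_backend rules are evaluated top to bottom; the first true condition wins,
    # and terms on one line are ANDed.
    if is_deepdns:
        return "apache_deepdns_backend"
    if is_browser and homepage:
        return "static_page_backend-CLEARNET"
    if is_browser and not homepage:
        return "monerod_backend"
    return "monerod_backend"  # default_backend


def route_onion(path):
    """Backend chosen by 'frontend monerod_fe_for_onion' (plain HTTP from Tor, no SNI)."""
    if is_homepage_request(path):
        return "static_page_backend-ONION"
    return "monerod_backend"  # default_backend
```

The ACME path lands on the static backend even though it is not in the path file, which is what lets certificate renewal work without touching monerod.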
As you can see, none of the software involved has logging enabled, but just in case something does somehow write to /var/log/, that directory is mounted as a tmpfs so that it gets wiped if the server reboots:
$ mount | grep /var/log
tmpfs on /var/log type tmpfs (rw,nosuid,nodev,noexec,noatime,size=512000k,mode=1755,inode64)