Hello,
I recently take a quite big server where I'm running Bitcoind with txindex=1 and I think it can be interesting for people to have access to this.
In order to make it accessible I activated rpcbindaddress=0.0.0.0. For now I whitelisted two IPs but my idea is to put accessible to everyone. But it seems to be very dangerous according to every documentations and help.
I put here my conf and I'm very interested to understand how to give endpoints accessible by anyone to have Bitcoin info. I removed some unused options.
I own the server and can modify everything.
Hope to understand all of this and don't make too many mistakes in order to do this.
##
## bitcoin.conf configuration file.
## Generated by contrib/devtools/gen-bitcoin-conf.sh.
##
## Lines beginning with # are comments.
## All possible configuration options are provided. To use, copy this file
## to your data directory (default or specified by -datadir), uncomment
## options you would like to change, and save the file.
##
### Options
# Execute command when an alert is raised (%s in cmd is replaced by
# message)
#alertnotify=<cmd>
# For backwards compatibility, treat an unused bitcoin.conf file in the
# datadir as a warning, not an error.
#allowignoredconf=1
# If this block is in the chain assume that it and its ancestors are valid
# and potentially skip their script verification (0 to verify all,
# default:
# 000000000000000000026811d149d4d261995ec5b3f64f439a0a10e1a464af9a,
# testnet:
# 000000000001323071f38f21ea5aae529ece491eadaccce506a59bcc2d968917,
# signet:
# 0000000870f15246ba23c16e370a7ffb1fc8a3dcf8cb4492882ed4b0e3d4cd26)
#assumevalid=<hex>
# Maintain an index of compact filters by block (default: 0, values:
# basic). If <type> is not supplied or if <type> = 1, indexes for
# all known types are enabled.
#blockfilterindex=<type>
# Execute command when the best block changes (%s in cmd is replaced by
# block hash)
#blocknotify=<cmd>
# Extra transactions to keep in memory for compact block reconstructions
# (default: 100)
#blockreconstructionextratxn=<n>
# Specify directory to hold blocks subdirectory for *.dat files (default:
# <datadir>)
#blocksdir=<dir>
# Whether to reject transactions from network peers. Disables automatic
# broadcast and rebroadcast of transactions, unless the source peer
# has the 'forcerelay' permission. RPC transactions are not
# affected. (default: 0)
#blocksonly=1
# Maintain coinstats index used by the gettxoutsetinfo RPC (default: 0)
coinstatsindex=1
# Maintain a full transaction index, used by the getrawtransaction rpc
# call (default: 0)
txindex=1
# Print version and exit
#version=1
### Connection options
# Add a node to connect to and attempt to keep the connection open (see
# the addnode RPC help for more info). This option can be specified
# multiple times to add multiple nodes; connections are limited to
# 8 at a time and are counted separately from the -maxconnections
# limit.
#addnode=<ip>
# Specify asn mapping used for bucketing of the peers (default:
# ip_asn.map). Relative paths will be prefixed by the net-specific
# datadir location.
#asmap=<file>
# Default duration (in seconds) of manually configured bans (default:
# 86400)
#bantime=<n>
# Bind to given address and always listen on it (default: 0.0.0.0). Use
# [host]:port notation for IPv6. Append =onion to tag any incoming
# connections to that address and port as incoming Tor connections
# (default: 127.0.0.1:8334=onion, testnet: 127.0.0.1:18334=onion,
# signet: 127.0.0.1:38334=onion, regtest: 127.0.0.1:18445=onion)
#bind=<addr>[:<port>][=onion]
# If set, then this host is configured for CJDNS (connecting to fc00::/8
# addresses would lead us to the CJDNS network, see doc/cjdns.md)
# (default: 0)
#cjdnsreachable=1
# Connect only to the specified node; -noconnect disables automatic
# connections (the rules for this peer are the same as for
# -addnode). This option can be specified multiple times to connect
# to multiple nodes.
#connect=<ip>
# Discover own IP addresses (default: 1 when listening and no -externalip
# or -proxy)
#discover=1
# Allow DNS lookups for -addnode, -seednode and -connect (default: 1)
#dns=1
# Query for peer addresses via DNS lookup, if low on addresses (default: 1
# unless -connect used or -maxconnections=0)
#dnsseed=1
# Specify your own public address
externalip=94.16.123.98
# Allow fixed seeds if DNS seeds don't provide peers (default: 1)
#fixedseeds=1
# Always query for peer addresses via DNS lookup (default: 0)
#forcednsseed=1
# Whether to accept inbound I2P connections (default: 1). Ignored if
# -i2psam is not set. Listening for inbound I2P connections is done
# through the SAM proxy, not by binding to a local address and
# port.
#i2pacceptincoming=1
# I2P SAM proxy to reach I2P peers and accept I2P connections (default:
# none)
#i2psam=<ip:port>
# Accept connections from outside (default: 1 if no -proxy, -connect or
# -maxconnections=0)
listen=1
# Automatically create Tor onion service (default: 1)
#listenonion=1
# Maintain at most <n> automatic connections to peers (default: 125). This
# limit does not apply to connections manually added via -addnode
# or the addnode RPC, which have a separate limit of 8.
#maxconnections=<n>
# Maximum per-connection receive buffer, <n>*1000 bytes (default: 5000)
#maxreceivebuffer=<n>
# Maximum per-connection memory usage for the send buffer, <n>*1000 bytes
# (default: 1000)
#maxsendbuffer=<n>
# Maximum allowed median peer time offset adjustment. Local perspective of
# time may be influenced by outbound peers forward or backward by
# this amount (default: 4200 seconds).
#maxtimeadjustment=1
# Tries to keep outbound traffic under the given target per 24h. Limit
# does not apply to peers with 'download' permission or blocks
# created within past week. 0 = no limit (default: 0M). Optional
# suffix units [k|K|m|M|g|G|t|T] (default: M). Lowercase is 1000
# base while uppercase is 1024 base
#maxuploadtarget=<n>
# Use NAT-PMP to map the listening port (default: 0)
#natpmp=1
# Enable all P2P network activity (default: 1). Can be changed by the
# setnetworkactive RPC command
networkactive=1
# Use separate SOCKS5 proxy to reach peers via Tor onion services, set
# -noonion to disable (default: -proxy). May be a local file path
# prefixed with 'unix:'.
#onion=<ip:port|path>
# Make automatic outbound connections only to network <net> (ipv4, ipv6,
# onion, i2p, cjdns). Inbound and manual connections are not
# affected by this option. It can be specified multiple times to
# allow multiple networks.
#onlynet=<net>
# Serve compact block filters to peers per BIP 157 (default: 0)
#peerblockfilters=1
# Support filtering of blocks and transaction with bloom filters (default:
# 0)
#peerbloomfilters=1
# Listen for connections on <port>. Nodes not using the default ports
# (default: 8333, testnet: 18333, signet: 38333, regtest: 18444)
# are unlikely to get incoming connections. Not relevant for I2P
# (see doc/i2p.md).
#port=<port>
# Connect through SOCKS5 proxy, set -noproxy to disable (default:
# disabled). May be a local file path prefixed with 'unix:' if the
# proxy supports it.
#proxy=<ip:port|path>
# Randomize credentials for every proxy connection. This enables Tor
# stream isolation (default: 1)
#proxyrandomize=1
# Connect to a node to retrieve peer addresses, and disconnect. This
# option can be specified multiple times to connect to multiple
# nodes.
#seednode=<ip>
# Specify socket connection timeout in milliseconds. If an initial attempt
# to connect is unsuccessful after this amount of time, drop it
# (minimum: 1, default: 5000)
#timeout=<n>
# Tor control host and port to use if onion listening enabled (default:
# 127.0.0.1:9051). If no port is specified, the default port of
# 9051 will be used.
#torcontrol=<ip>:<port>
# Tor control port password (default: empty)
#torpassword=<pass>
# Use UPnP to map the listening port (default: 1 when listening and no
# -proxy)
#upnp=1
# Support v2 transport (default: 1)
#v2transport=1
# Bind to the given address and add permission flags to the peers
# connecting to it. Use [host]:port notation for IPv6. Allowed
# permissions: bloomfilter (allow requesting BIP37 filtered blocks
# and transactions), noban (do not ban for misbehavior; implies
# download), forcerelay (relay transactions that are already in the
# mempool; implies relay), relay (relay even in -blocksonly mode,
# and unlimited transaction announcements), mempool (allow
# requesting BIP35 mempool contents), download (allow getheaders
# during IBD, no disconnect after maxuploadtarget limit), addr
# (responses to GETADDR avoid hitting the cache and contain random
# records with the most up-to-date info). Specify multiple
# permissions separated by commas (default:
# download,noban,mempool,relay). Can be specified multiple times.
#whitebind=<[permissions@]addr>
# Add permission flags to the peers using the given IP address (e.g.
# 1.2.3.4) or CIDR-notated network (e.g. 1.2.3.0/24). Uses the same
# permissions as -whitebind. Additional flags "in" and "out"
# control whether permissions apply to incoming connections and/or
# manual (default: incoming only). Can be specified multiple times.
#whitelist=<[permissions@]IP address or network>
### Wallet options
# What type of addresses to use ("legacy", "p2sh-segwit", "bech32", or
# "bech32m", default: "bech32")
#addresstype=1
# Group outputs by address, selecting many (possibly all) or none, instead
# of selecting on a per-output basis. Privacy is improved as
# addresses are mostly swept with fewer transactions and outputs
# are aggregated in clean change addresses. It may result in higher
# fees due to less optimal coin selection caused by this added
# limitation and possibly a larger-than-necessary number of inputs
# being used. Always enabled for wallets with "avoid_reuse"
# enabled, otherwise default: 0.
#avoidpartialspends=1
# What type of change to use ("legacy", "p2sh-segwit", "bech32", or
# "bech32m"). Default is "legacy" when -addresstype=legacy, else it
# is an implementation detail.
#changetype=1
# The maximum feerate (in BTC/kvB) at which transaction building may use
# more inputs than strictly necessary so that the wallet's UTXO
# pool can be reduced (default: 0.0001).
#consolidatefeerate=<amt>
# Do not load the wallet and disable wallet RPC calls
#disablewallet=1
# The fee rate (in BTC/kvB) that indicates your tolerance for discarding
# change by adding it to the fee (default: 0.0001). Note: An output
# is discarded if it is dust at this rate, but we will always
# discard up to the dust relay fee and a discard fee above that is
# limited by the fee estimate for the longest target
#discardfee=<amt>
# A fee rate (in BTC/kvB) that will be used when fee estimation has
# insufficient data. 0 to entirely disable the fallbackfee feature.
# (default: 0.00)
#fallbackfee=<amt>
# Set key pool size to <n> (default: 1000). Warning: Smaller sizes may
# increase the risk of losing funds when restoring from an old
# backup, if none of the addresses in the original keypool have
# been used.
#keypool=<n>
# Spend up to this amount in additional (absolute) fees (in BTC) if it
# allows the use of partial spend avoidance (default: 0.00)
#maxapsfee=<n>
# Fee rates (in BTC/kvB) smaller than this are considered zero fee for
# transaction creation (default: 0.00001)
#mintxfee=<amt>
# Fee rate (in BTC/kvB) to add to transactions you send (default: 0.00)
#paytxfee=<amt>
# External signing tool, see doc/external-signer.md
#signer=<cmd>
# Spend unconfirmed change when sending transactions (default: 1)
#spendzeroconfchange=1
# If paytxfee is not set, include enough fee so transactions begin
# confirmation on average within n blocks (default: 6)
#txconfirmtarget=<n>
# Specify wallet path to load at startup. Can be used multiple times to
# load multiple wallets. Path is to a directory containing wallet
# data and log files. If the path is not absolute, it is
# interpreted relative to <walletdir>. This only loads existing
# wallets and does not create new ones. For backwards compatibility
# this also accepts names of existing top-level data files in
# <walletdir>.
#wallet=<path>
# Make the wallet broadcast transactions (default: 1)
#walletbroadcast=1
# Specify directory to hold wallets (default: <datadir>/wallets if it
# exists, otherwise <datadir>)
#walletdir=<dir>
# Execute command when a wallet transaction changes. %s in cmd is replaced
# by TxID, %w is replaced by wallet name, %b is replaced by the
# hash of the block including the transaction (set to 'unconfirmed'
# if the transaction is not included) and %h is replaced by the
# block height (-1 if not included). %w is not currently
# implemented on windows. On systems where %w is supported, it
# should NOT be quoted because this would break shell escaping used
# to invoke the command.
#walletnotify=<cmd>
# Send transactions with full-RBF opt-in enabled (RPC only, default: 1)
walletrbf=1
### Node relay options
# Equivalent bytes per sigop in transactions for relay and mining
# (default: 20)
#bytespersigop=1
# Relay and mine data carrier transactions (default: 1)
#datacarrier=1
# Relay and mine transactions whose data-carrying raw scriptPubKey is of
# this size or less (default: 83)
#datacarriersize=1
# Accept transaction replace-by-fee without requiring replaceability
# signaling (default: 0)
mempoolfullrbf=1
# Fees (in BTC/kvB) smaller than this are considered zero fee for
# relaying, mining and transaction creation (default: 0.00001)
#minrelaytxfee=<amt>
# Relay non-P2SH multisig (default: 1)
#permitbaremultisig=1
# Add 'forcerelay' permission to whitelisted peers with default
# permissions. This will relay transactions even if the
# transactions were already in the mempool. (default: 0)
#whitelistforcerelay=1
# Add 'relay' permission to whitelisted peers with default permissions.
# This will accept relayed transactions even when not relaying
# transactions (default: 1)
#whitelistrelay=1
### Block creation options
# Set maximum BIP141 block weight (default: 3996000)
#blockmaxweight=<n>
# Set lowest fee rate (in BTC/kvB) for transactions to be included in
# block creation. (default: 0.00001)
#blockmintxfee=<amt>
### RPC server options
# Accept public REST requests (default: 0)
rest=1
# Allow JSON-RPC connections from specified source. Valid values for <ip>
# are a single IP (e.g. 1.2.3.4), a network/netmask (e.g.
# 1.2.3.4/255.255.255.0), a network/CIDR (e.g. 1.2.3.4/24), all
# ipv4 (0.0.0.0/0), or all ipv6 (::/0). This option can be
# specified multiple times
rpcallowip=MY_IP_1
rpcallowip=MY_IP_2
# Username and HMAC-SHA-256 hashed password for JSON-RPC connections. The
# field <userpw> comes in the format: <USERNAME>:<SALT>$<HASH>. A
# canonical python script is included in share/rpcauth. The client
# then connects normally using the
# rpcuser=<USERNAME>/rpcpassword=<PASSWORD> pair of arguments. This
# option can be specified multiple times
rpcauth=USER:0949c0b552d208e24608d4896e706422$15b778b47156bc76545a262452a6475db8d78a8a3639c2d044ee2a6a73675ea7
# Bind to given address to listen for JSON-RPC connections. Do not expose
# the RPC server to untrusted networks such as the public internet!
# This option is ignored unless -rpcallowip is also passed. Port is
# optional and overrides -rpcport. Use [host]:port notation for
# IPv6. This option can be specified multiple times (default:
# 127.0.0.1 and ::1 i.e., localhost)
rpcbind=0.0.0.0:8332
# Location of the auth cookie. Relative paths will be prefixed by a
# net-specific datadir location. (default: data dir)
#rpccookiefile=<loc>
# Password for JSON-RPC connections
#rpcpassword=<pw>
# Listen for JSON-RPC connections on <port> (default: 8332, testnet:
# 18332, signet: 38332, regtest: 18443)
#rpcport=<port>
# Set the number of threads to service RPC calls (default: 4)
rpcthreads=1000
# Username for JSON-RPC connections
#rpcuser=<user>
# Set a whitelist to filter incoming RPC calls for a specific user. The
# field <whitelist> comes in the format: <USERNAME>:<rpc 1>,<rpc
# 2>,...,<rpc n>. If multiple whitelists are set for a given user,
# they are set-intersected. See -rpcwhitelistdefault documentation
# for information on default whitelist behavior.
#rpcwhitelist=<whitelist>
# Sets default behavior for rpc whitelisting. Unless rpcwhitelistdefault
# is set to 0, if any -rpcwhitelist is set, the rpc server acts as
# if all rpc users are subject to empty-unless-otherwise-specified
# whitelists. If rpcwhitelistdefault is set to 1 and no
# -rpcwhitelist is set, rpc server acts as if all rpc users are
# subject to empty whitelists.
#rpcwhitelistdefault=1
# Accept command line and JSON-RPC commands
server=1
