After the MiniBolt runs your own fully validated node, and even acts as a backend for your hardware wallet with Fulcrum, the last important puzzle piece to improve privacy and financial sovereignty is your own Blockchain Explorer. It lets you query transactions, addresses, and blocks of your choice. You no longer need to leak information by querying a third-party blockchain explorer that can be used to get your location and cluster addresses.
BTC RPC Explorer provides a lightweight and easy to use web interface to accomplish just that. It's a database-free, self-hosted Bitcoin blockchain explorer, querying Bitcoin Core and Fulcrum via RPC.
Preparations
Install Node + NPM
With user admin, check if you have already installed Node
$node-v
Example of expected output:
> v18.16.0
Check if you have already installed NPM
$npm-v
Example of expected output:
> 9.5.1
If the version is >=18, you can move to the next section. If Nodejs is not installed, follow this Node + NPM bonus guide to install it
Install the next dependency package. Press "y" and enter when the prompt asks you
$sudoaptinstallbuild-essential
Reverse proxy & Firewall
In the security section, we set up Nginx as a reverse proxy. Now we can add the BTC RPC Explorer configuration.
Enable the Nginx reverse proxy to route external encrypted HTTPS traffic internally to the BTC RPC Explorer. The error_page 497 directive instructs browsers that send HTTP requests to resend them over HTTPS.
With user admin, create the reverse proxy configuration
> nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
> nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload the Nginx configuration to apply changes
$sudosystemctlreloadnginx
Configure the firewall to allow incoming HTTPS requests
$sudoufwallow4000/tcpcomment'allow BTC RPC Explorer SSL from anywhere'
Installation
For improved security, we will create a new user btcrpcexplorer that will run the block explorer. Using a dedicated user limits potential damage in case there's a security vulnerability in the code. An attacker would not be able to do much within this user's permission settings.
gpg: Signature made Wed Jun 14 15:18:11 2023 CEST
gpg: using EDDSA key 4D841E6E6B1B68EBFAB4A9E670C0B166321C0AF8
gpg: Good signature from "Dan Janosik <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4D84 1E6E 6B1B 68EB FAB4 A9E6 70C0 B166 321C 0AF8
Install all dependencies using NPM
$npminstall
Installation can take some time, be patient. There might be a lot of confusing output, but if you see something similar to the following, the installation was successful
Example of expected output:
> Installed to /home/btcrpcexplorer/btc-rpc-explorer/node_modules/node-sass/vendor/linux-amd64-83/binding.node
> added 480 packages from 307 contributors and audited 482 packages in 570.14s
>
> 43 packages are looking for funding
> run `npm fund` for details
>
> found 12 vulnerabilities (8 moderate, 4 high)
> run `npm audit fix` to fix them, or `npm audit` for details
Check the correct installation by requesting the version
Edit the .env file. Activate any setting by removing the # at the beginning of the line or editing directly
$nano.env
Instruct the BTC RPC Explorer to connect to the local Bitcoin Core
# replace this line
BTCEXP_BITCOIND_COOKIE=/data/bitcoin/.cookie
To get address balances, either an Electrum server or an external service is necessary. Your local Electrum server can provide address transaction lists, balances, and more
# replace these lines
BTCEXP_ADDRESS_API=electrum
BTCEXP_ELECTRUM_SERVERS=tcp://127.0.0.1:50001
Uncomment this line
BTCEXP_SLOW_DEVICE_MODE=false
You can set additional features of Privacy / Security and customize the Theme at this moment by going to the Extra section
Save and exit
Exit the btcrpcexplorer user session to return to the "admin" user session
$exit
Create systemd service
Now we'll make sure our blockchain explorer starts as a service on the PC so that it's always running.
# MiniBolt: systemd unit for BTC RPC Explorer
# /etc/systemd/system/btcrpcexplorer.service
[Unit]
Description=BTC RPC Explorer
After=bitcoind.service fulcrum.service
[Service]
WorkingDirectory=/home/btcrpcexplorer/btc-rpc-explorer
ExecStart=/usr/bin/npm start
User=btcrpcexplorer
Group=btcrpcexplorer
# Hardening Measures
####################
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
Enable autoboot (optional)
$sudosystemctlenablebtcrpcexplorer
Prepare "btcrpcexplorer" monitoring by the systemd journal and check log logging output. You can exit monitoring at any time with Ctrl-C
$journalctl-f-ubtcrpcexplorer
Run
To keep an eye on the software movements, start your SSH program (eg. PuTTY) a second time, connect to the MiniBolt node, and log in as "admin". Commands for the second session start with the prompt $2 (which must not be entered).
Start the service
$2 sudo systemctl start btcrpcexplorer
Example of expected output on the first terminal with $ journalctl -f -u btcrpcexplorer ⬇️
Now point your browser to the secure access point provided by the NGINX web proxy, for example, "https://minibolt.local:4000" (or your node IP address) like "https://192.168.x.xxx:4000". You should see the home page of BTC RPC Explorer
Your browser will display a warning because we use a self-signed SSL certificate. We can do nothing about that because we would need a proper domain name (e.g. https://yournode.com) to get an official certificate that browsers recognize. Click on "Advanced" and proceed to the Block Explorer web interface
If you see a lot of errors on the MiniBolt command line, then Bitcoin Core might still be indexing the blockchain. You need to wait until reindexing is done before using the BTC RPC Explorer
Ensure the service is working and listening at the default 3002 port and the HTTPS 4000 port
More information mode, including Bitcoin exchange rates
# replace these lines
BTCEXP_PRIVACY_MODE=false
BTCEXP_NO_RATES=false
More privacy mode, no external queries
# uncomment these lines
BTCEXP_PRIVACY_MODE=true
BTCEXP_NO_RATES=true
Save and exit
Security
You can add password protection to the web interface. Simply add your password [D] for the following option, for which the browser will then prompt you. You can enter any user name; only the password is checked.
With user admin user, edit the .env configuration file
Comment this line if it is uncommented (default value is true). Save and exit
#BTCEXP_SLOW_DEVICE_MODE=false
Sharing your explorer
You may want to share your BTC RPC Explorer onion address with confident people and limited Bitcoin Core RPC access requests (sensitive data requests will be kept disabled, don't trust, verify. Enabling DEMO mode, you will not have to provide a password, and RPC requests will be allowed (discarding rpcBlacklist commands)
With user admin user, edit the .env configuration file
You will need to set password authentication following the Security section, if not, a banner shows you this:
RPC Terminal / Browser require authentication. Set an authentication password via the 'BTCEXP_BASIC_AUTH_PASSWORD' environment variable (see .env-sample file for more info).
--> Remember to give them the password [D] if you added password protection in the reference step
With DEMO mode enabled, the user will see the next message:
"Sorry, that RPC command is blacklisted. If this is your server, you may allow this command by removing it from the 'rpcBlacklist' setting in config.js."
Remote access over Tor
Do you want to access your personal blockchain explorer remotely? You can easily do so by adding a Tor hidden service on the MiniBolt and accessing the BTC RPC Explorer with the Tor browser from any device.
With the user admin , edit the torrc file
$ sudo nano /etc/tor/torrc
Add the following lines in the "location hidden services" section, below "## This section is just for location-hidden services ##" in the torrc file. Save and exit
# Hidden Service BTC RPC Explorer
HiddenServiceDir /var/lib/tor/hidden_service_btcrpcexplorer/
HiddenServiceVersion 3
HiddenServicePoWDefensesEnabled 1
HiddenServicePort 80 127.0.0.1:3002
Ensure you are logged in with the user admin. Delete the btcrpcexplorer user.
Don't worry about userdel: btcrpcexplorer mail spool (/var/mail/btcrpcexplorer) not found output, the uninstall has been successful
$ sudo userdel -rf btcrpcexplorer
Uninstall Tor hidden service
Ensure that you are logged in with the user admin and delete or comment on the following lines in the "location hidden services" section, below "## This section is just for location-hidden services ##" in the torrc file. Save and exit
$ sudo nano /etc/tor/torrc
# Hidden Service BTC RPC Explorer
#HiddenServiceDir /var/lib/tor/hidden_service_btcrpcexplorer/
#HiddenServiceVersion 3
#HiddenServicePoWDefensesEnabled 1
#HiddenServicePort 80 127.0.0.1:3002
Reload the tor to apply changes
$ sudo systemctl reload tor
Uninstall reverse proxy & FW configuration
Ensure you are logged in with the user admin, delete the reverse proxy config file