However, in many cases it is preferable to control the Broker remotely rather than logging in to the machine it runs on. This also supports the principle of least privilege: the operator's workstation then needs only the RPC credentials and the Broker's certificate, not shell access to the Broker host.
To control a remote broker, follow the steps below.
Open RPC port
To control your Broker remotely, your client must have access to the Broker's RPC port, which by default is:
You should limit incoming connections to this port to a known IP address or range to reduce the Broker's exposure. If the port is published by Docker (the Broker runs under docker-compose), Docker's own iptables rules accept that traffic in the FORWARD chain, so rules added to the host INPUT chain (for example with ufw) do not apply to it; filter in the DOCKER-USER chain instead, or bind the published port to a specific host address.
Generating TLS Certificates
You need to generate TLS certificates that include your remote IP address, so that the Broker CLI on your local machine can verify that it is talking to your remote Broker.
On your remote machine, in the sparkswap/broker folder, run the following command:
bash scripts/build.sh --no-identity --no-docker --force-certs --external-address=<remote.ip.address>
You will need to restart your Broker for the new certs to take effect. You can restart the Broker by navigating to your remote machine's sparkswap/broker folder and running:
WARNING: Restarting all docker containers will cause all open orders to be cancelled by the relayer, due to connection loss. Only restart your Broker after all orders have been completed or cancelled.
docker-compose restart sparkswapd
Your local machine needs the Broker's TLS certificate, which is created as part of the build process and stored on the machine the Broker was built on (e.g. your server) at ~/.sparkswap/certs/broker-rpc-tls.cert. Place it at the same location on your local machine to use the CLI (and it is recommended to keep it there even when running a custom Broker client). This is the certificate the client trusts when verifying the Broker's TLS endpoint, so it must be an exact copy of the one on the server.
To copy it from the remote machine using scp, try the following:
mkdir -p ~/.sparkswap/certs && scp <your user>@<remote.ip.address>:~/.sparkswap/certs/broker-rpc-tls.cert ~/.sparkswap/certs/broker-rpc-tls.cert
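After copying the certificate, two checks are worth running on your local machine before configuring the client: that the file is byte-for-byte the Broker's certificate (compare SHA-256 fingerprints on both machines), and that its subjectAltName actually lists the address you are about to put in the client configuration, which is why the address used for the client must match the one given to build.sh. The script below is an added example written for this page, not code from the Sparkswap Broker or CLI. It assumes OpenSSL is installed, that broker-rpc-tls.cert is PEM-encoded, and that build.sh places the --external-address in the certificate's SAN (all assumptions); it exercises the checks against a constructed self-signed certificate for the TEST-NET address 203.0.113.10.

```sh
#!/bin/sh
# Added example (not part of the Sparkswap Broker or CLI): checks to run on the
# client after copying broker-rpc-tls.cert, before pointing the CLI at the Broker.
# Assumptions: OpenSSL is installed; the cert is PEM; the Broker's external
# address appears in the certificate's subjectAltName.

# Location the CLI expects the certificate at. Real use: cert_has_san "$CERT" <remote.ip.address>
CERT="${HOME}/.sparkswap/certs/broker-rpc-tls.cert"

# Print the SHA-256 fingerprint of a certificate. Run this on both the Broker host
# and the client; the two values must match, otherwise the wrong file was copied
# or the copy was altered in transit.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 if the certificate's subjectAltName lists the given IP or DNS name,
# 1 otherwise. The client must dial exactly an address listed here; any other
# address fails TLS verification and the CLI will not connect.
cert_has_san() {
  cert="$1"; addr="$2"
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  case ",${sans}," in
    *",IPAddress:${addr},"*|*",DNS:${addr},"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Generate a constructed self-signed test certificate with the given SAN list
# (e.g. "IP:203.0.113.10,DNS:broker.example"), standing in for the one that
# build.sh --force-certs produces. Prints the path of the certificate.
make_demo_cert() {
  dir="$1"; san="$2"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = sparkswapd-demo
[v3_ext]
subjectAltName = $san
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/san.cnf" >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# Demo against a constructed certificate issued for 203.0.113.10 (TEST-NET range).
tmp=$(mktemp -d)
demo=$(make_demo_cert "$tmp" "IP:203.0.113.10")
echo "fingerprint: $(cert_fingerprint "$demo")"
for addr in 203.0.113.10 203.0.113.1 broker.example; do
  if cert_has_san "$demo" "$addr"; then
    echo "$addr: listed in SAN, usable as the client's RPC address"
  else
    echo "$addr: NOT in SAN, TLS verification would fail"
  fi
done
rm -rf "$tmp"
```

Run cert_fingerprint on the server's copy and on the local copy and compare the output by eye; then run cert_has_san against the local copy with the exact value you intend to configure as the RPC address. A hostname that resolves to the Broker's IP still fails the SAN check unless that hostname was itself included in the certificate.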
Configure your client
You'll need to configure your client with the RPC_PASS from the Broker's .env file as well as the address where your Broker can be reached.
It is important that the RPC address you configure in the client is exactly the remote IP address you supplied when generating the TLS certificates, since the client checks the address it dials against the certificate. Using any other hostname or address will cause TLS verification to fail, and the client will not connect to the Broker RPC.
If you're using the CLI, you'll need to update the ~/.sparkswap/config.js file on your local machine, and you'll need to update the:
If you're using a custom client, be sure that the RPC username, password, and host address are configured correctly.
Your local machine should now be set up as a client of your remote Broker. The connection is secured with TLS, with the client verifying the Broker against the certificate you copied, and requests are authenticated with the username and password you configured.
If you're having any issues with your remote setup, please ask for assistance on Discord.