Setting up a Mithril relay
The Mithril relay is a forward proxy that often runs on the Cardano relay machine and routes traffic between the Mithril signer (running on the block producer) and the external Mithril aggregator. It can also run on a separate host if desired. It ensures the block producer stays isolated from the public internet, preserving the standard stake pool security model.
The Mithril relay is required for the production deployment model on mainnet.
Overview
Setting up the relay involves four stages:
- Build Squid from source -- download, compile, and install the Squid proxy on the Cardano relay machine.
- Configure the Squid proxy -- set up Squid as a forward proxy that accepts traffic from the block producer's internal IP, routes HTTPS requests to mithril.network hosts, anonymizes all headers, and denies everything else.
- Install the service -- create a dedicated squid system user, set up a systemd service unit, and enable it to start on boot.
- Configure the firewall -- allow incoming traffic on the relay's listening port (recommended: 3132) from the block producer's internal IP only.
Key configuration points
The Squid proxy configuration controls which traffic is allowed through the relay:
- Listening port -- port 3132 is recommended
- Source restriction -- only the internal IP of the block producer is allowed
- Destination restriction -- only HTTPS traffic to .mithril.network domain hosts is permitted
- Anonymization -- the proxy strips and anonymizes request headers to avoid disclosing information about the block producer
- Caching -- disabled, since the relay only forwards traffic
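The following is an added example, not taken from the Mithril documentation or from Squid: a simplified Python model of Squid's first-match http_access evaluation, used to check that a relay configuration enforces the source and destination restrictions listed above. The configuration text, the ACL names, the block producer IP 192.168.1.60 and the probe hostnames are constructed assumptions, and only the src, dstdomain and port ACL types with IPv4 values are modeled.

```python
import ipaddress

# Constructed squid.conf excerpt (not the Mithril project's file).
# 192.168.1.60 is a placeholder for the block producer's internal IP.
SAMPLE_CONF = """\
http_port 3132
acl block_producer src 192.168.1.60
acl aggregator dstdomain .mithril.network
acl ssl_port port 443
http_access deny !ssl_port
http_access deny !aggregator
http_access allow block_producer
http_access deny all
cache deny all
"""

def parse(conf):
    """Collect ACL definitions and the ordered http_access rules."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        f = line.split("#")[0].split()
        if len(f) >= 4 and f[0] == "acl":
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif len(f) >= 3 and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def acl_matches(acl, src, host, port):
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and its subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    if kind == "port":
        return str(port) in values
    raise ValueError(f"ACL type {kind!r} is outside this simplified model")

def decide(conf, src, host, port):
    """First matching http_access rule wins; ACLs on one line are ANDed."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], src, host, port) != n.startswith("!") for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

Moving the allow rule above the `deny !aggregator` rule makes a probe from the block producer to an unrelated host return allow, which is why the deny rules come first.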
After configuring the relay, the Mithril signer on the block producer must be pointed to the relay by setting the RELAY_ENDPOINT environment variable (for example, http://192.168.1.50:3132).
For the complete step-by-step instructions, including build commands, configuration files, and service setup, see Set up the Mithril relay node in the Mithril documentation.