ic icon indicating copy to clipboard operation
ic copied to clipboard
verified publisher icon dfinity

feat: SOCKS proxy on the API BNs

Open r-birkner opened this issue 1 year ago • 0 comments

Context: Currently HTTPS outcalls are only supported to IPv6 destinations. Certain system canisters (e.g., XRC) have to make outcalls to destinations that only support IPv4. Until now, there was a SOCKS proxy on all boundary nodes. With the new boundary node architecture, the SOCKS proxy has to be moved to the API boundary nodes.

This Change: This change consists of two parts:

  1. Setup dante: It installs dante and starts it. For now, I included dante both in the base image and the normal image (for fast testing).
  2. Open up the firewall: It adjusts the firewall such that port 1080 is only opened when the node is an API boundary node and is only opened for nodes that are part of a system subnet.

Note: Before we merge, I will create a separate PR #2231 to install dante in the base image only and bump the base image in this PR.

r-birkner avatar Oct 22 '24 17:10 r-birkner