rchain
rchain copied to clipboard
rchain
Reverse proxy with RNode API (gRPC/HTTP, TLS)
Overview
The purpose of this issue is to document the current state of gRPC/HTTP API and testing with reverse proxy. Using nginx proxy for HTTP (external 40403, admin 40405) and non protocol ports (external 40401, admin 40402) works without problems as with any web exposed application.
The problem starts with protocol (40400) and discovery (40404) ports which are used as part of RNode address e.g. rnode://[email protected]?protocol=41400&discovery=41404.
This limits the way how proxy and RNode can be configured. In addition, the protocol port uses TLS automatically (by default with auto-generated self signed certificates), so configuring a proxy with nginx does not work at all.
Binding and external host/port parameters
RNode configuration currently allows only one parameter for the host and one for the port per API. This means that binding and external port must be the same. This unnecessary complicates configuration when RNode is run inside container.
RNode address (auto-generated TLS certificates)
RNode generates address from auto-generated certificate, external host (if configured or auto detected) and protocol (40400) and discovery (40404) ports. The reason why this is done in this way is not clear and what kind of security this provides.
Here is the reference to Jira documentation about transport layer TLS connection. Public key is used to identify the node and encrypt the message - Transport layer change to GRPC over TCP.
There is also an open issue to remove auto-generated self signed certificate - Get rid of self-signed TLS.
Re-design RNode address, TLS and related configuration
Remove auto-generated TLS certificate and remove the code which internally uses this certificate to manually encrypt messages. Encryption can be done in a standard way with reverse proxy if RNode user wants to do this. Configuration parameters can be added to require encryption and to differentiate binding and external ports. RNode address can be simplified without generated part related to TLS certificate and other parts of the address can be part of the configuration also. Investigate if there are security concerns for this approach.
