api: add --http-host to restrict RPC bind address

± ./build/ava --http-host localhost --public-ip <redacted>
  ___       ________               __            ___
 / _ \_/\  /  _____/  ____   ____ |  | ______   / _ \_/\
 \/ \___/ /   \  ____/ __ \_/ ___\|  |/ /  _ \  \/ \___/
          \    \_\  \  ___/\  \___|    <  <_> )
           \______  /\___  >\___  >__|_ \____/
                  \/     \/     \/     \/
...
INFO [05-14|21:09:54] /api/server.go#53: API server listening on
"localhost:9650"
INFO [05-14|21:09:54] /api/server.go#106: adding route
/ext/vm/jvYyfQTxGMJLuGWa55kdP2p2zSUYsQ5Raupu4TW34ZAUBAbtq
...

The node continues to participate in consensus, but RPC calls are
restricted to the localhost interface.

$ ss -lnt | grep 965
LISTEN  0        4096           127.0.0.1:9650           0.0.0.0:*
LISTEN  0        10               0.0.0.0:9651           0.0.0.0:*

$ curl -X POST --data '{
>     "id": '$(date +%s)',
>     "jsonrpc": "2.0",
>     "method": "admin.getNodeID",
>     "params":{}
> }' -H 'content-type:application/json;' 127.0.0.1:9650/ext/admin
{"jsonrpc":"2.0","result":{"nodeID":"2iEwniZihec5S2anxDpKGenZB7Cs112Ap"},"id":1589486853}

$ curl -X POST --data '{
>     "id": '$(date +%s)',
>     "jsonrpc": "2.0",
>     "method": "admin.getNodeID",
>     "params":{}
> }' -H 'content-type:application/json;' 192.168.43.60:9650/ext/admin
curl: (7) Failed to connect to 192.168.43.60 port 9650: Connection
refused
Alex Willmer 2020-05-13 21:57:17 +01:00
parent f290f7377e
commit b9ceddd052
5 changed files with 25 additions and 11 deletions


@ -7,6 +7,7 @@ import (
"errors"
"fmt"
"io"
"net"
"net/http"
"net/url"
"sync"
@ -28,30 +29,40 @@ var (
// Server maintains the HTTP router
type Server struct {
log logging.Logger
factory logging.Factory
router *router
portURL string
log logging.Logger
factory logging.Factory
router *router
listenAddress string
}
// Initialize creates the API server at the provided port
func (s *Server) Initialize(log logging.Logger, factory logging.Factory, port uint16) {
// Initialize creates the API server at the provided host and port
func (s *Server) Initialize(log logging.Logger, factory logging.Factory, host string, port uint16) {
s.log = log
s.factory = factory
s.portURL = fmt.Sprintf(":%d", port)
s.listenAddress = fmt.Sprintf("%s:%d", host, port)
s.router = newRouter()
}
// Dispatch starts the API server
func (s *Server) Dispatch() error {
handler := cors.Default().Handler(s.router)
return http.ListenAndServe(s.portURL, handler)
listener, err := net.Listen("tcp", s.listenAddress)
if err != nil {
return err
}
s.log.Info("API server listening on %q", s.listenAddress)
return http.Serve(listener, handler)
}
// DispatchTLS starts the API server with the provided TLS certificate
func (s *Server) DispatchTLS(certFile, keyFile string) error {
handler := cors.Default().Handler(s.router)
return http.ListenAndServeTLS(s.portURL, certFile, keyFile, handler)
listener, err := net.Listen("tcp", s.listenAddress)
if err != nil {
return err
}
s.log.Info("API server listening on %q", s.listenAddress)
return http.ServeTLS(listener, handler, certFile, keyFile)
}
// RegisterChain registers the API endpoints associated with this chain That
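Review bot: Dispatch and DispatchTLS still wrap the router in `cors.Default()`, which (assuming this is the rs/cors package, as the call suggests) accepts requests from any origin, so binding to localhost alone does not keep a web page open in a browser on the node's own machine from calling the admin RPC routes. An explicit allow-list, for example `cors.New(cors.Options{AllowedOrigins: allowedOrigins}).Handler(s.router)` with `allowedOrigins` taken from configuration (a placeholder name, not in this file), would match the intent of the new flag. Separately, in Initialize `fmt.Sprintf("%s:%d", host, port)` yields an address that net.Listen cannot parse when the host is an IPv6 literal such as `::1`; `s.listenAddress = net.JoinHostPort(host, strconv.Itoa(int(port)))` handles both forms. `net` is imported by this change, but `strconv` would need adding if the file does not already import it, which the hunk does not show.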


@ -30,7 +30,7 @@ func (s *Service) Call(_ *http.Request, args *Args, reply *Reply) error {
func TestCall(t *testing.T) {
s := Server{}
s.Initialize(logging.NoLog{}, logging.NoFactory{}, 8080)
s.Initialize(logging.NoLog{}, logging.NoFactory{}, "localhost", 8080)
serv := &Service{}
newServer := rpc.NewServer()


@ -93,6 +93,7 @@ func init() {
consensusIP := fs.String("public-ip", "", "Public IP of this node")
// HTTP Server:
httpHost := fs.String("http-host", "", "Address of the HTTP server")
httpPort := fs.Uint("http-port", 9650, "Port of the HTTP server")
fs.BoolVar(&Config.EnableHTTPS, "http-tls-enabled", false, "Upgrade the HTTP server to HTTPs")
fs.StringVar(&Config.HTTPSKeyFile, "http-tls-key-file", "", "TLS private key file for the HTTPs server")
@ -269,6 +270,7 @@ func init() {
}
// HTTP:
Config.HTTPHost = *httpHost
Config.HTTPPort = uint16(*httpPort)
// Logging:
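Review bot: The new `http-host` flag defaults to `""`, and an empty host in the listen address binds every interface, so a node started without the flag still exposes the RPC API, including the admin endpoint shown in the commit message, exactly as before this change. Consider defaulting to loopback with `httpHost := fs.String("http-host", "127.0.0.1", "Address of the HTTP server")`. If the old behaviour has to stay for compatibility, the help text should at least say so: `"Address of the HTTP server (empty listens on all interfaces)"`. init()'s body extends beyond these two hunks, so any validation of the value elsewhere is not visible here.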


@ -42,6 +42,7 @@ type Config struct {
BootstrapPeers []*Peer
// HTTP configuration
HTTPHost string
HTTPPort uint16
EnableHTTPS bool
HTTPSKeyFile string


@ -477,7 +477,7 @@ func (n *Node) initChains() error {
func (n *Node) initAPIServer() {
n.Log.Info("Initializing API server")
n.APIServer.Initialize(n.Log, n.LogFactory, n.Config.HTTPPort)
n.APIServer.Initialize(n.Log, n.LogFactory, n.Config.HTTPHost, n.Config.HTTPPort)
go n.Log.RecoverAndPanic(func() {
if n.Config.EnableHTTPS {