RPC HTTP: Add a safer default ACL.
Context
Following !2942 (merged), which introduced ACLs for the tezos-node RPC, we now change the default policy so that, for hostnames other than localhost, it only exposes the endpoints that either:
- can't be abused to harm the node, or
- are absolutely necessary for the node to be usable by clients (allowing them to make use of their Tez).

On a localhost listening address, all endpoints will still be open. The default policy can also be changed by editing the config.
The default ACL is a whitelist enumerating all safe endpoints. That means that from now on most new RPC endpoints will by default be blocked for external clients and must be explicitly enabled (or the default ACL must be updated). Thanks to @vbotbol, @pirbo and the P2P team, who helped me create this list. It should be roughly complete, but there are some controversies:
- PATCH /chains/*
- GET /chains/*/invalid_blocks/*

Are these safe? Are they necessary?
Manually testing the MR
Launch the node and try making some transactions using tezos-client. If any of them gets blocked, that probably means some more endpoints should be open.
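A small model of the policy described in the Context section (localhost listeners fully open, other listeners restricted to a whitelist of "METHOD /pattern" rules) together with the "does a client flow get blocked?" check from the testing section, added here as an example. It is not tezos-node's code: the SAFE_ENDPOINTS list, the `*`/`**` pattern syntax and the TRANSFER_FLOW call sequence are constructed placeholders, not the MR's actual default ACL.

```python
"""Model of an address-keyed RPC endpoint whitelist (added example, not
tezos-node's implementation).

Assumptions, all constructed for illustration:
  - SAFE_ENDPOINTS is a placeholder list, not the MR's actual default ACL;
  - pattern syntax: '*' matches exactly one path segment, '**' matches any
    number (including zero) of trailing segments;
  - TRANSFER_FLOW is a guess at the calls a client might make for a transfer.
"""
from typing import List, Sequence, Tuple

# Constructed sample whitelist applied to non-local listening addresses.
SAFE_ENDPOINTS: List[str] = [
    "GET /chains/*/blocks/*",
    "GET /chains/*/blocks/*/header",
    "GET /chains/*/blocks/*/context/**",
    "GET /chains/*/mempool/pending_operations",
    "POST /chains/*/blocks/*/helpers/preapply/operations",
    "POST /injection/operation",
]

# Hosts on which the policy leaves every endpoint open.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_path(path: str) -> List[str]:
    """'/chains/main/blocks/head' -> ['chains', 'main', 'blocks', 'head']."""
    return [seg for seg in path.split("/") if seg]


def match_segments(pattern: Sequence[str], path: Sequence[str]) -> bool:
    """Recursive matcher: '*' = one segment, '**' = zero or more segments."""
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        # Let the '**' consume 0..len(path) segments.
        return any(match_segments(rest, path[i:]) for i in range(len(path) + 1))
    if not path:
        return False
    if head in ("*", path[0]):
        return match_segments(rest, path[1:])
    return False


def rule_matches(rule: str, method: str, path: str) -> bool:
    """A rule is 'METHOD /pattern'; METHOD may be '*' to match any method."""
    rule_method, rule_path = rule.split(" ", 1)
    if rule_method != "*" and rule_method != method.upper():
        return False
    return match_segments(split_path(rule_path), split_path(path))


def is_allowed(listen_host: str, method: str, path: str,
               whitelist: Sequence[str] = SAFE_ENDPOINTS) -> bool:
    """Localhost listeners expose everything; other hosts only the whitelist."""
    if listen_host in LOCAL_HOSTS:
        return True
    return any(rule_matches(rule, method, path) for rule in whitelist)


# Constructed guess at the RPCs a client might issue for one transfer.
TRANSFER_FLOW: List[Tuple[str, str]] = [
    ("GET", "/chains/main/blocks/head/header"),
    ("GET", "/chains/main/blocks/head/context/contracts/tz1example/counter"),
    ("POST", "/chains/main/blocks/head/helpers/preapply/operations"),
    ("POST", "/injection/operation"),
    ("GET", "/chains/main/mempool/pending_operations"),
]


def blocked_endpoints(listen_host: str, flow: Sequence[Tuple[str, str]],
                      whitelist: Sequence[str] = SAFE_ENDPOINTS) -> List[str]:
    """Return the 'METHOD path' entries of `flow` the ACL would reject: the
    check the testing section describes, run against the model instead of a
    live node."""
    return [f"{m} {p}" for m, p in flow
            if not is_allowed(listen_host, m, p, whitelist)]


if __name__ == "__main__":
    probe = TRANSFER_FLOW + [("PATCH", "/chains/main")]
    for host in ("localhost", "0.0.0.0"):
        print(host, "blocks:", blocked_endpoints(host, probe))
```

Running `blocked_endpoints` over the calls a client actually makes is the offline version of the manual test above: every entry it returns for a non-local host is an endpoint that would have to be added to the whitelist (or deliberately left closed) before external clients can use the node.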
Checklist
- Document the interface of any function added or modified (see the coding guidelines).
- Provide automatic testing (see the testing guide).
- For new features and bug fixes, add an item in the appropriate changelog (docs/protocols/alpha.rst for the protocol and the environment, the Development Version section of CHANGES.md for everything else).
- Select suitable reviewers using the Reviewers field below.