diff --git a/cmd/lncli/main.go b/cmd/lncli/main.go index d114226b..9a62f973 100644 --- a/cmd/lncli/main.go +++ b/cmd/lncli/main.go @@ -14,6 +14,7 @@ import ( macaroon "gopkg.in/macaroon.v2" + "github.com/lightningnetwork/lnd/lncfg" "github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/macaroons" "github.com/roasbeef/btcutil" @@ -26,6 +27,8 @@ import ( const ( defaultTLSCertFilename = "tls.cert" defaultMacaroonFilename = "admin.macaroon" + defaultRpcPort = "10009" + defaultRpcHostPort = "localhost:" + defaultRpcPort ) var ( @@ -143,6 +146,13 @@ func getClientConn(ctx *cli.Context, skipMacaroons bool) *grpc.ClientConn { opts = append(opts, grpc.WithPerRPCCredentials(cred)) } + // We need to use a custom dialer so we can also connect to unix sockets + // and not just TCP addresses. + opts = append( + opts, grpc.WithDialer( + lncfg.ClientAddressDialer(defaultRpcPort), + ), + ) conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...) if err != nil { fatal(err) @@ -159,7 +169,7 @@ func main() { app.Flags = []cli.Flag{ cli.StringFlag{ Name: "rpcserver", - Value: "localhost:10009", + Value: defaultRpcHostPort, Usage: "host:port of ln daemon", }, cli.StringFlag{ diff --git a/config.go b/config.go index 28118661..5b0779c3 100644 --- a/config.go +++ b/config.go @@ -22,6 +22,7 @@ import ( flags "github.com/jessevdk/go-flags" "github.com/lightningnetwork/lnd/brontide" "github.com/lightningnetwork/lnd/htlcswitch/hodl" + "github.com/lightningnetwork/lnd/lncfg" "github.com/lightningnetwork/lnd/lnwire" "github.com/lightningnetwork/lnd/tor" "github.com/roasbeef/btcd/btcec" @@ -165,26 +166,35 @@ type torConfig struct { type config struct { ShowVersion bool `short:"V" long:"version" description:"Display version information and exit"` - LndDir string `long:"lnddir" description:"The base directory that contains lnd's data, logs, configuration file, etc."` - ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"` - DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"` - TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for lnd's RPC and REST services"` - TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for lnd's RPC and REST services"` - TLSExtraIP string `long:"tlsextraip" description:"Adds an extra ip to the generated certificate"` - TLSExtraDomain string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"` - NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication"` - AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"` - ReadMacPath string `long:"readonlymacaroonpath" description:"Path to write the read-only macaroon for lnd's RPC and REST services if it doesn't exist"` - InvoiceMacPath string `long:"invoicemacaroonpath" description:"Path to the invoice-only macaroon for lnd's RPC and REST services if it doesn't exist"` - LogDir string `long:"logdir" description:"Directory to log output."` - MaxLogFiles int `long:"maxlogfiles" description:"Maximum logfiles to keep (0 for no rotation)"` - MaxLogFileSize int `long:"maxlogfilesize" description:"Maximum logfile size in MB"` - RPCListeners []string `long:"rpclisten" description:"Add an interface/port to listen for RPC connections"` - RESTListeners []string `long:"restlisten" description:"Add an interface/port to listen for REST connections"` - Listeners []string `long:"listen" description:"Add an interface/port to listen for peer connections"` - DisableListen bool `long:"nolisten" description:"Disable listening for incoming peer connections"` - ExternalIPs []string `long:"externalip" description:"Add an ip:port to the list of local addresses we claim to listen on to peers. If a port is not specified, the default (9735) will be used regardless of other parameters"` - NAT bool `long:"nat" description:"Toggle NAT traversal support (using either UPnP or NAT-PMP) to automatically advertise your external IP address to the network -- NOTE this does not support devices behind multiple NATs"` + LndDir string `long:"lnddir" description:"The base directory that contains lnd's data, logs, configuration file, etc."` + ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"` + DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"` + TLSCertPath string `long:"tlscertpath" description:"Path to write the TLS certificate for lnd's RPC and REST services"` + TLSKeyPath string `long:"tlskeypath" description:"Path to write the TLS private key for lnd's RPC and REST services"` + TLSExtraIP string `long:"tlsextraip" description:"Adds an extra ip to the generated certificate"` + TLSExtraDomain string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"` + NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication"` + AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"` + ReadMacPath string `long:"readonlymacaroonpath" description:"Path to write the read-only macaroon for lnd's RPC and REST services if it doesn't exist"` + InvoiceMacPath string `long:"invoicemacaroonpath" description:"Path to the invoice-only macaroon for lnd's RPC and REST services if it doesn't exist"` + LogDir string `long:"logdir" description:"Directory to log output."` + MaxLogFiles int `long:"maxlogfiles" description:"Maximum logfiles to keep (0 for no rotation)"` + MaxLogFileSize int `long:"maxlogfilesize" description:"Maximum logfile size in MB"` + + // We'll parse these 'raw' string arguments into real net.Addrs in the + // loadConfig function. We need to expose the 'raw' strings so the + // command line library can access them. + // Only the parsed net.Addrs should be used! + RawRPCListeners []string `long:"rpclisten" description:"Add an interface/port/socket to listen for RPC connections"` + RawRESTListeners []string `long:"restlisten" description:"Add an interface/port/socket to listen for REST connections"` + RawListeners []string `long:"listen" description:"Add an interface/port to listen for peer connections"` + RawExternalIPs []string `long:"externalip" description:"Add an ip:port to the list of local addresses we claim to listen on to peers. If a port is not specified, the default (9735) will be used regardless of other parameters"` + RPCListeners []net.Addr + RESTListeners []net.Addr + Listeners []net.Addr + ExternalIPs []net.Addr + DisableListen bool `long:"nolisten" description:"Disable listening for incoming peer connections"` + NAT bool `long:"nat" description:"Toggle NAT traversal support (using either UPnP or NAT-PMP) to automatically advertise your external IP address to the network -- NOTE this does not support devices behind multiple NATs"` DebugLevel string `short:"d" long:"debuglevel" description:"Logging level for all subsystems {trace, debug, info, warn, error, critical} -- You may also specify =,=,... to set the log level for individual subsystems -- Use show to list available subsystems"` @@ -419,15 +429,27 @@ func loadConfig() (*config, error) { } // Validate the Tor config parameters. - cfg.Tor.SOCKS = normalizeAddress( + socks, err := lncfg.ParseAddressString( cfg.Tor.SOCKS, strconv.Itoa(defaultTorSOCKSPort), ) - cfg.Tor.DNS = normalizeAddress( + if err != nil { + return nil, err + } + cfg.Tor.SOCKS = socks.String() + dns, err := lncfg.ParseAddressString( cfg.Tor.DNS, strconv.Itoa(defaultTorDNSPort), ) - cfg.Tor.Control = normalizeAddress( + if err != nil { + return nil, err + } + cfg.Tor.DNS = dns.String() + control, err := lncfg.ParseAddressString( cfg.Tor.Control, strconv.Itoa(defaultTorControlPort), ) + if err != nil { + return nil, err + } + cfg.Tor.Control = control.String() switch { case cfg.Tor.V2 && cfg.Tor.V3: return nil, errors.New("either tor.v2 or tor.v3 can be set, " + @@ -735,8 +757,8 @@ func loadConfig() (*config, error) { // Initialize logging at the default logging level. initLogRotator( - filepath.Join(cfg.LogDir, defaultLogFilename), cfg.MaxLogFileSize, - cfg.MaxLogFiles, + filepath.Join(cfg.LogDir, defaultLogFilename), + cfg.MaxLogFileSize, cfg.MaxLogFiles, ) // Parse, validate, and set debug log level(s). @@ -747,33 +769,39 @@ func loadConfig() (*config, error) { return nil, err } - // At least one RPCListener is required. - if len(cfg.RPCListeners) == 0 { + // At least one RPCListener is required. So listen on localhost per + // default. + if len(cfg.RawRPCListeners) == 0 { addr := fmt.Sprintf("localhost:%d", defaultRPCPort) - cfg.RPCListeners = append(cfg.RPCListeners, addr) + cfg.RawRPCListeners = append(cfg.RawRPCListeners, addr) } - // Listen on the default interface/port if no REST listeners were - // specified. - if len(cfg.RESTListeners) == 0 { + // Listen on localhost if no REST listeners were specified. + if len(cfg.RawRESTListeners) == 0 { addr := fmt.Sprintf("localhost:%d", defaultRESTPort) - cfg.RESTListeners = append(cfg.RESTListeners, addr) + cfg.RawRESTListeners = append(cfg.RawRESTListeners, addr) } // Listen on the default interface/port if no listeners were specified. - if len(cfg.Listeners) == 0 { + // An empty address string means default interface/address, which on + // most unix systems is the same as 0.0.0.0. + if len(cfg.RawListeners) == 0 { addr := fmt.Sprintf(":%d", defaultPeerPort) - cfg.Listeners = append(cfg.Listeners, addr) + cfg.RawListeners = append(cfg.RawListeners, addr) } // For each of the RPC listeners (REST+gRPC), we'll ensure that users // have specified a safe combo for authentication. If not, we'll bail // out with an error. - err := enforceSafeAuthentication(cfg.RPCListeners, !cfg.NoMacaroons) + err = lncfg.EnforceSafeAuthentication( + cfg.RPCListeners, !cfg.NoMacaroons, + ) if err != nil { return nil, err } - err = enforceSafeAuthentication(cfg.RESTListeners, !cfg.NoMacaroons) + err = lncfg.EnforceSafeAuthentication( + cfg.RESTListeners, !cfg.NoMacaroons, + ) if err != nil { return nil, err } @@ -787,27 +815,51 @@ func loadConfig() (*config, error) { // Add default port to all RPC listener addresses if needed and remove // duplicate addresses. - cfg.RPCListeners = normalizeAddresses( - cfg.RPCListeners, strconv.Itoa(defaultRPCPort), + cfg.RPCListeners, err = lncfg.NormalizeAddresses( + cfg.RawRPCListeners, strconv.Itoa(defaultRPCPort), ) + if err != nil { + return nil, err + } // Add default port to all REST listener addresses if needed and remove // duplicate addresses. - cfg.RESTListeners = normalizeAddresses( - cfg.RESTListeners, strconv.Itoa(defaultRESTPort), + cfg.RESTListeners, err = lncfg.NormalizeAddresses( + cfg.RawRESTListeners, strconv.Itoa(defaultRESTPort), ) + if err != nil { + return nil, err + } // Add default port to all listener addresses if needed and remove // duplicate addresses. - cfg.Listeners = normalizeAddresses( - cfg.Listeners, strconv.Itoa(defaultPeerPort), + cfg.Listeners, err = lncfg.NormalizeAddresses( + cfg.RawListeners, strconv.Itoa(defaultPeerPort), ) + if err != nil { + return nil, err + } // Add default port to all external IP addresses if needed and remove // duplicate addresses. - cfg.ExternalIPs = normalizeAddresses( - cfg.ExternalIPs, strconv.Itoa(defaultPeerPort), + cfg.ExternalIPs, err = lncfg.NormalizeAddresses( + cfg.RawExternalIPs, strconv.Itoa(defaultPeerPort), ) + if err != nil { + return nil, err + } + + // For the p2p port it makes no sense to listen to an Unix socket. + // Also, we would need to refactor the brontide listener to support + // that. + for _, p2pListener := range cfg.Listeners { + if lncfg.IsUnix(p2pListener) { + err := fmt.Errorf("unix socket addresses cannot be " + + "used for the p2p connection listener: %s", + p2pListener) + return nil, err + } + } // Finally, ensure that we are only listening on localhost if Tor // inbound support is enabled. @@ -815,7 +867,7 @@ func loadConfig() (*config, error) { for _, addr := range cfg.Listeners { // Due to the addresses being normalized above, we can // skip checking the error. - host, _, _ := net.SplitHostPort(addr) + host, _, _ := net.SplitHostPort(addr.String()) if host == "localhost" || host == "127.0.0.1" { continue } @@ -1199,75 +1251,6 @@ func extractBitcoindRPCParams(bitcoindConfigPath string) (string, string, string string(zmqPathSubmatches[1]), nil } -// normalizeAddresses returns a new slice with all the passed addresses -// normalized with the given default port and all duplicates removed. -func normalizeAddresses(addrs []string, defaultPort string) []string { - result := make([]string, 0, len(addrs)) - seen := map[string]struct{}{} - for _, addr := range addrs { - addr = normalizeAddress(addr, defaultPort) - if _, ok := seen[addr]; !ok { - result = append(result, addr) - seen[addr] = struct{}{} - } - } - return result -} - -// normalizeAddress normalizes an address by either setting a missing host to -// localhost or missing port to the default port. -func normalizeAddress(addr, defaultPort string) string { - if _, _, err := net.SplitHostPort(addr); err != nil { - // If the address is an integer, then we assume it is *only* a - // port and default to binding to that port on localhost. - if _, err := strconv.Atoi(addr); err == nil { - return net.JoinHostPort("localhost", addr) - } - - // Otherwise, the address only contains the host so we'll use - // the default port. - return net.JoinHostPort(addr, defaultPort) - } - - return addr -} - -// enforceSafeAuthentication enforces "safe" authentication taking into account -// the interfaces that the RPC servers are listening on, and if macaroons are -// activated or not. To project users from using dangerous config combinations, -// we'll prevent disabling authentication if the sever is listening on a public -// interface. -func enforceSafeAuthentication(addrs []string, macaroonsActive bool) error { - isLoopback := func(addr string) bool { - loopBackAddrs := []string{"localhost", "127.0.0.1", "[::1]"} - for _, loopback := range loopBackAddrs { - if strings.Contains(addr, loopback) { - return true - } - } - - return false - } - - // We'll now examine all addresses that this RPC server is listening - // on. If it's a localhost address, we'll skip it, otherwise, we'll - // return an error if macaroons are inactive. - for _, addr := range addrs { - if isLoopback(addr) { - continue - } - - if !macaroonsActive { - return fmt.Errorf("Detected RPC server listening on "+ - "publicly reachable interface %v with "+ - "authentication disabled! Refusing to start with "+ - "--no-macaroons specified.", addr) - } - } - - return nil -} - // normalizeNetwork returns the common name of a network type used to create // file paths. This allows differently versioned networks to use the same path. func normalizeNetwork(network string) string { diff --git a/lncfg/address.go b/lncfg/address.go new file mode 100644 index 00000000..c3c418e4 --- /dev/null +++ b/lncfg/address.go @@ -0,0 +1,161 @@ +package lncfg + +import ( + "time" + "net" + "fmt" + "crypto/tls" + "strings" +) + +var ( + loopBackAddrs = []string{"localhost", "127.0.0.1", "[::1]"} +) + +// NormalizeAddresses returns a new slice with all the passed addresses +// normalized with the given default port and all duplicates removed. +func NormalizeAddresses(addrs []string, + defaultPort string) ([]net.Addr, error) { + result := make([]net.Addr, 0, len(addrs)) + seen := map[string]struct{}{} + for _, strAddr := range addrs { + addr, err := ParseAddressString(strAddr, defaultPort) + if err != nil { + return nil, err + } + + if _, ok := seen[addr.String()]; !ok { + result = append(result, addr) + seen[addr.String()] = struct{}{} + } + } + return result, nil +} + +// EnforceSafeAuthentication enforces "safe" authentication taking into account +// the interfaces that the RPC servers are listening on, and if macaroons are +// activated or not. To protect users from using dangerous config combinations, +// we'll prevent disabling authentication if the sever is listening on a public +// interface. +func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error { + // We'll now examine all addresses that this RPC server is listening + // on. If it's a localhost address, we'll skip it, otherwise, we'll + // return an error if macaroons are inactive. + for _, addr := range addrs { + if IsLoopback(addr) || IsUnix(addr) { + continue + } + + if !macaroonsActive { + return fmt.Errorf("Detected RPC server listening on "+ + "publicly reachable interface %v with "+ + "authentication disabled! Refusing to start "+ + "with --no-macaroons specified.", addr) + } + } + + return nil +} + +// ListenOnAddress creates a listener that listens on the given +// address. +func ListenOnAddress(addr net.Addr) (net.Listener, error) { + return net.Listen(addr.Network(), addr.String()) +} + +// TlsListenOnAddress creates a TLS listener that listens on the given +// address. +func TlsListenOnAddress(addr net.Addr, + config *tls.Config) (net.Listener, error) { + return tls.Listen(addr.Network(), addr.String(), config) +} + +// IsLoopback returns true if an address describes a loopback interface. +func IsLoopback(addr net.Addr) bool { + for _, loopback := range loopBackAddrs { + if strings.Contains(addr.String(), loopback) { + return true + } + } + + return false +} + +// isUnix returns true if an address describes an Unix socket address. +func IsUnix(addr net.Addr) bool { + return strings.HasPrefix(addr.Network(), "unix") +} + +// ParseAddressString converts an address in string format to a net.Addr that is +// compatible with lnd. UDP is not supported because lnd needs reliable +// connections. +func ParseAddressString(strAddress string, + defaultPort string) (net.Addr, error) { + var parsedNetwork, parsedAddr string + + // Addresses can either be in network://address:port format or only + // address:port. We want to support both. + if strings.Contains(strAddress, "://") { + parts := strings.Split(strAddress, "://") + parsedNetwork, parsedAddr = parts[0], parts[1] + } else if strings.Contains(strAddress, ":") { + parts := strings.Split(strAddress, ":") + parsedNetwork = parts[0] + parsedAddr = strings.Join(parts[1:], ":") + } + + // Only TCP and Unix socket addresses are valid. We can't use IP or + // UDP only connections for anything we do in lnd. + switch parsedNetwork { + case "unix", "unixpacket": + return net.ResolveUnixAddr(parsedNetwork, parsedAddr) + case "tcp", "tcp4", "tcp6": + return net.ResolveTCPAddr(parsedNetwork, + verifyPort(parsedAddr, defaultPort)) + case "ip", "ip4", "ip6", "udp", "udp4", "udp6", "unixgram": + return nil, fmt.Errorf("only TCP or unix socket "+ + "addresses are supported: %s", parsedAddr) + default: + // There was no network specified, just try to parse as host + // and port. + return net.ResolveTCPAddr( + "tcp", verifyPort(strAddress, defaultPort), + ) + } +} + +// verifyPort makes sure that an address string has both a host and a port. +// If there is no port found, the default port is appended. +func verifyPort(strAddress string, defaultPort string) string { + host, port, err := net.SplitHostPort(strAddress) + if err != nil { + // If we already have an IPv6 address with brackets, don't use + // the JoinHostPort function, since it will always add a pair + // of brackets too. + if strings.HasPrefix(strAddress, "[") { + strAddress = strAddress + ":" + defaultPort + } else { + strAddress = net.JoinHostPort(strAddress, defaultPort) + } + } else if host == "" && port == "" { + // The string ':' is parsed as valid empty host and empty port. + // But in that case, we want the default port to be applied too. + strAddress = ":" + defaultPort + } + + return strAddress +} + +// ClientAddressDialer creates a gRPC dialer that can also dial unix socket +// addresses instead of just TCP addresses. +func ClientAddressDialer(defaultPort string) func(string, + time.Duration) (net.Conn, error) { + return func(addr string, timeout time.Duration) (net.Conn, error) { + parsedAddr, err := ParseAddressString(addr, defaultPort) + if err != nil { + return nil, err + } + return net.DialTimeout(parsedAddr.Network(), + parsedAddr.String(), timeout) + } +} diff --git a/lncfg/address_test.go b/lncfg/address_test.go new file mode 100644 index 00000000..8453a46a --- /dev/null +++ b/lncfg/address_test.go @@ -0,0 +1,99 @@ +// +build !rpctest + +package lncfg + +import "testing" + +// addressTest defines a test vector for an address that contains the non- +// normalized input and the expected normalized output. +type addressTest struct { + address string + expectedNetwork string + expectedAddress string + isLoopback bool + isUnix bool +} + +var ( + defaultTestPort = "1234" + addressTestVectors = []addressTest{ + {"tcp://127.0.0.1:9735", "tcp", "127.0.0.1:9735", true, false}, + {"tcp:127.0.0.1:9735", "tcp", "127.0.0.1:9735", true, false}, + {"127.0.0.1:9735", "tcp", "127.0.0.1:9735", true, false}, + {":9735", "tcp", ":9735", false, false}, + {"", "tcp", ":1234", false, false}, + {":", "tcp", ":1234", false, false}, + {"tcp4://127.0.0.1:9735", "tcp", "127.0.0.1:9735", true, false}, + {"tcp4:127.0.0.1:9735", "tcp", "127.0.0.1:9735", true, false}, + {"127.0.0.1", "tcp", "127.0.0.1:1234", true, false}, + {"[::1]", "tcp", "[::1]:1234", true, false}, + {"::1", "tcp", "[::1]:1234", true, false}, + {"tcp6://::1", "tcp", "[::1]:1234", true, false}, + {"tcp6:::1", "tcp", "[::1]:1234", true, false}, + {"localhost:9735", "tcp", "127.0.0.1:9735", true, false}, + {"localhost", "tcp", "127.0.0.1:1234", true, false}, + {"unix:///tmp/lnd.sock", "unix", "/tmp/lnd.sock", false, true}, + {"unix:/tmp/lnd.sock", "unix", "/tmp/lnd.sock", false, true}, + } + invalidTestVectors = []string{ + "some string", + "://", + "12.12.12", + "123", + } +) + +// TestAddresses ensures that all supported address formats can be parsed and +// normalized correctly. +func TestAddresses(t *testing.T) { + // First, test all correct addresses. + for _, testVector := range addressTestVectors { + addr := []string{testVector.address} + normalized, err := NormalizeAddresses(addr, defaultTestPort) + if err != nil { + t.Fatalf("unable to normalize address %s: %v", + testVector.address, err) + } + netAddr := normalized[0] + if err != nil { + t.Fatalf("unable to split normalized address: %v", err) + } + if netAddr.Network() != testVector.expectedNetwork || + netAddr.String() != testVector.expectedAddress { + t.Fatalf( + "mismatched address: expected %s://%s, got "+ + "%s://%s", + testVector.expectedNetwork, + testVector.expectedAddress, + netAddr.Network(), netAddr.String(), + ) + } + isAddrLoopback := IsLoopback(normalized[0]) + if testVector.isLoopback != isAddrLoopback { + t.Fatalf( + "mismatched loopback detection: expected "+ + "%v, got %v for addr %s", + testVector.isLoopback, isAddrLoopback, + testVector.address, + ) + } + isAddrUnix := IsUnix(normalized[0]) + if testVector.isUnix != isAddrUnix { + t.Fatalf( + "mismatched unix detection: expected "+ + "%v, got %v for addr %s", + testVector.isUnix, isAddrUnix, + testVector.address, + ) + } + } + + // Finally, test invalid inputs to see if they are handled correctly. + for _, testVector := range invalidTestVectors { + addr := []string{testVector} + _, err := NormalizeAddresses(addr, defaultTestPort) + if err == nil { + t.Fatalf("expected error when parsing %v", testVector) + } + } +} diff --git a/lnd.go b/lnd.go index 93bc48e8..b05bf6e4 100644 --- a/lnd.go +++ b/lnd.go @@ -38,6 +38,7 @@ import ( "github.com/lightningnetwork/lnd/autopilot" "github.com/lightningnetwork/lnd/channeldb" "github.com/lightningnetwork/lnd/keychain" + "github.com/lightningnetwork/lnd/lncfg" "github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnwallet" "github.com/lightningnetwork/lnd/lnwallet/btcwallet" @@ -522,9 +523,11 @@ func lndMain() error { // Next, Start the gRPC server listening for HTTP/2 connections. for _, listener := range cfg.RPCListeners { - lis, err := net.Listen("tcp", listener) + lis, err := lncfg.ListenOnAddress(listener) if err != nil { - ltndLog.Errorf("RPC server unable to listen on %s", listener) + ltndLog.Errorf( + "RPC server unable to listen on %s", listener, + ) return err } defer lis.Close() @@ -536,21 +539,25 @@ func lndMain() error { // Finally, start the REST proxy for our gRPC server above. mux := proxy.NewServeMux() - err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, - cfg.RPCListeners[0], proxyOpts) + err = lnrpc.RegisterLightningHandlerFromEndpoint( + ctx, mux, cfg.RPCListeners[0].String(), proxyOpts, + ) if err != nil { return err } for _, restEndpoint := range cfg.RESTListeners { - listener, err := tls.Listen("tcp", restEndpoint, tlsConf) + lis, err := lncfg.TlsListenOnAddress(restEndpoint, tlsConf) if err != nil { - ltndLog.Errorf("gRPC proxy unable to listen on %s", restEndpoint) + ltndLog.Errorf( + "gRPC proxy unable to listen on %s", + restEndpoint, + ) return err } - defer listener.Close() + defer lis.Close() go func() { - rpcsLog.Infof("gRPC proxy started at %s", listener.Addr()) - http.Serve(listener, mux) + rpcsLog.Infof("gRPC proxy started at %s", lis.Addr()) + http.Serve(lis, mux) }() } @@ -735,6 +742,10 @@ func genCertPair(certFile, keyFile string) error { dnsNames = append(dnsNames, cfg.TLSExtraDomain) } + // Also add fake hostnames for unix sockets, otherwise hostname + // verification will fail in the client. + dnsNames = append(dnsNames, "unix", "unixpacket") + // Generate a private key for the certificate. priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { @@ -883,7 +894,7 @@ type WalletUnlockParams struct { // waitForWalletPassword will spin up gRPC and REST endpoints for the // WalletUnlocker server, and block until a password is provided by // the user to this RPC server. -func waitForWalletPassword(grpcEndpoints, restEndpoints []string, +func waitForWalletPassword(grpcEndpoints, restEndpoints []net.Addr, serverOpts []grpc.ServerOption, proxyOpts []grpc.DialOption, tlsConf *tls.Config) (*WalletUnlockParams, error) { @@ -916,17 +927,22 @@ func waitForWalletPassword(grpcEndpoints, restEndpoints []string, for _, grpcEndpoint := range grpcEndpoints { // Start a gRPC server listening for HTTP/2 connections, solely // used for getting the encryption password from the client. - lis, err := net.Listen("tcp", grpcEndpoint) + lis, err := lncfg.ListenOnAddress(grpcEndpoint) if err != nil { - ltndLog.Errorf("password RPC server unable to listen on %s", - grpcEndpoint) + ltndLog.Errorf( + "password RPC server unable to listen on %s", + grpcEndpoint, + ) return nil, err } defer lis.Close() wg.Add(1) go func() { - rpcsLog.Infof("password RPC server listening on %s", lis.Addr()) + rpcsLog.Infof( + "password RPC server listening on %s", + lis.Addr(), + ) wg.Done() grpcServer.Serve(lis) }() @@ -939,8 +955,9 @@ func waitForWalletPassword(grpcEndpoints, restEndpoints []string, mux := proxy.NewServeMux() - err := lnrpc.RegisterWalletUnlockerHandlerFromEndpoint(ctx, mux, - grpcEndpoints[0], proxyOpts) + err := lnrpc.RegisterWalletUnlockerHandlerFromEndpoint( + ctx, mux, grpcEndpoints[0].String(), proxyOpts, + ) if err != nil { return nil, err } @@ -948,17 +965,22 @@ func waitForWalletPassword(grpcEndpoints, restEndpoints []string, srv := &http.Server{Handler: mux} for _, restEndpoint := range restEndpoints { - lis, err := tls.Listen("tcp", restEndpoint, tlsConf) + lis, err := lncfg.TlsListenOnAddress(restEndpoint, tlsConf) if err != nil { - ltndLog.Errorf("password gRPC proxy unable to listen on %s", - restEndpoint) + ltndLog.Errorf( + "password gRPC proxy unable to listen on %s", + restEndpoint, + ) return nil, err } defer lis.Close() wg.Add(1) go func() { - rpcsLog.Infof("password gRPC proxy started at %s", lis.Addr()) + rpcsLog.Infof( + "password gRPC proxy started at %s", + lis.Addr(), + ) wg.Done() srv.Serve(lis) }() diff --git a/sample-lnd.conf b/sample-lnd.conf index 8d3e9262..3344bf18 100644 --- a/sample-lnd.conf +++ b/sample-lnd.conf @@ -14,7 +14,7 @@ ; Number of logfiles that the log rotation should keep. Setting it to 0 disables deletion of old log files. ; maxlogfiles=3 -; +; ; Max log file size in MB before it is rotated. ; maxlogfilesize=10 @@ -29,7 +29,7 @@ ; the line below. ; no-macaroons=true -; Path to write the admin macaroon for lnd's RPC and REST services if it +; Path to write the admin macaroon for lnd's RPC and REST services if it ; doesn't exist. This can be set if one wishes to store the admin macaroon in a ; distinct location. By default, it is stored within lnd's main home directory. ; Applications that are able to read this file, gains admin macaroon access @@ -38,11 +38,11 @@ ; Path to write the read-only macaroon for lnd's RPC and REST services if it ; doesn't exist. This can be set if one wishes to store the read-only macaroon ; in a distinct location. The read only macaroon allows users which can read -; the file to access RPC's which don't modify the state of the daemon. +; the file to access RPCs which don't modify the state of the daemon. ; readonlymacaroonpath=~/.lnd/readonly.macaroon - -; Specify the interfaces to listen on for p2p connections. One listen + +; Specify the interfaces to listen on for p2p connections. One listen ; address per line. ; All ipv4 on port 9735: ; listen=0.0.0.0:9735 @@ -50,25 +50,29 @@ ; listen=0.0.0.0:9735 ; listen=[::1]:9736 -; Disable listening for incoming p2p connections. This will override all +; Disable listening for incoming p2p connections. This will override all ; listeners. ; nolisten=1 -; Specify the interfaces to listen on for gRPC connections. One listen +; Specify the interfaces to listen on for gRPC connections. One listen ; address per line. ; Only ipv4 localhost on port 10009: ; rpclisten=localhost:10009 ; On ipv4 localhost port 10009 and ipv6 port 10010: ; rpclisten=localhost:10009 ; rpclisten=[::1]:10010 +; On an Unix socket: +; rpclisten=unix:///var/run/lnd/lnd-rpclistener.sock -; Specify the interfaces to listen on for REST connections. One listen +; Specify the interfaces to listen on for REST connections. One listen ; address per line. ; All ipv4 interfaces on port 8080: ; restlisten=0.0.0.0:8080 ; On ipv4 localhost port 80 and 443: ; restlisten=localhost:80 ; restlisten=localhost:443 +; On an Unix socket: +; restlisten=unix:///var/run/lnd-restlistener.sock ; Adding an external IP will advertise your node to the network. This signals @@ -135,7 +139,7 @@ bitcoin.active=1 ; Use Bitcoin's test network. ; bitcoin.testnet=1 -; +; ; Use Bitcoin's simulation test network bitcoin.simnet=1 @@ -146,7 +150,7 @@ bitcoin.simnet=1 bitcoin.node=btcd ; Use the bitcoind back-end -; bitcoin.node=bitcoind +; bitcoin.node=bitcoind ; Use the neutrino (light client) back-end ; bitcoin.node=neutrino @@ -163,7 +167,7 @@ bitcoin.node=btcd ; setting is assumed to be localhost with the default port for the current ; network. ; btcd.rpchost=localhost - + ; Username for RPC connections to btcd. By default, lnd will attempt to ; automatically obtain the credentials, so this likely won't need to be set ; (other than for simnet mode). @@ -181,7 +185,7 @@ bitcoin.node=btcd ; The raw bytes of the daemon's PEM-encoded certificate chain which will be used ; to authenticate the RPC connection. This only needs to be set if the btcd ; node is on a remote host. -; btcd.rawrpccert= +; btcd.rawrpccert= [Bitcoind] @@ -190,7 +194,7 @@ bitcoin.node=btcd ; setting is assumed to be localhost with the default port for the current ; network. ; bitcoind.rpchost=localhost - + ; Username for RPC connections to bitcoind. By default, lnd will attempt to ; automatically obtain the credentials, so this likely won't need to be set ; (other than for a remote bitcoind instance). @@ -205,7 +209,7 @@ bitcoin.node=btcd ; bitcoind. By default, lnd will attempt to automatically obtain this ; information, so this likely won't need to be set (other than for a remote ; bitcoind instance). -; bitcoind.zmqpath=tcp://127.0.0.1:28332 +; bitcoind.zmqpath=tcp://127.0.0.1:28332 [neutrino] @@ -232,7 +236,7 @@ bitcoin.node=btcd litecoin.node=ltcd ; Use the litecoind back-end -; litecoin.node=litecoind +; litecoin.node=litecoind [Ltcd] @@ -241,7 +245,7 @@ litecoin.node=ltcd ; setting is assumed to be localhost with the default port for the current ; network. ; ltcd.rpchost=localhost - + ; Username for RPC connections to ltcd. By default, lnd will attempt to ; automatically obtain the credentials, so this likely won't need to be set ; (other than for simnet mode). @@ -259,7 +263,7 @@ litecoin.node=ltcd ; The raw bytes of the daemon's PEM-encoded certificate chain which will be used ; to authenticate the RPC connection. This only needs to be set if the ltcd ; node is on a remote host. -; ltcd.rawrpccert= +; ltcd.rawrpccert= [Litecoind] @@ -268,7 +272,7 @@ litecoin.node=ltcd ; setting is assumed to be localhost with the default port for the current ; network. ; litecoind.rpchost=localhost - + ; Username for RPC connections to litecoind. By default, lnd will attempt to ; automatically obtain the credentials, so this likely won't need to be set ; (other than for a remote litecoind instance). @@ -305,7 +309,7 @@ litecoin.node=ltcd [tor] ; The port that Tor's exposed SOCKS5 proxy is listening on. Using Tor allows ; outbound-only connections (listening will be disabled) -- NOTE port must be -; between 1024 and 65535 +; between 1024 and 65535 ; tor.socks=9050 ; The DNS server as IP:PORT that Tor will use for SRV queries - NOTE must have diff --git a/server.go b/server.go index 743affb1..ebdd6e27 100644 --- a/server.go +++ b/server.go @@ -24,6 +24,7 @@ import ( "github.com/lightningnetwork/lnd/contractcourt" "github.com/lightningnetwork/lnd/discovery" "github.com/lightningnetwork/lnd/htlcswitch" + "github.com/lightningnetwork/lnd/lncfg" "github.com/lightningnetwork/lnd/lnpeer" "github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnwallet" @@ -85,7 +86,7 @@ type server struct { // listenAddrs is the list of addresses the server is currently // listening on. - listenAddrs []string + listenAddrs []net.Addr // torController is a client that will communicate with a locally // running Tor server. This client will handle initiating and @@ -207,17 +208,19 @@ func parseAddr(address string) (net.Addr, error) { // newServer creates a new instance of the server which is to listen using the // passed listener address. -func newServer(listenAddrs []string, chanDB *channeldb.DB, cc *chainControl, +func newServer(listenAddrs []net.Addr, chanDB *channeldb.DB, cc *chainControl, privKey *btcec.PrivateKey) (*server, error) { var err error listeners := make([]net.Listener, len(listenAddrs)) - for i, addr := range listenAddrs { + for i, listenAddr := range listenAddrs { // Note: though brontide.NewListener uses ResolveTCPAddr, it // doesn't need to call the general lndResolveTCP function // since we are resolving a local address. - listeners[i], err = brontide.NewListener(privKey, addr) + listeners[i], err = brontide.NewListener( + privKey, listenAddr.String(), + ) if err != nil { return nil, err } @@ -363,14 +366,17 @@ func newServer(listenAddrs []string, chanDB *channeldb.DB, cc *chainControl, // If we were requested to automatically configure port forwarding, // we'll use the ports that the server will be listening on. - externalIPs := cfg.ExternalIPs + externalIpStrings := make([]string, len(cfg.ExternalIPs)) + for idx, ip := range cfg.ExternalIPs { + externalIpStrings[idx] = ip.String() + } if s.natTraversal != nil { listenPorts := make([]uint16, 0, len(listenAddrs)) for _, listenAddr := range listenAddrs { // At this point, the listen addresses should have // already been normalized, so it's safe to ignore the // errors. - _, portStr, _ := net.SplitHostPort(listenAddr) + _, portStr, _ := net.SplitHostPort(listenAddr.String()) port, _ := strconv.Atoi(portStr) listenPorts = append(listenPorts, uint16(port)) @@ -385,23 +391,21 @@ func newServer(listenAddrs []string, chanDB *channeldb.DB, cc *chainControl, srvrLog.Infof("Automatically set up port forwarding "+ "using %s to advertise external IP", s.natTraversal.Name()) - externalIPs = append(externalIPs, ips...) + externalIpStrings = append(externalIpStrings, ips...) } } // If external IP addresses have been specified, add those to the list // of this server's addresses. - externalIPs = normalizeAddresses( - externalIPs, strconv.Itoa(defaultPeerPort), + externalIPs, err := lncfg.NormalizeAddresses( + externalIpStrings, strconv.Itoa(defaultPeerPort), ) + if err != nil { + return nil, err + } selfAddrs := make([]net.Addr, 0, len(externalIPs)) for _, ip := range cfg.ExternalIPs { - addr, err := parseAddr(ip) - if err != nil { - return nil, err - } - - selfAddrs = append(selfAddrs, addr) + selfAddrs = append(selfAddrs, ip) } // If we were requested to route connections through Tor and to @@ -881,7 +885,7 @@ func (s *server) watchExternalIP() { // them when detecting a new IP. ipsSetByUser := make(map[string]struct{}) for _, ip := range cfg.ExternalIPs { - ipsSetByUser[ip] = struct{}{} + ipsSetByUser[ip.String()] = struct{}{} } forwardedPorts := s.natTraversal.ForwardedPorts() @@ -1246,7 +1250,7 @@ func (s *server) initTorController() error { for _, listenAddr := range s.listenAddrs { // At this point, the listen addresses should have already been // normalized, so it's safe to ignore the errors. - _, portStr, _ := net.SplitHostPort(listenAddr) + _, portStr, _ := net.SplitHostPort(listenAddr.String()) port, _ := strconv.Atoi(portStr) listenPorts[port] = struct{}{} }