From 86d5facaa2d55594dee64e24d038ad1925461e32 Mon Sep 17 00:00:00 2001
From: yyforyongyu
Date: Tue, 21 Jul 2020 18:12:13 +0800
Subject: [PATCH] docs: update no-macaroons option in macaroon

---
 config.go | 2 +-
 docs/macaroons.md | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/config.go b/config.go
index 368661ba..77a0ea23 100644
--- a/config.go
+++ b/config.go
@@ -146,7 +146,7 @@ type Config struct {
 TLSExtraDomains []string `long:"tlsextradomain" description:"Adds an extra domain to the generated certificate"`
 TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed"`
- NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication"`
+ NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication, can only be used if server is not listening on a public interface."`
 AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
 ReadMacPath string `long:"readonlymacaroonpath" description:"Path to write the read-only macaroon for lnd's RPC and REST services if it doesn't exist"`
 InvoiceMacPath string `long:"invoicemacaroonpath" description:"Path to the invoice-only macaroon for lnd's RPC and REST services if it doesn't exist"`
diff --git a/docs/macaroons.md b/docs/macaroons.md
index aae12d1d..b1ed988c 100644
--- a/docs/macaroons.md
+++ b/docs/macaroons.md
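Review bot: The new `description` on the `NoMacaroons` field says the flag "can only be used if server is not listening on a public interface" without saying what counts as public or what happens otherwise, and nothing in this hunk shows the check that enforces it, so an operator reading `--help` cannot tell whether the common loopback-only setup qualifies. The companion docs hunk enumerates link-local, multicast, RFC 1918 and ULA ranges but never mentions `127.0.0.0/8` or `::1`, so the two texts should be reconciled against whatever validates `RPCListeners` (not visible here). I'd tighten it to `description:"Disable macaroon authentication. Can only be used if the RPC server is not listening on a public interface; startup is refused otherwise."` if that is indeed what the enforcement does. It is also worth a sentence, in the docs rather than the tag, that a private-range address is only a heuristic for a trusted network: every host that can reach the listener then has unauthenticated admin RPC access. The `Config` struct begins before this hunk.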
@@ -81,7 +81,14 @@ methods. This means a few important things:
 You can also run `lnd` with the `--no-macaroons` option, which skips the
 creation of the macaroon files and all macaroon checks within the RPC server.
 This means you can still pass a macaroon to the RPC server with a client, but
-it won't be checked for validity.
+it won't be checked for validity. Note that disabling authentication of a server
+that's listening on a public interface is not allowed. This means the
+`--no-macaroons` option is only permitted when the RPC server is in a private
+network. In CIDR notation, the following IPs are considered private,
+- [`169.254.0.0/16` and `fe80::/10`](https://en.wikipedia.org/wiki/Link-local_address).
+- [`224.0.0.0/4` and `ff00::/8`](https://en.wikipedia.org/wiki/Multicast_address).
+- [`10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`](https://tools.ietf.org/html/rfc1918).
+- [`fc00::/7`](https://tools.ietf.org/html/rfc4193).
 
 Since `lnd` requires macaroons by default in order to call RPC methods, `lncli`
 now reads a macaroon and provides it in the RPC call. Unless the path is