diff --git a/lnd.go b/lnd.go index 464d71de..f1445fcf 100644 --- a/lnd.go +++ b/lnd.go @@ -270,7 +270,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error { defer cleanUp() // Only process macaroons if --no-macaroons isn't set. - tlsCfg, restCreds, restProxyDest, cleanUp, err := getTLSConfig(cfg) + serverOpts, restDialOpts, restListen, cleanUp, err := getTLSConfig(cfg) if err != nil { err := fmt.Errorf("unable to load TLS credentials: %v", err) ltndLog.Error(err) @@ -279,19 +279,20 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error { defer cleanUp() - serverCreds := credentials.NewTLS(tlsCfg) - serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)} + // We use the first RPC listener as the destination for our REST proxy. + // If the listener is set to listen on all interfaces, we replace it + // with localhost, as we cannot dial it directly. + restProxyDest := cfg.RPCListeners[0].String() + switch { + case strings.Contains(restProxyDest, "0.0.0.0"): + restProxyDest = strings.Replace( + restProxyDest, "0.0.0.0", "127.0.0.1", 1, + ) - // For our REST dial options, we'll still use TLS, but also increase - // the max message size that we'll decode to allow clients to hit - // endpoints which return more data such as the DescribeGraph call. - // We set this to 200MiB atm. Should be the same value as maxMsgRecvSize - // in cmd/lncli/main.go. - restDialOpts := []grpc.DialOption{ - grpc.WithTransportCredentials(*restCreds), - grpc.WithDefaultCallOptions( - grpc.MaxCallRecvMsgSize(1 * 1024 * 1024 * 200), - ), + case strings.Contains(restProxyDest, "[::]"): + restProxyDest = strings.Replace( + restProxyDest, "[::]", "[::1]", 1, + ) } // Before starting the wallet, we'll create and start our Neutrino @@ -380,7 +381,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error { if !cfg.NoSeedBackup { params, shutdown, err := waitForWalletPassword( cfg, cfg.RESTListeners, serverOpts, restDialOpts, - restProxyDest, tlsCfg, walletUnlockerListeners, + restProxyDest, restListen, walletUnlockerListeners, ) if err != nil { err := fmt.Errorf("unable to set up wallet password "+ @@ -730,7 +731,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error { rpcServer, err := newRPCServer( cfg, server, macaroonService, cfg.SubRPCServers, serverOpts, restDialOpts, restProxyDest, atplManager, server.invoices, - tower, tlsCfg, rpcListeners, chainedAcceptor, + tower, restListen, rpcListeners, chainedAcceptor, ) if err != nil { err := fmt.Errorf("unable to create RPC server: %v", err) @@ -832,8 +833,8 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error { // getTLSConfig returns a TLS configuration for the gRPC server and credentials // and a proxy destination for the REST reverse proxy. -func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, - string, func(), error) { +func getTLSConfig(cfg *Config) ([]grpc.ServerOption, []grpc.DialOption, + func(net.Addr) (net.Listener, error), func(), error) { // Ensure we create TLS key and certificate if they don't exist. if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) { @@ -844,7 +845,7 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, cfg.TLSDisableAutofill, cert.DefaultAutogenValidity, ) if err != nil { - return nil, nil, "", nil, err + return nil, nil, nil, nil, err } rpcsLog.Infof("Done generating TLS certificates") } @@ -853,7 +854,7 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, cfg.TLSCertPath, cfg.TLSKeyPath, ) if err != nil { - return nil, nil, "", nil, err + return nil, nil, nil, nil, err } // We check whether the certifcate we have on disk match the IPs and @@ -867,7 +868,7 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, cfg.TLSExtraDomains, cfg.TLSDisableAutofill, ) if err != nil { - return nil, nil, "", nil, err + return nil, nil, nil, nil, err } } @@ -879,12 +880,12 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, err := os.Remove(cfg.TLSCertPath) if err != nil { - return nil, nil, "", nil, err + return nil, nil, nil, nil, err } err = os.Remove(cfg.TLSKeyPath) if err != nil { - return nil, nil, "", nil, err + return nil, nil, nil, nil, err } rpcsLog.Infof("Renewing TLS certificates...") @@ -894,7 +895,7 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, cfg.TLSDisableAutofill, cert.DefaultAutogenValidity, ) if err != nil { - return nil, nil, "", nil, err + return nil, nil, nil, nil, err } rpcsLog.Infof("Done renewing TLS certificates") @@ -903,7 +904,7 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, cfg.TLSCertPath, cfg.TLSKeyPath, ) if err != nil { - return nil, nil, "", nil, err + return nil, nil, nil, nil, err } } @@ -911,20 +912,7 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, restCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "") if err != nil { - return nil, nil, "", nil, err - } - - restProxyDest := cfg.RPCListeners[0].String() - switch { - case strings.Contains(restProxyDest, "0.0.0.0"): - restProxyDest = strings.Replace( - restProxyDest, "0.0.0.0", "127.0.0.1", 1, - ) - - case strings.Contains(restProxyDest, "[::]"): - restProxyDest = strings.Replace( - restProxyDest, "[::]", "[::1]", 1, - ) + return nil, nil, nil, nil, err } // If Let's Encrypt is enabled, instantiate autocert to request/renew @@ -984,7 +972,28 @@ func getTLSConfig(cfg *Config) (*tls.Config, *credentials.TransportCredentials, tlsCfg.GetCertificate = getCertificate } - return tlsCfg, &restCreds, restProxyDest, cleanUp, nil + serverCreds := credentials.NewTLS(tlsCfg) + serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)} + + // For our REST dial options, we'll still use TLS, but also increase + // the max message size that we'll decode to allow clients to hit + // endpoints which return more data such as the DescribeGraph call. + // We set this to 200MiB atm. Should be the same value as maxMsgRecvSize + // in cmd/lncli/main.go. + restDialOpts := []grpc.DialOption{ + grpc.WithTransportCredentials(restCreds), + grpc.WithDefaultCallOptions( + grpc.MaxCallRecvMsgSize(1 * 1024 * 1024 * 200), + ), + } + + // Return a function closure that can be used to listen on a given + // address with the current TLS config. + restListen := func(addr net.Addr) (net.Listener, error) { + return lncfg.TLSListenOnAddress(addr, tlsCfg) + } + + return serverOpts, restDialOpts, restListen, cleanUp, nil } // fileExists reports whether the named file or directory exists. @@ -1109,7 +1118,7 @@ type WalletUnlockParams struct { // the user to this RPC server. func waitForWalletPassword(cfg *Config, restEndpoints []net.Addr, serverOpts []grpc.ServerOption, restDialOpts []grpc.DialOption, - restProxyDest string, tlsConf *tls.Config, + restProxyDest string, restListen func(net.Addr) (net.Listener, error), getListeners rpcListeners) (*WalletUnlockParams, func(), error) { chainConfig := cfg.Bitcoin @@ -1188,7 +1197,7 @@ func waitForWalletPassword(cfg *Config, restEndpoints []net.Addr, srv := &http.Server{Handler: allowCORS(mux, cfg.RestCORS)} for _, restEndpoint := range restEndpoints { - lis, err := lncfg.TLSListenOnAddress(restEndpoint, tlsConf) + lis, err := restListen(restEndpoint) if err != nil { ltndLog.Errorf("Password gRPC proxy unable to listen "+ "on %s", restEndpoint) diff --git a/rpcserver.go b/rpcserver.go index 8d39547f..eabd9ad1 100644 --- a/rpcserver.go +++ b/rpcserver.go @@ -3,12 +3,12 @@ package lnd import ( "bytes" "context" - "crypto/tls" "encoding/hex" "errors" "fmt" "io" "math" + "net" "net/http" "runtime" "sort" @@ -512,9 +512,10 @@ type rpcServer struct { // restProxyDest is the address to forward REST requests to. restProxyDest string - // tlsCfg is the TLS config that allows the REST server proxy to - // connect to the main gRPC server to proxy all incoming requests. - tlsCfg *tls.Config + // restListen is a function closure that allows the REST server proxy to + // connect to the main gRPC server to proxy all incoming requests, + // applying the current TLS configuration, if any. + restListen func(net.Addr) (net.Listener, error) // routerBackend contains the backend implementation of the router // rpc sub server. @@ -551,7 +552,8 @@ func newRPCServer(cfg *Config, s *server, macService *macaroons.Service, subServerCgs *subRPCServerConfigs, serverOpts []grpc.ServerOption, restDialOpts []grpc.DialOption, restProxyDest string, atpl *autopilot.Manager, invoiceRegistry *invoices.InvoiceRegistry, - tower *watchtower.Standalone, tlsCfg *tls.Config, + tower *watchtower.Standalone, + restListen func(net.Addr) (net.Listener, error), getListeners rpcListeners, chanPredicate *chanacceptor.ChainedAcceptor) (*rpcServer, error) { @@ -754,7 +756,7 @@ func newRPCServer(cfg *Config, s *server, macService *macaroons.Service, listenerCleanUp: []func(){cleanup}, restProxyDest: restProxyDest, subServers: subServers, - tlsCfg: tlsCfg, + restListen: restListen, grpcServer: grpcServer, server: s, routerBackend: routerBackend, @@ -901,7 +903,7 @@ func (r *rpcServer) Start() error { // Now spin up a network listener for each requested port and start a // goroutine that serves REST with the created mux there. for _, restEndpoint := range r.cfg.RESTListeners { - lis, err := lncfg.TLSListenOnAddress(restEndpoint, r.tlsCfg) + lis, err := r.restListen(restEndpoint) if err != nil { ltndLog.Errorf("gRPC proxy unable to listen on %s", restEndpoint)