Adding the ability to move the API from HTTP to HTTPS over TLS. #7573
Replies: 5 comments 8 replies
-
The lotus team may consider accepting a well-written and self-contained patch adding this feature, but it's not going to be a priority for the core team and there are some significant security concerns. Users should use something like nginx as a reverse proxy to handle HTTPS, as these tools are very carefully written to:
The lotus API endpoint simply isn't designed to be exposed to the public internet unprotected. We're going to add some documentation to make that clear. While this can be difficult to set up, exposing the lotus API to the internet without having the expertise to deploy something like this is a bad idea. Lotus nodes are a very juicy target.
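One way to set up the reverse proxy suggested above, as an added example that is not part of the original discussion or the Lotus project's own configuration. It assumes the Lotus API listens on 127.0.0.1:1234 and serves JSON-RPC under /rpc/; the hostname, certificate paths and limit values are placeholders.

```nginx
# Added example (not Lotus project config). These blocks go in the http context.
# Assumed: Lotus API on 127.0.0.1:1234, JSON-RPC under /rpc/.

# Per-client-IP request rate and concurrent-connection tracking.
limit_req_zone  $binary_remote_addr zone=lotus_req:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=lotus_conn:10m;

# Only ask the backend for a protocol upgrade when the client did.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name lotus.example.internal;             # placeholder hostname

    ssl_certificate     /etc/nginx/tls/lotus.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/lotus.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Slow-client (slow loris style) protection: drop connections that
    # trickle request headers or bodies.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    client_max_body_size  1m;                       # placeholder limit

    location /rpc/ {
        limit_req  zone=lotus_req burst=20 nodelay;
        limit_conn lotus_conn 10;

        # The API token in the Authorization header is forwarded unchanged,
        # but it now crosses the network only inside TLS.
        proxy_pass http://127.0.0.1:1234;
        proxy_http_version 1.1;
        proxy_set_header Host       $host;
        proxy_set_header Upgrade    $http_upgrade;  # JSON-RPC over WebSocket
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 300s;
    }

    # Refuse anything outside the RPC path.
    location / { return 404; }
}
```

With this in place the Lotus API itself stays bound to loopback, so the plain-HTTP listener is never reachable from other hosts.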
-
@Stebalien, I agree with you completely. Myself, I run it behind a hardware Fortigate firewall with IPS, DoS and deep inspection. But it doesn't change the fact that within the network, if a malicious attacker was sniffing traffic (man-in-the-middle), the API key would have been exposed in plain text when the Market node was communicating with the Miner node. Therefore I think it should be possible, and the choice should be left up to the person implementing the Lotus solution within their network/infrastructure, whether they want http or https connectivity between Lotus, Market, Miner ... Also, a little side note. I noticed that there are a lot of people that run Lotus routed over the internet with only a Linux firewall on the machine itself filtering ports, but don't have anything that protects them against: Handle network DoS attacks (slow loris, rate limit, etc.) - like you mentioned. @jennijuju @Stefaan-V, I think it's really important to have a look at how people build their infrastructure with security in mind. Like we already discussed, potentially setting up a workshop of some kind around security. @Stebalien, thanks for your reply and insights 👍
-
You can always offload the TLS to a proxy - on both ends. In the end it's just http traffic. We access lotus on the miners via vpn/ssh tunnels, for example. That would work network-internally too.
-
@f8-ptrk, I agree that works too. I'm just trying to create awareness around that. It does involve a more complex setup on the infrastructure side, running a proxy / vpn tunnel / or other between hosts for host-to-host http encryption. Would be nice if it's available in the software we are using ...
-
Yes, like we discussed on Slack, Let's Encrypt would help on the public side; internally that would involve self-signed certs (more admin, like you mentioned) or a way to use a wildcard Let's Encrypt cert and distribute that (that's what I do sometimes for other apps (not lotus) - have a node request the wildcard cert publicly and then distribute it to other nodes). (All nodes internally have to be reachable on FQDN that way.)
-
Design summary
The reasoning behind this is to make sure no API data/commands are being read during a man-in-the-middle attack.
Just an idea because the other day when I was migrating my market node on a separate machine and started the dagstore migration I saw the miner API key going through my network in clear text. TLS/HTTPS would have protected my key in that case.