Add TLS capability to the beacon node HTTP API (#2668)

Currently, the beacon node has no ability to serve the HTTP API over TLS. Adding this functionality would be helpful for certain use cases, such as when you need a validator client to connect to a backup beacon node which is outside your local network, and the use of an SSH tunnel or reverse proxy would be inappropriate. ## Proposed Changes - Add three new CLI flags to the beacon node - `--http-enable-tls`: enables TLS - `--http-tls-cert`: to specify the path to the certificate file - `--http-tls-key`: to specify the path to the key file - Update the HTTP API to optionally use `warp`'s [`TlsServer`](https://docs.rs/warp/0.3.1/warp/struct.TlsServer.html) depending on the presence of the `--http-enable-tls` flag - Update tests and docs - Use a custom branch for `warp` to ensure proper error handling ## Additional Info Serving the API over TLS should currently be considered experimental. The reason for this is that it uses code from an [unmerged PR](https://github.com/seanmonstar/warp/pull/717). This commit provides the `try_bind_with_graceful_shutdown` method to `warp`, which is helpful for controlling error flow when the TLS configuration is invalid (cert/key files don't exist, incorrect permissions, etc). I've implemented the same code in my [branch here](https://github.com/macladson/warp/tree/tls). Once the code has been reviewed and merged upstream into `warp`, we can remove the dependency on my branch and the feature can be considered more stable. Currently, the private key file must not be password-protected in order to be read into Lighthouse.
2026-03-17 11:52:42 +00:00 · 2021-10-12 03:35:49 +00:00
parent 0aee7ec873
commit a73d698e30
12 changed files with 191 additions and 17 deletions
--- a/beacon_node/Cargo.toml
+++ b/beacon_node/Cargo.toml
@@ -38,3 +38,4 @@ hex = "0.4.2"
 slasher = { path = "../slasher" }
 monitoring_api = { path = "../common/monitoring_api" }
 sensitive_url = { path = "../common/sensitive_url" }
+http_api = { path = "http_api" }
--- a/beacon_node/http_api/Cargo.toml
+++ b/beacon_node/http_api/Cargo.toml
@@ -6,7 +6,7 @@ edition = "2018"
 autotests = false # using a single test binary compiles faster

 [dependencies]
-warp = { git = "https://github.com/paulhauner/warp ", branch = "cors-wildcard" }
+warp = { git = "https://github.com/macladson/warp", rev ="dfa259e", features = ["tls"] }
 serde = { version = "1.0.116", features = ["derive"] }
 tokio = { version = "1.10.0", features = ["macros","sync"] }
 tokio-stream = { version = "0.1.3", features = ["sync"] }
--- a/beacon_node/http_api/src/lib.rs
+++ b/beacon_node/http_api/src/lib.rs
@@ -36,6 +36,8 @@ use std::borrow::Cow;
 use std::convert::TryInto;
 use std::future::Future;
 use std::net::{Ipv4Addr, SocketAddr, SocketAddrV4};
+use std::path::PathBuf;
+use std::pin::Pin;
 use std::sync::Arc;
 use tokio::sync::mpsc::UnboundedSender;
 use tokio_stream::{wrappers::BroadcastStream, StreamExt};
@@ -61,6 +63,16 @@ const API_PREFIX: &str = "eth";
 /// finalized head.
 const SYNC_TOLERANCE_EPOCHS: u64 = 8;

+/// A custom type which allows for both unsecured and TLS-enabled HTTP servers.
+type HttpServer = (SocketAddr, Pin<Box<dyn Future<Output = ()> + Send>>);
+
+/// Configuration used when serving the HTTP server over TLS.
+#[derive(PartialEq, Debug, Clone, Serialize, Deserialize)]
+pub struct TlsConfig {
+    pub cert: PathBuf,
+    pub key: PathBuf,
+}
+
 /// A wrapper around all the items required to spawn the HTTP server.
 ///
 /// The server will gracefully handle the case where any fields are `None`.
@@ -81,6 +93,7 @@ pub struct Config {
    pub listen_port: u16,
    pub allow_origin: Option<String>,
    pub serve_legacy_spec: bool,
+    pub tls_config: Option<TlsConfig>,
 }

 impl Default for Config {
@@ -91,6 +104,7 @@ impl Default for Config {
            listen_port: 5052,
            allow_origin: None,
            serve_legacy_spec: true,
+            tls_config: None,
        }
    }
 }
@@ -218,7 +232,7 @@ pub fn prometheus_metrics() -> warp::filters::log::Log<impl Fn(warp::filters::lo
 pub fn serve<T: BeaconChainTypes>(
    ctx: Arc<Context<T>>,
    shutdown: impl Future<Output = ()> + Send + Sync + 'static,
-) -> Result<(SocketAddr, impl Future<Output = ()>), Error> {
+) -> Result<HttpServer, Error> {
    let config = ctx.config.clone();
    let log = ctx.log.clone();

@@ -2587,22 +2601,37 @@ pub fn serve<T: BeaconChainTypes>(
        .map(|reply| warp::reply::with_header(reply, "Server", &version_with_platform()))
        .with(cors_builder.build());

-    let (listening_socket, server) = {
-        warp::serve(routes).try_bind_with_graceful_shutdown(
-            SocketAddrV4::new(config.listen_addr, config.listen_port),
-            async {
-                shutdown.await;
-            },
-        )?
+    let http_socket: SocketAddrV4 = SocketAddrV4::new(config.listen_addr, config.listen_port);
+    let http_server: HttpServer = match config.tls_config {
+        Some(tls_config) => {
+            let (socket, server) = warp::serve(routes)
+                .tls()
+                .cert_path(tls_config.cert)
+                .key_path(tls_config.key)
+                .try_bind_with_graceful_shutdown(http_socket, async {
+                    shutdown.await;
+                })?;
+
+            info!(log, "HTTP API is being served over TLS";);
+
+            (socket, Box::pin(server))
+        }
+        None => {
+            let (socket, server) =
+                warp::serve(routes).try_bind_with_graceful_shutdown(http_socket, async {
+                    shutdown.await;
+                })?;
+            (socket, Box::pin(server))
+        }
    };

    info!(
        log,
        "HTTP API started";
-        "listen_address" => listening_socket.to_string(),
+        "listen_address" => %http_server.0,
    );

-    Ok((listening_socket, server))
+    Ok(http_server)
 }

 /// Publish a message to the libp2p pubsub network.
--- a/beacon_node/http_api/tests/common.rs
+++ b/beacon_node/http_api/tests/common.rs
@@ -131,6 +131,7 @@ pub async fn create_api_server<T: BeaconChainTypes>(
            listen_port: 0,
            allow_origin: None,
            serve_legacy_spec: true,
+            tls_config: None,
        },
        chain: Some(chain.clone()),
        network_tx: Some(network_tx),
--- a/beacon_node/http_metrics/Cargo.toml
+++ b/beacon_node/http_metrics/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [dependencies]
-warp = { git = "https://github.com/paulhauner/warp ", branch = "cors-wildcard" }
+warp = { git = "https://github.com/macladson/warp", rev ="dfa259e" }
 serde = { version = "1.0.116", features = ["derive"] }
 slog = "2.5.2"
 beacon_chain = { path = "../beacon_chain" }
--- a/beacon_node/src/cli.rs
+++ b/beacon_node/src/cli.rs
@@ -217,6 +217,29 @@ pub fn cli_app<'a, 'b>() -> App<'a, 'b> {
                .help("Disable serving of legacy data on the /config/spec endpoint. May be \
                       disabled by default in a future release.")
        )
+        .arg(
+            Arg::with_name("http-enable-tls")
+                .long("http-enable-tls")
+                .help("Serves the RESTful HTTP API server over TLS. This feature is currently \
+                    experimental.")
+                .takes_value(false)
+                .requires("http-tls-cert")
+                .requires("http-tls-key")
+        )
+        .arg(
+            Arg::with_name("http-tls-cert")
+                .long("http-tls-cert")
+                .help("The path of the certificate to be used when serving the HTTP API server \
+                    over TLS.")
+                .takes_value(true)
+        )
+        .arg(
+            Arg::with_name("http-tls-key")
+                .long("http-tls-key")
+                .help("The path of the private key to be used when serving the HTTP API server \
+                    over TLS. Must not be password-protected.")
+                .takes_value(true)
+        )
        /* Prometheus metrics HTTP server related arguments */
        .arg(
            Arg::with_name("metrics")
--- a/beacon_node/src/config.rs
+++ b/beacon_node/src/config.rs
@@ -4,6 +4,7 @@ use client::{ClientConfig, ClientGenesis};
 use directory::{DEFAULT_BEACON_NODE_DIR, DEFAULT_NETWORK_DIR, DEFAULT_ROOT_DIR};
 use eth2_libp2p::{multiaddr::Protocol, Enr, Multiaddr, NetworkConfig, PeerIdSerialized};
 use eth2_network_config::{Eth2NetworkConfig, DEFAULT_HARDCODED_NETWORK};
+use http_api::TlsConfig;
 use sensitive_url::SensitiveUrl;
 use slog::{info, warn, Logger};
 use std::cmp;
@@ -111,6 +112,21 @@ pub fn get_config<E: EthSpec>(
        client_config.http_api.serve_legacy_spec = false;
    }

+    if cli_args.is_present("http-enable-tls") {
+        client_config.http_api.tls_config = Some(TlsConfig {
+            cert: cli_args
+                .value_of("http-tls-cert")
+                .ok_or("--http-tls-cert was not provided.")?
+                .parse::<PathBuf>()
+                .map_err(|_| "http-tls-cert is not a valid path name.")?,
+            key: cli_args
+                .value_of("http-tls-key")
+                .ok_or("--http-tls-key was not provided.")?
+                .parse::<PathBuf>()
+                .map_err(|_| "http-tls-key is not a valid path name.")?,
+        });
+    }
+
    /*
     * Prometheus metrics HTTP server
     */