node: implement --authrpc.vhosts flag

ethereum · Mar 14, 2022 · 0449ff5 · 0449ff5
1 parent 6f88cec
commit 0449ff5
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 1 deletion.
diff --git a/cmd/geth/main.go b/cmd/geth/main.go
@@ -167,6 +167,7 @@ var (
 		utils.HTTPCORSDomainFlag,
 		utils.AuthHostFlag,
 		utils.AuthPortFlag,
+		utils.AuthVirtualHostsFlag,
 		utils.JWTSecretFlag,
 		utils.HTTPVirtualHostsFlag,
 		utils.GraphQLEnabledFlag,

diff --git a/cmd/geth/usage.go b/cmd/geth/usage.go
@@ -152,6 +152,7 @@ var AppHelpFlagGroups = []flags.FlagGroup{
 			utils.JWTSecretFlag,
 			utils.AuthHostFlag,
 			utils.AuthPortFlag,
+			utils.AuthVirtualHostsFlag,
 			utils.GraphQLEnabledFlag,
 			utils.GraphQLCORSDomainFlag,
 			utils.GraphQLVirtualHostsFlag,

diff --git a/cmd/utils/flags.go b/cmd/utils/flags.go
@@ -533,6 +533,11 @@ var (
 		Usage: "Listening port for authenticated APIs",
 		Value: node.DefaultConfig.AuthPort,
 	}
+	AuthVirtualHostsFlag = cli.StringFlag{
+		Name:  "authrpc.vhosts",
+		Usage: "Comma separated list of virtual hostnames from which to accept requests (server enforced). Accepts '*' wildcard.",
+		Value: strings.Join(node.DefaultConfig.AuthVirtualHosts, ","),
+	}
 	JWTSecretFlag = cli.StringFlag{
 		Name:  "authrpc.jwtsecret",
 		Usage: "JWT secret (or path to a jwt secret) to use for authenticated RPC endpoints",
@@ -973,10 +978,15 @@ func setHTTP(ctx *cli.Context, cfg *node.Config) {
 	if ctx.GlobalIsSet(AuthHostFlag.Name) {
 		cfg.AuthHost = ctx.GlobalString(AuthHostFlag.Name)
 	}
+
 	if ctx.GlobalIsSet(AuthPortFlag.Name) {
 		cfg.AuthPort = ctx.GlobalInt(AuthPortFlag.Name)
 	}
 
+	if ctx.GlobalIsSet(AuthVirtualHostsFlag.Name) {
+		cfg.AuthVirtualHosts = SplitAndTrim(ctx.GlobalString(AuthVirtualHostsFlag.Name))
+	}
+
 	if ctx.GlobalIsSet(HTTPCORSDomainFlag.Name) {
 		cfg.HTTPCors = SplitAndTrim(ctx.GlobalString(HTTPCORSDomainFlag.Name))
 	}

diff --git a/node/config.go b/node/config.go
@@ -145,6 +145,10 @@ type Config struct {
 	// AuthPort is the port number on which authenticated APIs are provided.
 	AuthPort int `toml:",omitempty"`
 
+	// AuthVirtualHosts is the list of virtual hostnames which are allowed on incoming requests
+	// for the authenticated api. This is by default {'localhost'}.
+	AuthVirtualHosts []string `toml:",omitempty"`
+
 	// WSHost is the host interface on which to start the websocket RPC server. If
 	// this field is empty, no websocket API endpoint will be started.
 	WSHost string

diff --git a/node/defaults.go b/node/defaults.go
@@ -52,6 +52,7 @@ var DefaultConfig = Config{
 	HTTPPort:            DefaultHTTPPort,
 	AuthHost:            DefaultAuthHost,
 	AuthPort:            DefaultAuthPort,
+	AuthVirtualHosts:    DefaultAuthVhosts,
 	HTTPModules:         []string{"net", "web3"},
 	HTTPVirtualHosts:    []string{"localhost"},
 	HTTPTimeouts:        rpc.DefaultHTTPTimeouts,

diff --git a/node/node.go b/node/node.go
@@ -444,7 +444,7 @@ func (n *Node) startRPC() error {
 		}
 		if err := server.enableRPC(apis, httpConfig{
 			CorsAllowedOrigins: DefaultAuthCors,
-			Vhosts:             DefaultAuthVhosts,
+			Vhosts:             n.config.AuthVirtualHosts,
 			Modules:            DefaultAuthModules,
 			prefix:             DefaultAuthPrefix,
 			jwtSecret:          secret,