
feat(l1): opt-in for plaintext RPC to trusted private hosts#21

Merged
GCdePaula merged 2 commits into
mainfrom
feature/allow-insecure
Jul 2, 2026

Conversation

@GCdePaula

Collaborator

The provider rejected any non-HTTPS RPC whose host wasn't literal loopback, which broke reaching a node over a private container network (Docker/K8s service name, host.docker.internal, private-VPC IP) — e.g. http://anvil:8545. Plaintext there is normal and safe; anvil doesn't speak TLS at all.

Add --allow-insecure-rpc / CARTESI_SEQUENCER_ALLOW_INSECURE_RPC (default false) on setup/run/flush-mempool. The default stays secure — remote plaintext is refused — but an operator can explicitly opt in for a trusted private network. The opt-in is loud (warn!) and auditable (shows up in args/env), and is threaded through every provider constructor so no path can silently downgrade.

Also harden the loopback check: classify the parsed url::Host with Ipv4Addr/Ipv6Addr::is_loopback() instead of matching literal strings. This drops the [::1] bracket hack and fixes a latent bug where the whole 127.0.0.0/8 block except 127.0.0.1 was wrongly rejected.
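The hardened loopback classification and the opt-in gate described above, as an added Rust example that is not the project's code. It assumes a std-only stand-in for `url::Host`, treats the name `localhost` as loopback, and reuses the refusal message quoted later in this thread.

```rust
use std::net::{Ipv4Addr, Ipv6Addr};

/// Std-only stand-in for `url::Host` (assumption: same three shapes as the real type).
#[derive(Debug, PartialEq)]
enum Host { Domain(String), Ipv4(Ipv4Addr), Ipv6(Ipv6Addr) }
/// Minimal `scheme://[user@]host[:port][/...]` splitter; just enough for the check below.
fn split_scheme_host(url: &str) -> Result<(&str, Host), String> {
    let (scheme, rest) = url.split_once("://").ok_or("missing scheme")?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    let authority = authority.rsplit('@').next().unwrap_or(authority);
    let host = if let Some(bracketed) = authority.strip_prefix('[') {
        // Brackets are URL syntax around an IPv6 literal, not part of the address,
        // so the address is parsed rather than string-matched against "[::1]".
        let end = bracketed.find(']').ok_or("unterminated IPv6 literal")?;
        let v6 = bracketed[..end].parse::<Ipv6Addr>().map_err(|e| format!("bad IPv6: {e}"))?;
        Host::Ipv6(v6)
    } else {
        let name = authority.rsplit_once(':').map_or(authority, |(h, _)| h);
        match name.parse::<Ipv4Addr>() {
            Ok(v4) => Host::Ipv4(v4),
            Err(_) => Host::Domain(name.to_ascii_lowercase()),
        }
    };
    Ok((scheme, host))
}
/// Loopback by address class, so all of 127.0.0.0/8 and ::1 qualify, not only the
/// literal "127.0.0.1". Treating the name "localhost" as loopback is an assumption.
fn is_loopback(host: &Host) -> bool {
    match host {
        Host::Ipv4(v4) => v4.is_loopback(),
        Host::Ipv6(v6) => v6.is_loopback(),
        Host::Domain(name) => name.as_str() == "localhost",
    }
}
/// Policy: https always; plaintext only to loopback unless the operator opted in.
fn check_rpc_url(url: &str, allow_insecure_rpc: bool) -> Result<(), String> {
    let (scheme, host) = split_scheme_host(url)?;
    match scheme {
        "https" => Ok(()),
        "http" if is_loopback(&host) => Ok(()),
        "http" if allow_insecure_rpc => {
            // Loud and auditable: the downgrade happens only behind the explicit flag.
            eprintln!("WARN: plaintext RPC to {host:?} allowed by --allow-insecure-rpc");
            Ok(())
        }
        "http" => Err(format!("remote RPC must use https (plaintext to {host:?} refused)")),
        other => Err(format!("unsupported RPC scheme {other}")),
    }
}
```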

endersonmaia previously approved these changes Jul 2, 2026

@endersonmaia endersonmaia left a comment

Contributor


LGTM

Address PR review feedback: spell out that
`CARTESI_SEQUENCER_ALLOW_INSECURE_RPC` is not pinned into the DB at
`setup` — it must be set on every L1-dialing subcommand (`setup`, `run`,
`flush-mempool`), and omitting it on `run` after a successful `setup`
fails loud (`remote RPC must use https`) by design, not a bug. Add a
Docker Compose snippet showing it in the shared environment.

@stephenctw stephenctw left a comment

Collaborator


LGTM!

@GCdePaula GCdePaula merged commit 993d331 into main Jul 2, 2026
8 checks passed
@GCdePaula GCdePaula deleted the feature/allow-insecure branch July 2, 2026 13:53