btcpayserver: fix whitelist security issue
Whitelisting localhost implicitly whitelists all inbound onion connections. This prevents banning misbehaving inbound onion peers and enables message `mempool` which can cause privacy leaks. Instead, grant `download` as the single bitcoind whitelist permission, which should be safe for onion peers. Remove liquidd whitelisting because it doesn't support fine-grained permissions. After a cursory glance at the nbxplorer code I think that nbxplorer requires none of the other default whitelist permissions (noban, mempool, relay). Details: https://github.com/dgarage/NBXplorer/issues/344
parent: df2070b44a
commit: ec4a4dbe41
@ -119,7 +119,7 @@ in {
# Enable p2p connections
listen = true;
extraConfig = ''
whitelist=${nbLib.address cfg.nbxplorer.address}
whitelist=download@${nbLib.address cfg.nbxplorer.address}
'';
};
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
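Review bot: the change from a bare `whitelist=` to `whitelist=download@…` on the nbxplorer line needs an inline comment in the Nix file, because a maintainer who later sees bitcoind evicting or banning the nbxplorer peer may reach for the old full whitelist; a line such as `# Grant only 'download': a bare whitelist implies noban/mempool/relay and also covers all inbound onion peers` next to the new entry would preserve the reasoning given in the commit message. Also confirm that the bitcoind package used by this module is 0.20 or newer, the first release that accepts the `permission@address` whitelist syntax; older releases would not parse that value and would fail at startup.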
@ -128,9 +128,6 @@ in {
enable = true;
# Enable p2p connections
listen = true;
extraConfig = ''
whitelist=${nbLib.address cfg.nbxplorer.address}
'';
};
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
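Review bot: removing the liquidd `whitelist=` entirely drops not only the onion-related permissions but also the noban protection that kept nbxplorer's liquidd peer from being evicted when inbound slots fill or banned on a misbehaviour score; since liquidd cannot express `download@` here, a short comment at the removed spot stating that liquidd is intentionally left unwhitelisted (and why) would stop someone from re-adding the bare `whitelist=` later. The commit message could also say whether nbxplorer's liquidd connection was exercised with this change.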