From 511b827bf56b7d099afdba1db25d047bea24e050 Mon Sep 17 00:00:00 2001
From: junderw
Date: Wed, 16 Aug 2023 00:44:06 -0700
Subject: [PATCH 1/5] Nginx: Ignore all internal-api paths
---
 nginx-mempool.conf | 5 +++++
 production/nginx/location-api.conf | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/nginx-mempool.conf b/nginx-mempool.conf
index 67cb15939..bc8efc59e 100644
--- a/nginx-mempool.conf
+++ b/nginx-mempool.conf
@@ -39,6 +39,11 @@
 try_files $uri $uri/ /$1/index.html =404;
 }
 
+ # any path containing .*/internal-api/.* anywhere is ignored
+ location ~ ^/.*?/internal-api/ {
+ return 404;
+ }
+
 # static API docs
 location = /api {
 try_files $uri $uri/ /en-US/index.html =404;
diff --git a/production/nginx/location-api.conf b/production/nginx/location-api.conf
index 2b2b85411..dba798719 100644
--- a/production/nginx/location-api.conf
+++ b/production/nginx/location-api.conf
@@ -2,6 +2,11 @@
 # mempool #
 ###########
 
+# any path containing .*/internal-api/.* anywhere is ignored
+location ~ ^/.*?/internal-api/ {
+ return 404;
+}
+
 # websocket has special HTTP headers
 location /api/v1/ws {
 try_files /dev/null @mempool-api-v1-websocket;
From d16773bfa02fa3a8ea2d34c820a95bf9723771a3 Mon Sep 17 00:00:00 2001
From: Mononaut
Date: Wed, 16 Aug 2023 17:54:08 +0900
Subject: [PATCH 2/5] Switch backend to use internal-api paths
---
 backend/src/api/bitcoin/esplora-api.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/src/api/bitcoin/esplora-api.ts b/backend/src/api/bitcoin/esplora-api.ts
index 0f3c6290d..368ff1978 100644
--- a/backend/src/api/bitcoin/esplora-api.ts
+++ b/backend/src/api/bitcoin/esplora-api.ts
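Review bot: The pattern `^/.*?/internal-api/` in both hunks of this patch requires at least one path segment before `/internal-api/`, so a request path that begins with `/internal-api/` is not matched, although the comment says the segment is blocked anywhere in the path; `location ~ /internal-api/ { return 404; }` would agree with the comment. nginx tries regex locations in file order, and the `/$1/index.html` context line just above the block in nginx-mempool.conf suggests an earlier regex location, so the deny rule is only reached when no earlier regex matches. Placing the block ahead of the other regex locations would make the 404 independent of their patterns. The enclosing server block lies outside the hunk, so the ordering should be confirmed there.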
@@ -214,11 +214,11 @@ class ElectrsApi implements AbstractBitcoinApi {
 }
 
 async $getMempoolTransactions(txids: string[]): Promise {
- return this.failoverRouter.$post('/mempool/txs', txids, 'json');
+ return this.failoverRouter.$post('/internal-api/mempool/txs', txids, 'json');
 }
 
 async $getAllMempoolTransactions(lastSeenTxid?: string): Promise {
- return this.failoverRouter.$get('/mempool/txs' + (lastSeenTxid ? '/' + lastSeenTxid : ''));
+ return this.failoverRouter.$get('/internal-api/mempool/txs' + (lastSeenTxid ? '/' + lastSeenTxid : ''));
 }
 
 $getTransactionHex(txId: string): Promise {
From 502a1c021e9df76aae5ab281d98a5af1cf213a2b Mon Sep 17 00:00:00 2001
From: Jonathan Underwood
Date: Mon, 28 Aug 2023 02:18:59 +0900
Subject: [PATCH 3/5] Add suggestions from wiz
Co-authored-by: wiz
---
 backend/src/api/bitcoin/esplora-api.ts | 4 ++--
 nginx-mempool.conf | 5 -----
 production/nginx/location-api.conf | 7 ++++---
 3 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/backend/src/api/bitcoin/esplora-api.ts b/backend/src/api/bitcoin/esplora-api.ts
index 368ff1978..90da93d7e 100644
--- a/backend/src/api/bitcoin/esplora-api.ts
+++ b/backend/src/api/bitcoin/esplora-api.ts
@@ -214,11 +214,11 @@ class ElectrsApi implements AbstractBitcoinApi {
 }
 
 async $getMempoolTransactions(txids: string[]): Promise {
- return this.failoverRouter.$post('/internal-api/mempool/txs', txids, 'json');
+ return this.failoverRouter.$post('/internal/mempool/txs', txids, 'json');
 }
 
 async $getAllMempoolTransactions(lastSeenTxid?: string): Promise {
- return this.failoverRouter.$get('/internal-api/mempool/txs' + (lastSeenTxid ? '/' + lastSeenTxid : ''));
+ return this.failoverRouter.$get('/internal/mempool/txs' + (lastSeenTxid ? '/' + lastSeenTxid : ''));
 }
 
 $getTransactionHex(txId: string): Promise {
diff --git a/nginx-mempool.conf b/nginx-mempool.conf
index bc8efc59e..67cb15939 100644
--- a/nginx-mempool.conf
+++ b/nginx-mempool.conf
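Review bot: `lastSeenTxid` is concatenated into the request path in `$getAllMempoolTransactions` without a format check, and after this change that path sits under the internal prefix that the nginx rules keep away from public clients. If any caller passes a value derived from a request, a guard such as `if (lastSeenTxid && !/^[0-9a-f]{64}$/i.test(lastSeenTxid)) throw new Error('invalid txid');` before the call keeps `/`, `..` and `?` out of the path. The same applies to `hash` in `$getTxsForBlock` in patch 5/5. The callers are outside these hunks, so validation may already happen upstream and should be confirmed there.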
@@ -39,11 +39,6 @@
 try_files $uri $uri/ /$1/index.html =404;
 }
 
- # any path containing .*/internal-api/.* anywhere is ignored
- location ~ ^/.*?/internal-api/ {
- return 404;
- }
-
 # static API docs
 location = /api {
 try_files $uri $uri/ /en-US/index.html =404;
diff --git a/production/nginx/location-api.conf b/production/nginx/location-api.conf
index dba798719..333877630 100644
--- a/production/nginx/location-api.conf
+++ b/production/nginx/location-api.conf
@@ -2,11 +2,12 @@
 # mempool #
 ###########
 
-# any path containing .*/internal-api/.* anywhere is ignored
-location ~ ^/.*?/internal-api/ {
+location /api/internal/ {
+ return 404;
+}
+location /api/v1/internal/ {
 return 404;
 }
-
 # websocket has special HTTP headers
 location /api/v1/ws {
 try_files /dev/null @mempool-api-v1-websocket;
From 4972f00a9690c639f3b476212e15460e4a605570 Mon Sep 17 00:00:00 2001
From: junderw
Date: Sun, 27 Aug 2023 10:28:51 -0700
Subject: [PATCH 4/5] Add internal endpoint blocking to all Nginx configs
---
 production/nginx/location-api.conf | 2 ++
 production/nginx/location-liquid-api.conf | 8 ++++++++
 production/nginx/location-liquidtestnet-api.conf | 8 ++++++++
 production/nginx/location-signet-api.conf | 8 ++++++++
 production/nginx/location-testnet-api.conf | 8 ++++++++
 5 files changed, 34 insertions(+)
diff --git a/production/nginx/location-api.conf b/production/nginx/location-api.conf
index 333877630..71afa295a 100644
--- a/production/nginx/location-api.conf
+++ b/production/nginx/location-api.conf
@@ -2,12 +2,14 @@
 # mempool #
 ###########
 
+# Block the internal APIs of esplora
 location /api/internal/ {
 return 404;
 }
 location /api/v1/internal/ {
 return 404;
 }
+
 # websocket has special HTTP headers
 location /api/v1/ws {
 try_files /dev/null @mempool-api-v1-websocket;
diff --git a/production/nginx/location-liquid-api.conf b/production/nginx/location-liquid-api.conf
index e438d1cdc..6c222c469 100644
--- a/production/nginx/location-liquid-api.conf
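Review bot: The new `location /api/internal/` and `location /api/v1/internal/` blocks in location-api.conf are plain prefix locations, which nginx sets aside whenever a regex location also matches the request. Writing them as `location ^~ /api/internal/ { return 404; }` (and the same for `/api/v1/internal/`) stops the regex search once the prefix matches, so the deny rule cannot be shadowed by a regex location elsewhere in the server block. The same applies to the per-network blocks added in patch 4/5 for liquid, liquidtestnet, signet and testnet. This patch also drops the rule from nginx-mempool.conf without a replacement; whether that config can reach the esplora internal routes is not visible here and is worth confirming.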
+++ b/production/nginx/location-liquid-api.conf
@@ -2,6 +2,14 @@
 # mempool #
 ###########
 
+# Block the internal APIs of esplora
+location /liquid/api/internal/ {
+ return 404;
+}
+location /liquid/api/v1/internal/ {
+ return 404;
+}
+
 # websocket has special HTTP headers
 location /liquid/api/v1/ws {
 rewrite ^/liquid/(.*) /$1 break;
diff --git a/production/nginx/location-liquidtestnet-api.conf b/production/nginx/location-liquidtestnet-api.conf
index 329b7e2e9..5d5be5d43 100644
--- a/production/nginx/location-liquidtestnet-api.conf
+++ b/production/nginx/location-liquidtestnet-api.conf
@@ -2,6 +2,14 @@
 # mempool #
 ###########
 
+# Block the internal APIs of esplora
+location /liquidtestnet/api/internal/ {
+ return 404;
+}
+location /liquidtestnet/api/v1/internal/ {
+ return 404;
+}
+
 # websocket has special HTTP headers
 location /liquidtestnet/api/v1/ws {
 rewrite ^/liquidtestnet/(.*) /$1 break;
diff --git a/production/nginx/location-signet-api.conf b/production/nginx/location-signet-api.conf
index 54bdc3648..8469043a8 100644
--- a/production/nginx/location-signet-api.conf
+++ b/production/nginx/location-signet-api.conf
@@ -2,6 +2,14 @@
 # mempool #
 ###########
 
+# Block the internal APIs of esplora
+location /signet/api/internal/ {
+ return 404;
+}
+location /signet/api/v1/internal/ {
+ return 404;
+}
+
 # websocket has special HTTP headers
 location /signet/api/v1/ws {
 rewrite ^/signet/(.*) /$1 break;
diff --git a/production/nginx/location-testnet-api.conf b/production/nginx/location-testnet-api.conf
index 656a705ff..9f0c41147 100644
--- a/production/nginx/location-testnet-api.conf
+++ b/production/nginx/location-testnet-api.conf
@@ -2,6 +2,14 @@
 # mempool #
 ###########
 
+# Block the internal APIs of esplora
+location /testnet/api/internal/ {
+ return 404;
+}
+location /testnet/api/v1/internal/ {
+ return 404;
+}
+
 # websocket has special HTTP headers
 location /testnet/api/v1/ws {
 rewrite ^/testnet/(.*) /$1 break;
From 2339a0771effdcb7efe446a6785d6a3cf64ed4d1 Mon Sep 17 00:00:00 2001
From: Mononaut
Date: Wed, 6 Sep 2023 08:24:30 +0900
Subject: [PATCH 5/5] Use internal /block/:hash/txs endpoint
---
 backend/src/api/bitcoin/esplora-api.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/api/bitcoin/esplora-api.ts b/backend/src/api/bitcoin/esplora-api.ts
index 90da93d7e..af021bf2e 100644
--- a/backend/src/api/bitcoin/esplora-api.ts
+++ b/backend/src/api/bitcoin/esplora-api.ts
@@ -238,7 +238,7 @@ class ElectrsApi implements AbstractBitcoinApi {
 }
 
 $getTxsForBlock(hash: string): Promise {
- return this.failoverRouter.$get('/block/' + hash + '/txs');
+ return this.failoverRouter.$get('/internal/block/' + hash + '/txs');
 }
 
 $getBlockHash(height: number): Promise {