Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fill in init.remote_addr from front machines #2256

Closed
t-bast opened this issue May 5, 2022 · 3 comments · Fixed by #2285
Closed

Fill in init.remote_addr from front machines #2256

t-bast opened this issue May 5, 2022 · 3 comments · Fixed by #2285

Comments

@t-bast
Copy link
Member

t-bast commented May 5, 2022

When running in cluster mode, we shouldn't return the remote_addr of one of our front machines, this should be written by the front machines themselves and match the real sender's IP address.

See lightning/bolts#917 (comment)

This needs some investigation, maybe there is something else that messes things up (e.g. a load balancer's IP address being reported).
@m-schmoock
Copy link

F.y.i those are the addresses ACINQs main node (from03864ef025fde8fb587d989186ce6a4a186895ee44a926bfc370e2c366597a3f8f) reports as remote_addr

  • 13.248.123.158
  • 13.248.123.156
  • 13.248.123.155
  • 13.248.122.61
  • 13.248.122.58
  • 13.248.122.62

@pm47
Copy link
Member

pm47 commented May 13, 2022

We do preserve the client ip in cluster mode, this is actually due to us using a combination of AWS global accelerator and NLB, which is unfortunately not compatible with client ip preservation. Those ips are not internal ACINQ ips but internal AWS ips.

@m-schmoock if you use this uri: 03864ef025fde8fb587d989186ce6a4a186895ee44a926bfc370e2c366597a3f8f@34.239.230.56:9735 you will bypass AWS GA and should see your correct ip.

We can't fix that from within eclair, this is purely a deployment issue.

@m-schmoock
Copy link

m-schmoock commented May 13, 2022
edited
Loading

@pm47
Hi, good to know. That brings up two takeaways:

  • sending remote_addr should be 'turn off able' on your side if you already know that it will produce false results depending on infrastructure.
  • I need to improve CLN to ignore if some peers return 'arbitrary' remote_addr (from clients point of view). Meaning IP addresses the other peers don't report.

@m-schmoock m-schmoock mentioned this issue May 16, 2022
Merged
7 tasks
t-bast added a commit that referenced this issue May 25, 2022
@t-bast
Add option to disable sending remote addr in init
4a38cd1 
When running behind a load balancer that doesn't preserve the client source
IP address, it doesn't make sense to include the `remote-address` tlv in
our `init` message, it will contain an IP address that is completely
unrelated to our peer.

Fixes #2256
@t-bast t-bast mentioned this issue May 25, 2022
Merged
t-bast added a commit that referenced this issue May 31, 2022
@t-bast
Add option to disable sending remote addr in init (#2285)
749d92b 
When running behind a load balancer that doesn't preserve the client source
IP address, it doesn't make sense to include the `remote-address` tlv in
our `init` message, it will contain an IP address that is completely
unrelated to our peer.

Fixes #2256
evd0kim pushed a commit to standardsats/eclair that referenced this issue Jul 17, 2023
@t-bast @pm47
Add option to disable sending remote addr in init (ACINQ#2285)
d11ec5b 
When running behind a load balancer that doesn't preserve the client source
IP address, it doesn't make sense to include the `remote-address` tlv in
our `init` message, it will contain an IP address that is completely
unrelated to our peer.

Fixes ACINQ#2256
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add option to disable sending remote address in init ACINQ/eclair
3 participants
@pm47 @m-schmoock @t-bast