engine-jwt-disabled=true may bypass engine-host-allowlist
A remote (curl) client may be able to access the authenticated JSON-RPC endpoint even though the client's host should not be allowed to do so.
docker run --detach \
--name=besu \
--user=0:0 \
--restart=unless-stopped \
--network=ethnet \
-p 8545:8545 \
-p 8551:8551 \
-p 30303:30303/tcp \
-p 30303:30303/udp \
-v besu-data:/var/besu/data \
-v besu-config:/var/besu/config \
hyperledger/besu:${BESU_VERSION:-latest} \
--data-path=/var/besu/data \
--engine-jwt-secret=/var/besu/config/keys/jwt-token.txt \
--engine-host-allowlist="127.0.0.1, ${BESU_HOST_IP}, 172.*" \
--host-allowlist="127.0.0.1, ${BESU_HOST_IP}" \
--engine-jwt-disabled=true \
--rpc-http-enabled
curl --location --request POST 'http://x.x.x.x:8551' \
--header 'Authorization: Bearer 224xxx' \
--header 'Content-Type: application/json' \
--data-raw '{
"jsonrpc": "2.0",
"method": "eth_syncing",
"params": [],
"id": 1
}'
gives me ...
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"startingBlock": "0xd47c7a",
"currentBlock": "0xd49552",
"highestBlock": "0xec5e6d",
"pulledStates": "0x1744f",
"knownStates": "0x1f61d"
}
}
I would expect --engine-host-allowlist to take effect independent of --engine-jwt-disabled, hence expect to see Host not authorized
Versions (Add all that apply)
Docker image: hyperledger/besu-2.7.1
BTW, I'm using --engine-jwt-disabled=true because I can't (yet) get authorized access to the JWT endpoint (8551) to work otherwise - it always gives me Unauthorized
what do you get when you curl an engine api endpoint? e.g.
curl --location --request POST 'http://x.x.x.x:8551' \
--header 'Authorization: Bearer 224xxx' \
--header 'Content-Type: application/json' \
--data-raw '{
"jsonrpc": "2.0",
"method": "engine_exchangeTransitionConfigurationV1",
"params": [],
"id": 1
}'
With besu-22.7.2, JWT authentication seems to work. I also used an incorrect JWT in the curl request. Would you know how to generate a valid JWT - perhaps with this https://jwt.io/#debugger-io ?
No longer a valid flag - closing.