Chia-Network / chia-blockchain

Chia blockchain python implementation (full node, farmer, harvester, timelord, and wallet)
Apache License 2.0

Connecting to FQDN peers with SNI is broken #17923

Open felixbrucker opened 2 months ago

felixbrucker commented 2 months ago

Currently, when an FQDN is used to connect to a peer which requires SNI to correctly route the request to the host, no connection can be established. This is due to chia itself resolving the host and using the resulting IP to connect to it, breaking SNI.

wjblanke commented 2 months ago

aiohttp 3.9 supports SNI, so maybe it can be added

https://github.com/aio-libs/aiohttp/pull/7543

What feature are you trying to implement exactly felix?

felixbrucker commented 2 months ago

I wanted to connect to a full node behind Cloudflare, but it would be the same for users trying to connect to one behind nginx, given that they host multiple servers on the same port, for example 443. This however is currently broken and does not work, as the correct endpoint to connect to cannot be mapped, as that info is missing (because it connects to the resolved IP instead of connecting to the hostname in the config and letting the library handle resolving and properly connecting to it).

felixbrucker commented 2 months ago

I did some testing, I think there are two approaches to solve this:

Currently aiohttp cannot set the server_hostname for ws_connect, see https://github.com/aio-libs/aiohttp/pull/7942 (has been on main for 6 months)
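Added illustration of the failure described above (not code from this thread or from chia-blockchain): it starts a TLS client handshake into memory BIOs and parses the resulting ClientHello to show that the SNI extension carries the name only when the TLS layer is handed the FQDN; hand it the pre-resolved IP literal and no SNI is sent, so a name-based proxy such as Cloudflare or nginx has nothing to route on. The hostname and address below are constructed placeholders.

```python
import ssl
import struct


def client_hello_sni(server_hostname):
    """Begin a client handshake into memory BIOs (no network needed) and return
    the host_name in the ClientHello's SNI extension, or None if it is absent."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is now in `outgoing`; no server ever answers here
    return parse_sni(outgoing.read())


def parse_sni(record):
    """Walk a TLS ClientHello (single record) and pull out the SNI host_name."""
    body = record[5:]  # skip the 5-byte record header (type, version, length)
    assert body[0] == 1, "not a ClientHello handshake message"
    pos = 4 + 2 + 32  # handshake header, client_version, random
    pos += 1 + body[pos]  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]  # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos < end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list length(2), name type(1), name length(2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += length
    return None


if __name__ == "__main__":
    # Constructed examples: connecting by FQDN vs. by the address chia resolved first.
    print(client_hello_sni("node.example.com"))  # node.example.com
    print(client_hello_sni("203.0.113.10"))      # None (IP literals are never sent as SNI)
```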

wjblanke commented 2 months ago

Is this just farmers trying to connect to a node or do you want node-node traffic working like this?

felixbrucker commented 2 months ago

I'd love to see it work for both, but primary is farmer to node

wjblanke commented 2 months ago

Looks like we need a new release of main aiohttp as well

wjblanke commented 2 months ago

We can probably get farmer to node working

felixbrucker commented 2 months ago

For the ugly way, yes

I'd much prefer the correct way

wjblanke commented 2 months ago

Node-node gossip may be an issue. I think it only supports IP. The bigger issue is the current strategy for nodes is to resolve as early as possible, so this is the opposite of that.

felixbrucker commented 2 months ago

Yeah, resolving happens in chia-blockchain before connecting, and it makes sense for network-based configs, like determining if a peer is trusted/whitelisted etc., but I'm not sure for which other reasons this might happen, or is even needed.

wjblanke commented 4 days ago

In the interim, would running a proxy work to map the IP connections to a domain name? It's kludgy but should work

felixbrucker commented 4 days ago

Nope, because if you map IP to domain in a proxy you could just host on the IP itself in the first place, which is not desired and possible in my case.

jack60612 commented 4 days ago

It is in our backlog as I mentioned in Discord, not sure if this is an especially high-priority issue however.