ElementsProject / lightning-charge

A simple drop-in solution for accepting lightning payments
MIT License

Doubt with lightning-charge and nanotip #55

Open bitcoinoplomo opened 5 years ago

bitcoinoplomo commented 5 years ago

I don't know if this is the right place to ask this, but the IRC channel at freenode is kinda empty. I have the following setup: a full bitcoin node and a lightning node running c-lightning. On top of my lightning node I have lightning charge and nanotip.

But in https://github.com/ElementsProject/lightning-charge it says the following

Note that Charge does not have TLS encryption and should not normally be exposed directly to the public internet. For remote access, you should setup an SSH tunnel or a TLS-enabled reverse proxy like nginx.

So I searched online and got my nanotip working using an SSH tunnel like this:

$ ssh user@external_ip -R 9000:localhost:9112 -f -N

It is working and I think I did everything right! My nanotip can be reached from the web, but to create an invoice it uses port 9000. And that port has an SSH tunnel to port 9112 of lightning charge. Is this the correct approach?

shesek commented 5 years ago

Assuming your lightning charge and your nanotip are hosted on different servers, then yes, this seems like the correct approach!

I would also make sure that port 9112 was not unintentionally made public, which you can verify by running curl http://external_ip:9112/ and seeing that it fails.

bitcoinoplomo commented 5 years ago

The lightning charge and the nanotip are on the same server, a VPS. The idea was not to have port 9112 reachable from the web, so I created an SSH tunnel between both ports (nanotip and charged) on the same server.

The output from the command you suggested is

$ curl http://external_ip:9112/
curl: (7) Failed to connect to external_ip port 9112:

And this one shows

$ curl http://external_ip:9000/
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /</pre>
</body>
</html>

This way port 9112 is not reachable from the web, as the lightning-charge README.md says:

Note that Charge does not have TLS encryption and should not normally be exposed directly to the public internet. For remote access, you should setup an SSH tunnel or a TLS-enabled reverse proxy like nginx.

So, I think lightning charge is not exposed directly to the web. And nanotip can safely create invoices.
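
A local complement to the curl check suggested in this thread, as an added example that is not part of the original issue or the lightning-charge project: it reads `ss -ltn` output and reports listeners on the Charge port (9112) or the forwarded port (9000) that are bound to a non-loopback address. The function names are hypothetical and the sample socket table is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread or the lightning-charge project).
# Real use on the server:  ss -ltn | exposed_listeners 9112 9000
# No output means every listener on those ports is bound to loopback only.

# exposed_listeners PORT...
# Reads `ss -ltn` output on stdin; prints "addr:port" for each LISTEN socket
# on one of the given ports whose local address is not a loopback address.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)          # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            sub(/%.*$/, "", addr)         # drop an interface suffix such as %lo
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr ":" port
        }'
}

# Constructed sample: Charge on loopback, forwarded port 9000 on all interfaces.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511        127.0.0.1:9112      0.0.0.0:*
LISTEN 0      128          0.0.0.0:9000      0.0.0.0:*
LISTEN 0      128             [::]:9000         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}

sample_ss_output | exposed_listeners 9112 9000
```
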