jb55 / lnsocket

A minimal C & js library for sending messages to lightning nodes

Websockets not connecting #9

Closed lnbc1QWFyb24 closed 2 years ago

lnbc1QWFyb24 commented 2 years ago

Hey, I have tried connecting to my node in the browser via WebSocket and it refuses to connect for some reason. It works great via Node JS, but not in the browser.

I have also tried using lnlink and I get the same error. Is there anything special that needs to be done with port forwarding for the WS connection to work?

jb55 commented 2 years ago

websockets require you to add experimental-websocket-port=<portnumber>, you'll need to forward and connect to that port specifically if you want to connect over websockets. if you're accessing the page over https you'll need to use a secure websockets proxy.

here's what that looks like in nginx:

    server {
      listen 443 ssl;
      listen [::]:443 ssl;

      server_name cln.jb55.com;

      ssl_certificate /var/lib/acme/cln.jb55.com/fullchain.pem;
      ssl_certificate_key /var/lib/acme/cln.jb55.com/key.pem;

      location / {
        proxy_pass http://24.84.152.187:8324;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
      }
    }

this is the downside of using websockets, but it's just the nature of the web that forces us to do this :(

but if you're just using http then you don't need to do this.
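A way to verify that the proxy actually completes the upgrade, as an added example that is not part of lnsocket or this thread: it validates a raw HTTP reply to a WebSocket handshake the way a browser does (RFC 6455 status 101, the Upgrade/Connection headers the nginx block above forwards, and the Sec-WebSocket-Accept digest). The sample replies are constructed, not captured traffic.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455, not a secret

def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP response head into (status code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_upgrade(raw: bytes, client_key: str) -> tuple[bool, str]:
    """Validate the proxy's reply to a WebSocket upgrade request sent with client_key."""
    status, h = parse_response(raw)
    if status != 101:
        return False, f"got HTTP {status}, not 101: Upgrade/Connection headers likely not forwarded"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "Upgrade header missing or not 'websocket'"
    if "upgrade" not in h.get("connection", "").lower():
        return False, "Connection header does not contain 'upgrade'"
    if h.get("sec-websocket-accept") != expected_accept(client_key):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "upgrade accepted"

# Constructed sample exchange; key and accept value are the RFC 6455 worked example.
CLIENT_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_REPLY = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
# A plain HTTP reply, the kind a proxy that drops the Upgrade header hands back instead of 101.
BAD_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>not a websocket</html>"
```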

lnbc1QWFyb24 commented 2 years ago

Ah I see. If using http, is the traffic encrypted once the connection is established by using the lightning network for communication, or would you need to use https for that?

jb55 commented 2 years ago

On Mon, Jul 11, 2022 at 03:49:50PM -0700, Aaron Barnard wrote:

> Ah I see. If using http, is the traffic encrypted once the connection is established by using the lightning network for communication, or would you need to use https for that?

Yes all lightning connections are encrypted. This is Bolt 8.

lnbc1QWFyb24 commented 2 years ago

So no real benefit to running https?

lnbc1QWFyb24 commented 2 years ago

Got it working in the browser! Very cool man. I am thinking of building a browser SPA to control a CLN node directly for payments and node management. Could be a companion app to LN link 😉

jb55 commented 2 years ago

On Tue, Jul 12, 2022 at 11:49:08PM -0700, Aaron Barnard wrote:

> Got it working in the browser! Very cool man. I am thinking of building a browser SPA to control a CLN node directly for payments and node management. Could be a companion app to LN link 😉

awesome! I was going to do the same, but if I don't have to that would be even better :)

jb55 commented 2 years ago

On Tue, Jul 12, 2022 at 08:54:58PM -0700, Aaron Barnard wrote:

> So no real benefit to running https?

With http, there is a risk of getting man-in-the-middled by someone, so a targeted DNS hijack could swap out your js code for malicious code that steals funds. There is some value for a certificate authority here.

The web kinda sucks in this regard. In some sense https isn't required but in some sense it still is in the presence of powerful actors who control internet architecture. https still might not even save you since certs can be forged as well.

With lnlink.app you only have to trust me or apple employees to not upload malicious code to the appstore, so depending on your paranoia level it might make sense to only run opensource code locally and not have it served from anywhere.

A bigger concern is using a popular hosted lightning app that changes the code maliciously by sending the rune to their servers. I guess this is also a concern with any app that talks to lightning nodes in an authenticated manner (lnbits, etc).

For apps that require superadmin or pay rune permissions, I would be uneasy using hosted client code that can change at any time, and would prefer to host it myself on my own servers or locally. If it didn't have an option to do that I wouldn't trust it. For instance, you can host the js code to lnlink.org (a client lightning app, code: http://lnlink.org/index.js) on your own servers, so that I can't maliciously change the source and steal funds.

Well in this case it's not a concern because I only require invoice creation permissions in the rune, but it would be a bigger concern for admin apps.

So yeah there is no easy answer, it depends on your paranoia level. I am personally ok with running http but I can see why a larger node might want https.

When I find the time I was going to put together a free secure websockets proxy for cln nodes. You could encode the node info into the url and have it proxy automatically. No need to run any server code and it would be trustless.

Cheers, Will
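Since the point above turns on which permissions a rune grants, here is an added example (not lnsocket's, lnlink's or CLN's own code) that decodes a rune's restriction string and reports whether the `method` field is bounded, as in the invoice-only rune described versus an admin rune with no restrictions. The layout it parses is the runes library's (32 bytes of SHA-256 state, then `&`-separated restrictions with `|`-separated alternatives, base64url encoded); the sample runes and their state bytes are constructed.

```python
import base64
import re
import string
PUNCT = set(string.punctuation)  # a restriction's condition is the first punctuation char after the field name

def _split_restrictions(text: str) -> list[list[str]]:
    """Split the restriction string on unescaped '&' (restrictions) and '|' (alternatives)."""
    restrictions, alts, cur, i = [], [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\":                      # keep the escape pair intact for now
            cur.append(text[i:i + 2]); i += 2; continue
        if c in "&|":
            alts.append("".join(cur)); cur = []
            if c == "&":
                restrictions.append(alts); alts = []
        else:
            cur.append(c)
        i += 1
    alts.append("".join(cur))
    restrictions.append(alts)
    return restrictions

def _parse_alternative(raw: str) -> tuple[str, str, str]:
    """'field<cond>value' -> (field, cond, value); an empty field is the rune's unique id."""
    idx = next(i for i, ch in enumerate(raw) if ch in PUNCT)
    value = re.sub(r"\\(.)", r"\1", raw[idx + 1:])   # drop backslash escapes in the value
    return raw[:idx], raw[idx], value

def decode_rune(rune_b64: str) -> tuple[str, list[list[tuple[str, str, str]]]]:
    """Return (sha256-state hex, restrictions) from a base64url rune, padded or not."""
    data = base64.urlsafe_b64decode(rune_b64 + "=" * (-len(rune_b64) % 4))
    state, text = data[:32], data[32:].decode("utf-8")
    if not text:                            # no restrictions at all: full admin rune
        return state.hex(), []
    return state.hex(), [[_parse_alternative(a) for a in alts] for alts in _split_restrictions(text)]

def method_restriction(restrictions) -> list[tuple[str, str]]:
    """Conditions that bound 'method'; an empty list means the rune may call any RPC method."""
    for alts in restrictions:
        if alts and all(field == "method" for field, _, _ in alts):
            return [(cond, value) for _, cond, value in alts]
    return []

# Constructed sample runes (not real credentials): a fake 32-byte state plus restrictions.
_STATE = bytes(range(32))
INVOICE_RUNE = base64.urlsafe_b64encode(_STATE + b"=0&method=invoice|method=listinvoices&pnamedescription=coffee\\&cake").decode()
ADMIN_RUNE = base64.urlsafe_b64encode(_STATE).decode()
```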

lnbc1QWFyb24 commented 2 years ago

Thanks for the detailed answer! Yeah I am trying to think through the easiest setup for an average person running a node at home and adding nginx into the mix feels like it might be a little too much.

> When I find the time I was going to put together a free secure websockets proxy for cln nodes. You could encode the node info into the url and have it proxy automatically. No need to run any server code and it would be trustless.

That sounds interesting. Is this something people would run on their own hardware?

jb55 commented 2 years ago

On Wed, Jul 13, 2022 at 03:25:08PM -0700, Aaron Barnard wrote:

> Thanks for the detailed answer! Yeah I am trying to think through the easiest setup for an average person running a node at home and adding nginx into the mix feels like it might be a little too much.
>
> > When I find the time I was going to put together a free secure websockets proxy for cln nodes. You could encode the node info into the url and have it proxy automatically. No need to run any server code and it would be trustless.
>
> That sounds interesting. Is this something people would run on their own hardware?

nope, you wouldn't need to. it's just a trampoline to make the websockets connection work out of the box when in an https context. It could also act as a secure vpn that hides the source node ip if configured that way.

eg:

wss://proxy.lnlink.org/P46ScyNPYO0

where you pay some sats to map P46ScyNPYO0 to your hidden nodeid+ip, alternatively it could proxy it outright from the url:

wss://proxy.lnlink.org/?nodeid=03f3c108ccd536b8526841f0a5c58212bb9e6584a1eb493080e7c1cc34f82dad71&ip=24.84.152.187:8324

I'll work on this soon. I'm about to push a new version to support setting the key.

jb55 commented 2 years ago

@aaronbarnardsound I put together the proxy that I described above over here: https://github.com/jb55/ln-ws-proxy

example usage: https://tls.lnlink.org/?d=ASED88EIzNU2uFJoQfClxYISu55lhKHrSTCA58HMNPgtrXECcHJveHkubG5saW5rLm9yZy8yNC44NC4xNTIuMTg3AAMyzDYRBFhZxj9bA3kQrAYiBxmEEEGiS86PpPpTl8L9AdM9MzQmbWV0aG9kPWludm9pY2UEU2VjdXJlIEJhbmFuYQAFAAAnEAZJdCdzIHRhc3R5IGFuZCBtb3N0bHkgc2FmZSB0byBlYXQABwQ%3D&edit=1

it proxies websockets to plain-old lightning connections, it works with https, and you don't need to enable experimental-websocket-port so it should work with other lightning nodes as well. The only downside is that it's not a direct p2p connection...