Impact
The Mithril relay is implemented with Squid. If the Squid configuration is reset (e.g during an update of the software), the current recommended relay configuration could lead to block producer internal IP leakage.
If such a reset of the configuration occurs, the Squid default configuration will be applied.
This default configuration translates to: the proxy is listening on the port 3128 and is accepting traffic from local network only.
In that case, the proxy would still relay the traffic from the Cardano block producer to the aggregator, but the recommended privacy configuration would not exist anymore. This would lead to exposing the internal IP of the block producer node.
Here is the default configuration of the Squid:
$ cat /etc/squid/squid.conf.bak | grep '^[^#]'
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*.conf
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
Patches
The documentation that explains the setup of the Mithril signer and Mithril relay nodes for SPOs has been updated accordingly with the new recommended listening port for the Squid.
There is no need to update the Squid, only its configuration needs to be updated, as well as the configuration of the Mithril signer.
Workarounds
This problem is easily circumvented by using a different listening port in the Mithril Relay configuration than the 3128 port that was initially recommended: with this configuration, the Squid would simply not be accessible from the Mithril signer node and the Mithril signer node would trigger errors stating it can't reach the Mithril aggregator.
The recommended listening port is now 3132.
In order to fix the problem, here are the steps that need to be applied:
- In the
/etc/squid/squid.conf file of the Cardano relay machine, replace the http_port directive with:
# Listening port (port 3132 is recommended)
http_port 3132
- Restart the Mithril relay service with the command:
sudo systemctl restart squid
- In the
/opt/mithril/mithril-signer.env file of the Cardano block producer machine, replace the RELAY_ENDPOINT value with the updated listening port of the Mithril relay: if you have the value RELAY_ENDPOINT=http://192.168.1.50:3128, you just need to replace it with RELAY_ENDPOINT=http://192.168.1.50:3132
- Restart the Mithril signer service withe command:
sudo systemctl restart mithril-signer
References
Credit for identifying and reporting this issue goes to [email protected]
Willburn Finder
Impact
The Mithril relay is implemented with Squid. If the Squid configuration is reset (e.g during an update of the software), the current recommended relay configuration could lead to block producer internal IP leakage.
If such a reset of the configuration occurs, the Squid default configuration will be applied.
This default configuration translates to: the proxy is listening on the port
3128and is accepting traffic from local network only.In that case, the proxy would still relay the traffic from the Cardano block producer to the aggregator, but the recommended privacy configuration would not exist anymore. This would lead to exposing the internal IP of the block producer node.
Here is the default configuration of the Squid:
Patches
The documentation that explains the setup of the Mithril signer and Mithril relay nodes for SPOs has been updated accordingly with the new recommended listening port for the Squid.
There is no need to update the Squid, only its configuration needs to be updated, as well as the configuration of the Mithril signer.
Workarounds
This problem is easily circumvented by using a different listening port in the Mithril Relay configuration than the
3128port that was initially recommended: with this configuration, the Squid would simply not be accessible from the Mithril signer node and the Mithril signer node would trigger errors stating it can't reach the Mithril aggregator.The recommended listening port is now
3132.In order to fix the problem, here are the steps that need to be applied:
/etc/squid/squid.conffile of the Cardano relay machine, replace the http_port directive with:# Listening port (port 3132 is recommended) http_port 3132/opt/mithril/mithril-signer.envfile of the Cardano block producer machine, replace theRELAY_ENDPOINTvalue with the updated listening port of the Mithril relay: if you have the valueRELAY_ENDPOINT=http://192.168.1.50:3128, you just need to replace it withRELAY_ENDPOINT=http://192.168.1.50:3132References
Credit for identifying and reporting this issue goes to [email protected]