From ffe6b121bfb8123e7cc72d5d3a3019a2c4eabfa8 Mon Sep 17 00:00:00 2001
From: Samuel Laferriere <9342524+samlaf@users.noreply.github.com>
Date: Wed, 1 Jul 2026 21:27:04 +0800
Subject: [PATCH] fix(deploy_tee): stop exposing reth RPC/WS + dead prometheus port in NSG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nginx terminates TLS on 443 and reverse-proxies /rpc and /ws to reth over loopback, so opening 8545/8546 in the NSG only bypassed nginx and exposed reth's --http.api all (admin/debug/txpool) to the internet in the clear. The 9090 "prometheus" rule was dead — summit's metrics are on 9002 (behind nginx /metrics/summit) and reth's on 127.0.0.1:9001. Rename OPEN_PORTS to OPEN_TCP_PORTS since the list is TCP-only (a future reth devp2p UDP discovery port would need its own list + rules). Also fix a stale RPC-method name in a comment.
---
 deploy_tee/pulumi/seismic_node/__main__.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/deploy_tee/pulumi/seismic_node/__main__.py b/deploy_tee/pulumi/seismic_node/__main__.py
index b8cd655..a293282 100644
--- a/deploy_tee/pulumi/seismic_node/__main__.py
+++ b/deploy_tee/pulumi/seismic_node/__main__.py
@@ -57,19 +57,20 @@ def _require_str(value: str | None) -> str:
 # local testing. See README for the DCedsv6/local-NVMe caveat.
 data_disk_size_gb = cfg.get_int("data_disk_size_gb") or 32
 
-# Standard ports the TEE node needs open.
-OPEN_PORTS = [
+# Standard TCP ports the TEE node needs open.
+#
+# reth's RPC (8545) and WS (8546) are deliberately NOT here: nginx terminates
+# TLS on 443 and reverse-proxies /rpc + /ws to them over loopback.
+# Same for metrics — summit's prom + reth's metrics are nginx /metrics/*.
+OPEN_TCP_PORTS = [
 # sshd only listening in the devtools image, not in the production image.
 (22, "ssh"),
 (80, "http"),
 (443, "https"),
 # Enclave currently exposes too many things on this port: get_attestation_evidence,
- # get_purpose_keys, boot_share_root_key. We will eventually split it.
+ # get_purpose_keys, getWrappedRootKey. We will eventually split it.
 (7878, "enclave"),
 (8080, "tdx-init-config"), # one-shot listener; close after first deploy
- (9090, "prometheus"),
- (8545, "reth-rpc"),
- (8546, "reth-ws"),
 # Summit consensus P2P (commonware-p2p, TCP). Left open like
 # the other service ports — commonware authenticates peers by pubkey (only
 # the validator set completes the handshake), so admission is app-layer, and
@@ -119,7 +120,7 @@ def _require_str(value: str | None) -> str:
 destination_address_prefix="*",
 destination_port_range=str(port),
 )
- for i, (port, name) in enumerate(OPEN_PORTS)
+ for i, (port, name) in enumerate(OPEN_TCP_PORTS)
 ]
 
 nsg = azure_native.network.NetworkSecurityGroup(
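Review bot: The new comment block above OPEN_TCP_PORTS states that 8545/8546 are only reachable through nginx over loopback, but that holds only if reth itself binds 127.0.0.1, which this file does not show; if reth listens on all interfaces the NSG rule removed here is now the sole barrier, so the comment should point at where the bind address is enforced, e.g. `# Defence in depth: reth must also bind 127.0.0.1 (see <reth service config>); the NSG is only the outer layer.` Because the list is consumed blindly by the NSG rule comprehension in the second hunk, a module-level check after the closing bracket would keep a future edit from silently reopening them: `if {8545, 8546, 9001, 9002} & {p for p, _ in OPEN_TCP_PORTS}:` / `    raise ValueError("loopback-only ports must not appear in OPEN_TCP_PORTS")`. The 8080 entry is still a permanent NSG rule for what the inline comment calls a one-shot listener; if closing it after first deploy is a manual step, the comment should say so or the rule should be gated on a config flag. The list literal continues past the end of this hunk (the Summit P2P entry follows), so the guard belongs after its closing bracket.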