API server TLS support (#1555)
* Adds `--tls-cert` and `--tls-key` command line options to provide a
certificate (chain) and key to the `hydra-node`

* API server switches to accepting TLS connections when `--tls-cert` AND
`--tls-key` are configured

* Updated docs and fixed some errors in the
https://hydra.family/head-protocol/api-reference/ introduction.
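As an added example, not code from this commit or from the Hydra project: a POSIX shell script that generates a throwaway self-signed certificate and key with `openssl` (constructed test material, not a production certificate) and checks, before the pair is handed to `--tls-cert`/`--tls-key`, that the private key really belongs to the leaf certificate and that the certificate is not about to expire. A mismatched pair or an expired certificate makes every client handshake fail, so the check belongs at deploy time. The `hydra-node` command it prints is illustrative: the flag names `--tls-cert`, `--tls-key`, `--api-host` and `--api-port` are the ones the commit and its docs name; the rest of a real invocation is assumed and omitted.

```shell
#!/usr/bin/env sh
# Added example, not part of the Hydra repository. Sanity-checks a
# certificate (chain) and key before they are handed to
#   hydra-node ... --tls-cert <cert> --tls-key <key>
# A key that does not belong to the leaf certificate, or an expired
# certificate, makes every client handshake fail, so check at deploy time.
set -eu

WORKDIR="${TMPDIR:-/tmp}/hydra-tls-example"
mkdir -p "$WORKDIR"

# Constructed test material: throwaway self-signed cert + key for localhost.
# $1 = certificate output path, $2 = private key output path.
# For a real deployment use a certificate issued for the node's hostname.
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=localhost" -keyout "$2" -out "$1" >/dev/null 2>&1
}

# check_pair CERT KEY: exit 0 when KEY is the private key of the FIRST
# certificate in CERT (the leaf of a leaf-first chain), 1 otherwise.
# Both sides are compared as SubjectPublicKeyInfo PEM, so this works for
# RSA and EC keys alike; `openssl x509` only parses the first certificate.
check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_not_expiring CERT SECONDS: exit 0 if the leaf certificate is still
# valid SECONDS from now, 1 if it has expired or will within that window.
check_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: generate the test pair, validate it, then show the node flags.
# TLS only protects the connection; the API itself stays unauthenticated,
# so the node should still bind to localhost unless something in front of
# it performs access control.
gen_selfsigned "$WORKDIR/cert.pem" "$WORKDIR/key.pem"
if check_pair "$WORKDIR/cert.pem" "$WORKDIR/key.pem" \
  && check_not_expiring "$WORKDIR/cert.pem" 3600; then
  echo "cert/key pair OK; start the node with (other flags assumed):"
  echo "  hydra-node --api-host 127.0.0.1 --api-port 4001 \\"
  echo "    --tls-cert $WORKDIR/cert.pem --tls-key $WORKDIR/key.pem"
else
  echo "refusing to use this cert/key pair" >&2
  exit 1
fi
```

When testing against a node started this way, point the client at the same file rather than disabling verification: `curl --cacert "$WORKDIR/cert.pem" https://127.0.0.1:4001/` pins the self-signed certificate, whereas `curl -k` would also accept a man-in-the-middle's certificate and tells you nothing about whether the chain you shipped is correct.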
ch1bo authored Aug 14, 2024
1 parent 30148ce commit fe2c625
Showing 12 changed files with 314 additions and 187 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -29,6 +29,8 @@ changes.

- Offline mode of `hydra-node` uses `--node-id` to derive an artificial offline `headId`. [1551](https://github.com/cardano-scaling/hydra/pull/1551)

- Add TLS support for the API server via `--tls-cert` and `--tls-key` command line options.

## [0.17.0] - 2024-05-20

- **BREAKING** Change `hydra-node` API `/commit` endpoint for committing from scripts [#1380](https://github.com/cardano-scaling/hydra/pull/1380):
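Review bot: the new changelog entry is the only one in this section without a PR link; the entry above it ends with `[1551](https://github.com/cardano-scaling/hydra/pull/1551)`, so this one should end with `[1555](https://github.com/cardano-scaling/hydra/pull/1555)` to match (the number is in the commit title).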
17 changes: 15 additions & 2 deletions docs/docs/configuration.md
Expand Up @@ -134,7 +134,7 @@ Using a _blueprint_ transaction with `/commit` offers flexibility, as `hydra-nod
For more details, refer to this [how to](./how-to/commit-blueprint) guide on committing to a head using a blueprint transaction.

## Connect to Cardano
### Connect to Cardano

The `hydra-node` must be connected to the Cardano network, unless running in [offline mode](./configuration.md#offline-mode).

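Review bot: demoting `## Connect to Cardano` (and `## Offline mode` in the next hunk) to `###` only makes sense if a `##` heading now sits above them; that parent is outside the hunk, so confirm it exists, otherwise these silently become subsections of whatever `##` precedes the `/commit` text at line 134. Existing links such as `./configuration.md#offline-mode` keep working, since the anchor is derived from the heading text, not its level.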
Expand Down Expand Up @@ -169,7 +169,7 @@ To synchronize from the genesis block, use `--start-chain-from 0`.
If the `hydra-node` already tracks a head in its `state` and `--start-chain-from` is given, the **newer** point is used.
:::

## Offline mode
### Offline mode

Hydra supports an offline mode, which allows for disabling the layer 1 interface (that is, the underlying Cardano blockchain which Hydra heads acquire funds and ultimately funds are withdrawn to). Disabling layer 1 interactions allows use cases that would otherwise require running and configuring an entire layer 1 private devnet. For example, the offline mode can be used to quickly validate a series of transactions against a UTxO, without having to spin up an entire layer 1 Cardano node.

Expand All @@ -196,3 +196,16 @@ hydra-node offline \
```

As the node is not connected to a real network, genesis parameters that normally influence things like time-based transaction validation cannot be fetched and are set to defaults. To configure block times, set `--ledger-genesis` to a Shelley genesis file similar to the [shelley-genesis.json](https://book.world.dev.cardano.org/environments/mainnet/shelley-genesis.json).

### API server

The `hydra-node` exposes an [API](/api-reference) for clients to interact with the hydra node, submit transactions to an open, but also initialize / close Hydra heads!

As the API is not authenticated by default, the node is only binding to `localhost`/`127.0.0.1` interfaces and listens on port `4001`. This can be configured using `--api-host` and `--api-port`.

:::warning
The API is not authenticated and if exposed, an open head can be easily closed through the API!
:::

The API server also supports `TLS` connections (`https://` and `wss://`) when a certificate and key are configured with `--tls-cert` and `--tls-key` respectively.

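Review bot: the TLS paragraph should say what happens when only one of `--tls-cert`/`--tls-key` is given. The commit message says TLS is enabled only when both are set, which means a typo in one flag name silently leaves the API on plain `http://`/`ws://`; either reject a half-configured pair at startup or state the fallback here. Two smaller points in the same hunk: `submit transactions to an open, but also initialize / close Hydra heads!` is missing the word `head`, and the warning above should be echoed in the TLS paragraph, since a server certificate adds confidentiality and server authentication but no client authentication, so `--tls-*` is not a reason to move `--api-host` off `127.0.0.1`. It would also help to name the expected file format (PEM) and the chain order (leaf certificate first) that the commit message's "certificate (chain)" implies.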
2 changes: 2 additions & 0 deletions hydra-cluster/src/HydraNode.hs
Expand Up @@ -365,6 +365,8 @@ withHydraNode' tracer chainConfig workDir hydraNodeId hydraSKey hydraVKeys allNo
, peers
, apiHost = "0.0.0.0"
, apiPort = fromIntegral $ 4_000 + hydraNodeId
, tlsCertPath = Nothing
, tlsKeyPath = Nothing
, monitoringPort = Just $ fromIntegral $ 6_000 + hydraNodeId
, hydraSigningKey
, hydraVerificationKeys
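Review bot: with `tlsCertPath = Nothing` and `tlsKeyPath = Nothing` hard-wired here, the cluster harness never exercises the new TLS path, so a wrong chain order or a cert/key mismatch would only surface when someone runs a real node. Consider threading an optional cert/key pair through `withHydraNode'` (defaulting to `Nothing`) and adding one test that starts a node with a generated self-signed pair and connects over `https://`/`wss://`. Note also that this harness binds `apiHost = "0.0.0.0"`, which the docs in this same commit warn against for an unauthenticated API; fine for an isolated test cluster, but worth a comment so nobody copies it into a deployment.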

0 comments on commit fe2c625