fix(deploy_tee): stop exposing reth RPC/WS + dead prometheus port in NSG #49

Merged: samlaf merged 1 commit into main from deploy/close-nsg-ports on Jul 1, 2026
@samlaf samlaf commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

nginx terminates TLS on 443 and reverse-proxies /rpc and /ws to reth over loopback, so opening 8545/8546 in the NSG only bypassed nginx and exposed reth's --http.api all (admin/debug/txpool) to the internet in the clear. The 9090 "prometheus" rule was dead — summit's metrics are on 9002 (behind nginx /metrics/summit) and reth's on 127.0.0.1:9001. Rename OPEN_PORTS to OPEN_TCP_PORTS since the list is TCP-only (a future reth devp2p UDP discovery port would need its own list + rules). Also fix a stale RPC-method name in a comment.

@samlaf samlaf merged commit 37b2d79 into main Jul 1, 2026
1 check passed
@samlaf samlaf deleted the deploy/close-nsg-ports branch July 1, 2026 13:29
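
A host-side check that complements the NSG change described above, as an added example that is not part of this PR or the project's code: it reads `ss -H -ltn` output and reports any listener on reth's RPC/WS/metrics ports that is bound to something other than loopback. The function names, the sample listing, and the assumption that 8545, 8546 and 9001 should all be loopback-only are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the PR. Port numbers come from the PR description;
# treating all three as loopback-only is an assumption of this example.
BACKEND_PORTS="8545 8546 9001"

# Reads `ss -H -ltn` output on stdin and prints "port address" for every
# listener on a backend port whose bind address is not loopback.
nonloopback_backends() {
  awk -v ports="$BACKEND_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (!(port in want)) next              # 443 and other ports are ignored
      if (addr ~ /^127\./ || addr == "[::1]") next
      print port, addr
    }'
}

# Constructed sample listing (not captured from a real host).
sample_ss() {
  cat <<'EOF'
LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 128  127.0.0.1:8545  0.0.0.0:*
LISTEN 0 128  0.0.0.0:8546    0.0.0.0:*
LISTEN 0 128  127.0.0.1:9001  0.0.0.0:*
LISTEN 0 128  [::]:8545       [::]:*
EOF
}

# Pass --live to inspect this host; the default runs on the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ss -H -ltn | nonloopback_backends
else
  sample_ss | nonloopback_backends
fi
```

An empty result means the NSG is no longer the only control keeping these ports off the network; any line printed is a backend port that becomes reachable if a rule for it is ever reopened.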