README
¶
L402 (Lightning HTTP 402) API Key proxy
Aperture is your portal to the Lightning-Native Web. Aperture is used in production today by Lightning Loop, a non-custodial on/off ramp for the Lightning Network.
Aperture is a HTTP 402 reverse proxy that supports proxying requests for gRPC (HTTP/2) and REST (HTTP/1 and HTTP/2) backends using the L402 Protocol Standard. L402 is short for: the Lightning HTTP 402 protocol. L402 combines HTTP 402, macaroons, and the Lightning Network to create a new standard for authentication and paid services on the web.
L402 is a new standard protocol for authentication and paid APIs developed by Lightning Labs. L402 API keys can serve both as authentication, as well as a payment mechanism (one can view it as a ticket) for paid APIs. In order to obtain a token, we require the user to pay us over Lightning in order to obtain a preimage, which itself is a cryptographic component of the final L402 token
The implementation of the authentication token is chosen to be macaroons, as they allow us to package attributes and capabilities along with the token. This system allows one to automate pricing on the fly and allows for a number of novel constructs such as automated tier upgrades. In another light, this can be viewed as a global HTTP 402 reverse proxy at the load balancing level for web services and APIs.
Installation / Setup
lnd
- Make sure
lndports are reachable.
aperture
- Compilation requires go
1.19.xor later. - To build
aperturein the current directory, runmake buildand then copy the file./aperturefrom the local directory to the server. - To build and install
aperturedirectly on the machine it will be used, run themake installcommand which will place the binary into your$GOPATH/binfolder. - Make sure port
8081is reachable from outside (or whatever port we choose, could also be 443 at some point) - Make sure there is a valid
tls.certandtls.keyfile located in the~/.aperturedirectory that is valid for the domain that aperture is running on. Aperture doesn't support creating its own certificate through Let's Encrypt yet. If there is notls.certandtls.keyfound, a self-signed pair will be created. - Make sure all required configuration items are set in
~/.aperture/aperture.yaml, compare withsample-conf.yaml. - Start aperture without any command line parameters (
./aperture), all configuration is done in the~/.aperture/aperture.yamlfile.
Documentation
¶
Index ¶
- Constants
- func DefaultSqliteConfig() *aperturedb.SqliteConfig
- func Main()
- func SetupLoggers(root *build.SubLoggerManager, intercept signal.Interceptor)
- func StartPrometheusExporter(cfg *PrometheusConfig) error
- type Aperture
- type AuthConfig
- type Config
- type EtcdConfig
- type HashMailConfig
- type PrometheusConfig
- type TorConfig
Constants ¶
View Source
const ( // DefaultMsgRate is the default message rate for a given mailbox that // we'll allow. We'll allow one message every 500 milliseconds, or 2 // messages per second. DefaultMsgRate = time.Millisecond * 500 // DefaultMsgBurstAllowance is the default burst rate that we'll allow // for messages. If a new message is about to exceed the burst rate, // then we'll allow it up to this burst allowance. DefaultMsgBurstAllowance = 10 // DefaultStaleTimeout is the time after which a mailbox will be torn // down if neither of its streams are occupied. DefaultStaleTimeout = time.Hour // DefaultBufSize is the default number of bytes that are read in a // single operation. DefaultBufSize = 4096 )
View Source
const Subsystem = "APER"
Variables ¶
This section is empty.
Functions ¶
func DefaultSqliteConfig ¶
func DefaultSqliteConfig() *aperturedb.SqliteConfig
DefaultSqliteConfig returns the default configuration for a sqlite backend.
func SetupLoggers ¶
func SetupLoggers(root *build.SubLoggerManager, intercept signal.Interceptor)
SetupLoggers initializes all package-global logger variables.
func StartPrometheusExporter ¶
func StartPrometheusExporter(cfg *PrometheusConfig) error
StartPrometheusExporter registers all relevant metrics with the Prometheus library, then launches the HTTP server that Prometheus will hit to scrape our metrics.
Types ¶
type Aperture ¶
type Aperture struct {
// contains filtered or unexported fields
}
Aperture is the main type of the aperture service. It holds all components that are required for the authenticating reverse proxy to do its job.
func NewAperture ¶
NewAperture creates a new instance of the Aperture service.
func (*Aperture) UpdateServices ¶
UpdateServices instructs the proxy to re-initialize its internal configuration of backend services. This can be used to add or remove backends at run time or enable/disable authentication on the fly.
type AuthConfig ¶
type AuthConfig struct {
Network string `` /* 144-byte string literal not displayed */
Disable bool `long:"disable" description:"Whether to disable auth."`
// LndHost is the hostname of the LND instance to connect to.
LndHost string `long:"lndhost" description:"Hostname of the LND instance to connect to"`
TLSPath string `long:"tlspath" description:"Path to LND instance's tls certificate"`
MacDir string `long:"macdir" description:"Directory containing LND instance's macaroons"`
// The one-time-use passphrase used to set up the connection. This field
// identifies the connection that will be used.
Passphrase string `long:"passphrase" description:"the lnc passphrase"`
// MailboxAddress is the address of the mailbox that the client will
// use for the LNC connection.
MailboxAddress string `long:"mailboxaddress" description:"the host:port of the mailbox server to be used"`
// DevServer set to true to skip verification of the mailbox server's
// tls cert.
DevServer bool `long:"devserver" description:"set to true to skip verification of the server's tls cert."`
}
type Config ¶
type Config struct {
// ListenAddr is the listening address that we should use to allow Aperture
// to listen for requests.
ListenAddr string `long:"listenaddr" description:"The interface we should listen on for client requests."`
// ServerName can be set to a fully qualifying domain name that should
// be used while creating a certificate through Let's Encrypt.
ServerName string `long:"servername" description:"Server name (FQDN) to use for the TLS certificate."`
// AutoCert can be set to true if aperture should try to create a valid
// certificate through Let's Encrypt using ServerName.
AutoCert bool `long:"autocert" description:"Automatically create a Let's Encrypt cert using ServerName."`
// Insecure can be set to disable TLS on incoming connections.
Insecure bool `long:"insecure" description:"Listen on an insecure connection, disabling TLS for incoming connections."`
// StaticRoot is the folder where the static content served by the proxy
// is located.
StaticRoot string `long:"staticroot" description:"The folder where the static content is located."`
// ServeStatic defines if static content should be served from the
// directory defined by StaticRoot.
ServeStatic bool `long:"servestatic" description:"Flag to enable or disable static content serving."`
// DatabaseBackend is the database backend to be used by the server.
DatabaseBackend string `` /* 145-byte string literal not displayed */
// Sqlite is the configuration section for the SQLite database backend.
Sqlite *aperturedb.SqliteConfig `group:"sqlite" namespace:"sqlite"`
// Postgres is the configuration section for the Postgres database backend.
Postgres *aperturedb.PostgresConfig `group:"postgres" namespace:"postgres"`
// Etcd is the configuration section for the Etcd database backend.
Etcd *EtcdConfig `group:"etcd" namespace:"etcd"`
// Authenticator is the configuration section for connecting directly
// to the LND node.
Authenticator *AuthConfig `group:"authenticator" namespace:"authenticator"`
Tor *TorConfig `group:"tor" namespace:"tor"`
// Services is a list of JSON objects in string format, which specify
// each backend service to Aperture.
Services []*proxy.Service `long:"service" description:"Configurations for each Aperture backend service."`
// HashMail is the configuration section for configuring the Lightning
// Node Connect mailbox server.
HashMail *HashMailConfig `group:"hashmail" namespace:"hashmail" description:"Configuration for the Lightning Node Connect mailbox server."`
// Prometheus is the config for setting up an endpoint for a Prometheus
// server to scrape metrics from.
Prometheus *PrometheusConfig `` /* 129-byte string literal not displayed */
// DebugLevel is a string defining the log level for the service either
// for all subsystems the same or individual level by subsystem.
DebugLevel string `long:"debuglevel" description:"Debug level for the Aperture application and its subsystems."`
// ConfigFile points aperture to an alternative config file.
ConfigFile string `long:"configfile" description:"Custom path to a config file."`
// BaseDir is a custom directory to store all aperture flies.
BaseDir string `long:"basedir" description:"Directory to place all of aperture's files in."`
// Profile is the port on which the pprof profile will be served.
Profile uint16 `long:"profile" description:"Enable HTTP profiling on given port -- NOTE port must be between 1024 and 65535"`
// IdleTimeout is the maximum amount of time a connection may be idle.
IdleTimeout time.Duration `long:"idletimeout" description:"The maximum amount of time a connection may be idle before being closed."`
// ReadTimeout is the maximum amount of time to wait for a request to
// be fully read.
ReadTimeout time.Duration `long:"readtimeout" description:"The maximum amount of time to wait for a request to be fully read."`
// WriteTimeout is the maximum amount of time to wait for a response to
// be fully written.
WriteTimeout time.Duration `long:"writetimeout" description:"The maximum amount of time to wait for a response to be fully written."`
// InvoiceBatchSize is the number of invoices to fetch in a single
// request.
InvoiceBatchSize int `long:"invoicebatchsize" description:"The number of invoices to fetch in a single request."`
// Logging controls various aspects of aperture logging.
Logging *build.LogConfig `group:"logging" namespace:"logging"`
// Blocklist is a list of IPs to deny access to.
Blocklist []string `long:"blocklist" description:"List of IP addresses to block from accessing the proxy."`
}
type EtcdConfig ¶
type HashMailConfig ¶
type HashMailConfig struct {
Enabled bool `long:"enabled"`
MessageRate time.Duration `long:"messagerate" description:"The average minimum time that should pass between each message."`
MessageBurstAllowance int `long:"messageburstallowance" description:"The burst rate we allow for messages."`
StaleTimeout time.Duration `long:"staletimeout" description:"The time after the last activity that a mailbox should be removed. Set to -1s to disable. "`
}
type PrometheusConfig ¶
type PrometheusConfig struct {
// Enabled, if true, then Prometheus metrics will be exported.
Enabled bool `long:"enabled" description:"if true prometheus metrics will be exported"`
// ListenAddr is the listening address that we should use to allow the
// main Prometheus server to scrape our metrics.
ListenAddr string `long:"listenaddr" description:"the interface we should listen on for prometheus"`
}
PrometheusConfig is the set of configuration data that specifies if Prometheus metric exporting is activated, and if so the listening address of the Prometheus server.
type TorConfig ¶
type TorConfig struct {
Control string `long:"control" description:"The host:port of the Tor instance."`
ListenPort uint16 `` /* 226-byte string literal not displayed */
VirtualPort uint16 `long:"virtualport" description:"The port through which the onion services created can be reached at."`
V3 bool `long:"v3" description:"Whether we should listen for client requests through a v3 onion service."`
}
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.