RPC Design

[ebuchman]

The Tendermint RPC endpoints evolved somewhat haphazardly and insufficient attention has been given to production concerns. We have strived to enable the default Tendermint RPC endpoints to be safe to expose over the public internet, though we in general don't recommend this. Certain endpoints leak information (#3055), while others still pose DoS vulnerabilities (#3076). Other issues suggesting the need for a larger rethink of the RPC design include:

• events: distinguish between internal consensus events and the block-level user events #3210
• Tendermint has four serialization protocols #608
• Improvements to Tendermint RPC #529
• Move unsafe_* rpc commands to independent devops server #193

There's also questions around how mature Tendermint's indexer should be, and at what point we should just stream events out to an external indexer like postgres (#1161).

Opening this issue to track discussion around the RPC, and to solicit feedback from users on what they'd like to see here.

[ebuchman]

Should have also mentioned the v0.31 work on the pubsub to not block on slow subscribers (#3227) and to limit the number of subscribers and subscriptions per subscriber (#3269)

[mdyring]

We've been using nginx successfully in production to rate-limit and filter what RPC endpoints are exposed externally. I believe other validators are doing similarly, so it might not by a major issue.

Instead of reinventing this inside of Tendermint, my suggestion is to make RPC listen on localhost:26657 by default and then give some stern warnings and guidance on how to expose it publicly.

Happy to contribute a working nginx config if so desired.

[ebuchman]

@mdyring is that to say you see no way to improve the existing RPC? :P

[mdyring]

No, not at all. Just saying "please don't reinvent nginx" :-)

I think the idea of filtering private peers from net_info could potentially be useful, in case somebody would want to expose net_info.

+1 for supporting external indexer. Perhaps indexing should be off by default, so people enable it (and consider alternatives to internal indexer) if they actually need it.

[mappum]

Just wanted to point out some things that our light-clients rely on in Lotion-land. Other than the obvious data endpoints, we also require /genesis, and future versions will discover new RPC-providing peers via /net_info.

So if /net_info is going to become private, it would be nice to have an endpoint specifically for discovering potential peer addresses/RPC ports (which could either come from the addressbook, or currently connected peers).