How to Encrypt & Restrict RPC Communication to Trusted Clients

[zicklag]

Hi folks!

I'm investigating Substrate as a solution for building a server automation platform. In my case I'd be using substrate as a permissioned chain that is run on a set of nodes deployed by a single user/organization.

My goal is to have all communication with the blockchain be end-to-end encrypted allowing only trusted administrators be able to communicate over the JSON RPC.

I can implement the encryption myself, but the way the substrate services are setup doesn't seem to give me a good way to inject my own middleware before requests are parsed by the JSON RPC server.

I want to be able to run the websocket server myself and create a workflow with a simple handshake that will encrypt messages using the node's key and the crypto_secretstream crate, and I also need to be able to read blockchain data to determine whether or not the person connecting to the RPC endpoint is an admin with a public key registered on the chain.

---

Is there any way to do something similar to what I describe with existing substrate tools, or any path you could suggest that would have the least resistance to me implementing something along those lines?

[xlc]

Just setup some reserve proxy for ssl and some access control?

[zicklag]

Thanks for the reply! I thought about a reverse proxy and that would probably work, but I was just hoping there was a more integrated way.

It looks like I found a solution, though, #10917 (comment).

[zicklag]

Ah, nevermind, I think I just figured it out!

In the node template we have:

let _rpc_handlers = sc_service::spawn_tasks(sc_service::SpawnTasksParams {
		network: network.clone(),
		client: client.clone(),
		keystore: keystore_container.sync_keystore(),
		task_manager: &mut task_manager,
		transaction_pool: transaction_pool.clone(),
		rpc_extensions_builder,
		backend,
		system_rpc_tx,
		config,
		telemetry: telemetry.as_mut(),
	})?;

The rpc_handlers object can be used to send and receive requests from the RPC server. I can create my custom websocket server separately and then send it the decrypted requests using the rpc_handlers struct.

Then all I have to do is set the Configuration so that the default RPC servers on WS and HTTP aren't run and I'm all set!