Trouble proxying lightwalletd for Zashi with nginx

Hi all :waving_hand:

I am trying to expose my lightwalletd node through an nginx reverse proxy so Zashi can connect. I have tried http & stream proxy modes, but in either case, when I attempt to connect with Zashi, the connection fails and I get the following error in my nginx logs:

2025/10/16 05:15:38 [error] 2730627#2730627: *13 upstream sent too large http2 frame: 4740180 while reading response header from upstream, client: my.ip.ad.dr, server: zcash.mydomain.net, request: "POST /cash.z.wallet.sdk.rpc.CompactTxStreamer/GetLightdInfo HTTP/2.0", upstream: "grpc://10.0.0.3:9068", host: "zcash.mydomain.net:9068"

This would indicate to me that Zashi is exceeding nginx’s 4MB max frame size for http/2 frames… but I’m more inclined to think I messed something up.

Does anyone here have advice for proxying Zashi to lightwalletd?

1 Like
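An added diagnostic for the error line above; this is editor-supplied example code, not something any poster in this thread wrote or ran. nginx's gRPC proxy module parses the upstream's reply as HTTP/2 frames, and the number it prints in "upstream sent too large http2 frame: N" is the 24-bit length field at the start of the frame header (RFC 7540 section 4.1). If the upstream is not actually speaking HTTP/2, N is simply the first three bytes of whatever it did send, read as a big-endian integer. The script decodes the reported value, and also includes a classifier for the first bytes of an upstream reply plus a small h2c probe that sends the same cleartext preface a `grpc://` upstream connection does; the classifier thresholds and the probe helper are the editor's own constructions, and the sample byte strings in the test are constructed, not captured traffic.

```python
"""Decode the N in nginx's "upstream sent too large http2 frame: N" error.

An HTTP/2 frame header is 9 bytes (RFC 7540 section 4.1): a 3-byte big-endian
length, a 1-byte type, a 1-byte flags field and a 4-byte stream id. nginx's
grpc module reports the length field it read, so when the upstream is not
speaking HTTP/2 that number is just the upstream's first three bytes.
"""
import socket

# Value copied from the error line in the opening post.
REPORTED_LENGTH = 4740180

# Cleartext HTTP/2 connection preface followed by an empty SETTINGS frame
# (length 0, type 4, flags 0, stream 0), i.e. what an h2c client sends first.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
H2_EMPTY_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"


def length_to_bytes(n: int) -> bytes:
    """Return the three raw bytes that nginx interpreted as the frame length."""
    if not 0 <= n < 1 << 24:
        raise ValueError("HTTP/2 frame length is a 24-bit field")
    return n.to_bytes(3, "big")


def classify_reply(first_bytes: bytes) -> str:
    """Guess which protocol an upstream is speaking from the start of its reply.

    Returns 'http2', 'http1', 'tls' or 'unknown'. Heuristic, assumed by the
    editor: a real HTTP/2 server reply begins with a SETTINGS frame on stream 0
    whose payload is a multiple of 6 bytes; an HTTP/1.x reply begins with a
    status line; a TLS record begins with content type 0x15/0x16 and version 3.x.
    """
    if len(first_bytes) < 5:
        return "unknown"
    if first_bytes.startswith(b"HTTP/1."):
        return "http1"
    if first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03 and first_bytes[2] in range(0, 5):
        return "tls"
    length = int.from_bytes(first_bytes[:3], "big")
    frame_type = first_bytes[3]
    if frame_type == 4 and length % 6 == 0 and length <= 16384:
        return "http2"
    return "unknown"


def explain(reported: int) -> str:
    """Turn the reported frame length into a human-readable interpretation."""
    raw = length_to_bytes(reported)
    if raw.isascii() and raw.isalpha():
        return (f"{reported} = 0x{reported:06x} = {raw!r}: the upstream began its reply with "
                f"text, not an HTTP/2 frame header (an HTTP/1.x status line starts with 'HTT').")
    return f"{reported} = 0x{reported:06x} = {raw!r}: looks like a genuine HTTP/2 frame length."


def probe_upstream(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the h2c preface to host:port, as nginx's grpc:// upstream does, and
    classify the first bytes that come back. Network helper, not used by the test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(H2_PREFACE + H2_EMPTY_SETTINGS)
        try:
            reply = s.recv(64)
        except socket.timeout:
            return "unknown"
    return classify_reply(reply)


if __name__ == "__main__":
    print(explain(REPORTED_LENGTH))
    # Example (placeholder address from the thread): probe_upstream("10.0.0.3", 9068)
```

Running `explain(4740180)` shows that the three length bytes spell `HTT`, which is what an HTTP/1.x status line starts with; that points at the upstream address answering in plain HTTP/1.x (or something in front of lightwalletd doing so) rather than at any frame-size limit, and `probe_upstream` lets you confirm what the upstream actually answers with before touching buffer sizes.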

Tailscale Serve works well:

3 Likes

Thanks, great write-up. I’ve always avoided tailscale, because of its control server dependency, but sounds like I need to give it a shot

… or maybe I just dive all the way in and set up headscale :sweat_smile:

2 Likes

Out of curiosity, if you are open to sharing, what motivated your wish to have your own lightwalletd?

1 Like

Perhaps a bit of an obsession with self hosting my entire digital life :sweat_smile:

But really, for me it's about reliability. I like having peace of mind that my wallet will still work even if public wallet RPCs go offline

There’s also a privacy argument: I assume wallet RPCs collect some logs (at least my IP address and connection time), and I prefer not to add my metadata to that collection

2 Likes

Thanks for the answer. I get it, I like to do it too, but this case may be different.

Consider reviewing this post:

1 Like

Tailscale working great for me, good balance of privacy/convenience, plus it's useful for other things too.

1 Like

Thanks for sharing. These are good points about my node being the gossip source for my transactions and only my transactions. You have me reconsidering my plan now.

At risk of sounding paranoid :sweat_smile:… what are your thoughts about trusting RPC operators not to sell their logs to Chainalysis? Or that those logs won’t become exposed one day in the future (e.g. new owners decide to sell the logs, data-breach, etc)? I really don’t like trusting other people with my sensitive metadata if I can avoid it

1 Like

That level of paranoia drives folks mad. Believe me :smiling_face:

Paranoia is the safest state of being around crypto. :wink:

Expect anything that can be data mined, to be data mined. It probably is. The largest operator of lightwallet servers on Zcash is @emersonian, a former (?) LE collaborator. It's counter intuitive but you do want to send your txs where most txs are processed, but while being particularly careful how you connect to it.

Fair. In Zashi, you can enable “Tor Protection”, that’s probably the highest level of privacy you can get while making a transaction in Zcash. Note that it is currently in Beta however. I personally have this option enabled and also it all goes through Mullvad VPN.

1 Like

It’s not paranoia if it’s demonstrated. Are you working with Law Enforcement @dismad ? What else can explain that you always pop up recommending people send transaction through their own lightwallet nodes after it has been demonstrated that it is not safe to do so?

That error indicates nginx’s default http2 max frame size (4MB) is being exceeded. For lightwalletd/gRPC, you need to increase this limit:

```nginx
# A server block is only valid inside the http block (or in a file included
# from it), so the two blocks are nested here rather than listed side by side.
http {
    http2_max_field_size 16k;       # obsolete since nginx 1.19.7
    http2_max_header_size 32k;      # obsolete since nginx 1.19.7
    large_client_header_buffers 4 32k;

    server {
        listen 9068 ssl http2;
        server_name zcash.mydomain.net;
        # "listen ... ssl" requires a certificate and key; paths are placeholders.
        ssl_certificate     /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;

        grpc_read_timeout 600s;
        grpc_send_timeout 600s;
        client_body_buffer_size 2M;

        location / {
            grpc_pass grpc://10.0.0.3:9068;
        }
    }
}
```

Try those adjustments and let us know if it resolves the issue.

2 Likes

Thanks for the info. TOR+Zashi it is then…

Is there any on-going effort to improve network level privacy in Zcash? e.g. Dandelion routing? I would love to spend my time improving Zcash, and that’s an area where I could be valuable.

2 Likes

Thanks for your reply. It seems nginx has a max 4MB limit, even with those overrides (at least for gRPC connections).

Are you using nginx successfully?

Improving network level privacy has always been one of the project's aspirations. It's a balancing act of giving users more default privacy and not making accessibility difficult for other users. Letting the user opt in to choose whatever other service that might enhance this, like a VPN, seems to be best. It's a question of knowing about the tools you can use on top of Zcash and how to use them. It requires staying up to speed, which is demanding.

1 Like