Zebra Connections

kworks · February 8, 2024, 10:25am

I’m trying to limit a zebra node peer connections. Meaning, with a zcash node I can limit or isolate a node --connect in the zcash.conf or directly on the command line. I’ve tried using this in the zcash.conf file for zebra but maybe its in zebra’s .toml file where I must place these peer ip addresses I want to connect too??
I’m currently trying to sync a zebra node to be a prune node, again I’ve placed the prune configurations in the zcash.conf that zebra requires or should I be placing the prune configurations in the .toml file for zebra? Any examples?

Anyone

Autotunafish · February 8, 2024, 3:37pm

Correct, Zebrad does not use a zcash.conf file at all. The zebrad.toml is the configuration file and where any edits might go. You can set initial_mainnet_peers under ‘network’ but theres is currently no prune option.

If you run ‘zebrad generate’, it will output a sample file where you can see where that goes
(Maybe if you set your initial_mainnet_peers and then set peerset_initial_target_size to that number then it may limit the actual connections(?), really not sure.)

kworks · February 9, 2024, 7:22am

Hi @Autotunafish , thanks in advance.

I’ve got a fully synced zebra node & fully sync lightwalletd.

Goal: Private / Personal lightwalletd server.

I have a domain pointing to my zebra node, have acquired a letsencrypt ssl for the lightwalletd and domain, can you walk me through where the ssl cert (not for the domain) but for the lightwalletd to receive private connections.
I think the cert has to be in the lightwalletd directory? When I start the lightwalletd I use a flag --cert /path/to/cert ?

Aim1: ?
curl --user zebra99:894-2857 --data-binary ‘{“jsonrpc”: “1.0”, “id”:“curltest”, “method”: “getblockchaininfo”, “params”: }’ -H ‘content-type: text/plain;’ https://zec.me:8232/

I open port 8232 for the instance security group 8232 to my private ip address

Aim 2:
What am I missing or overlooking in order to have my zashi / zingo app be able to use my private zebra node for transacting? @pacu @zancas

Autotunafish · February 9, 2024, 12:47pm

The LWD production server instructions will explain how to use your Certificate when launching lightwalletD and opening up the proper port. If your wallet is on the same machine as your server (i.e. the easy way) then a SSL cert isn’t strictly necessary. After that, it’s simply a matter of setting the IP of the LWD server in the wallet settings.

github.com

zcash/lightwalletd/blob/master/README.md


[![pipeline status](https://gitlab.com/zcash/lightwalletd/badges/master/pipeline.svg)](https://gitlab.com/zcash/lightwalletd/commits/master)
[![codecov](https://codecov.io/gh/zcash/lightwalletd/branch/master/graph/badge.svg)](https://codecov.io/gh/zcash/lightwalletd)

# Security Disclaimer

lightwalletd is under active development, some features are more stable than
others. The code has not been subjected to a thorough review by an external
auditor, and recent code changes have not yet received security review from
Electric Coin Company's security team.

Developers should familiarize themselves with the [wallet app threat
model](https://zcash.readthedocs.io/en/latest/rtd_pages/wallet_threat_model.html),
since it contains important information about the security and privacy
limitations of light wallets that use lightwalletd.

---

# Overview

This file has been truncated. show original

pacu · February 9, 2024, 9:24pm

When you mean private is “publicly available but for my own use” or “usable only from a subnet of mine”?

I don’t think Zashi is currently allowing custom servers (you could build from source and do it) but as long as your server can be pinged from the wallet and has a valid certificate. It should be good.

Autotunafish · February 10, 2024, 9:58pm

That would seem like the production server method would be the goal and then basically only allow priveledged access to the server. I’m not immediately sure how you would rope that. If it was behind a home router it would not be advisable, even with a valid ssl cert, because it would require opening a port in your home firewall and port forwarding.
There are other ways like with wormhole but idk of any implementations for lwd.

kworks · February 11, 2024, 1:21pm

Goal: Private / Personal lightwalletd server
Background motivation: (I have & shared this concern)

sarahjamielewis: jan, 2021
“I’ll put it out there that my main concern with the current batch of lightwallet infrastructure grant requests is that I think the future needs to ere towards enabling hundreds of low cost, low trusted options rather than *tens of well maintained options with expensive maintenance costs”
source: 2 years of Lightwalletd Infra hosting & maintenance - #7 by chris-remus

When you mean private is “publicly available but for my own use” or “usable only from a subnet of mine”?
Yes. basically I want to run an ec2 instance, zebrad, lightwalletd, install the required certs, open the required security group ports to allow, zingo, ywallet (not sure nighthawk) (zashi not yet) to connect to the ip of the mobile device running the above apps.
My pain points:
Which ports do I need to open in the ec2 instance security groups? For the outside mobile device / apps to connect.
Best location for the lightwalletd ssl cert?
Lightwalletd start up script any additional --flags?
Any other suggestions welcome?

Autotunafish · February 11, 2024, 5:14pm

The run command for production lwd server sort of implies that the cert.pem and key.pem are in the local directory. I don’t have any experience with EC2 AWS so I don’t know if adjusting the security group settings is a particular requirement for it because you otherwise don’t have to do that. Outside traffic will only ever call (default) 9067, which requires your SSL cert (because https everywhere now).

You must mean adding the particular wallet devices to this security group. I don’t really have any intuition on that. This is another deployment guide. It might provide some insight with what you’re doing

github.com

free2z/zuu/blob/main/docs/lightwalletd/experimental-mainnet.md

## Setting up zcashd and lighwalletd

This guide is intended to help you setup Zcashd and lightwalletd.
Assuming a VM with 2 CPU, 8GB of RAM and 100GB of storage and Debian 11
(bullseye).
It also assumes that you are acting as a non-root user who has sudo.

### zcashd

Following the officially supported Debian/Ubuntu setup guide.
https://zcash.readthedocs.io/en/latest/rtd_pages/Debian-Ubuntu-build.html
Using the prebuilt packages:
https://zcash.readthedocs.io/en/latest/rtd_pages/install_debian_bin_packages.html

```
sudo apt-get update && sudo apt-get install apt-transport-https wget gnupg2
```

```
wget -qO - https://apt.z.cash/zcash.asc | gpg --import

This file has been truncated. show original

hanh · February 11, 2024, 8:56pm

Aws Security groups are a sets of firewall rules. In this case, you just need to allow incoming tcp on port 9067. You could also add an IP filter.

Unfortunately, lwd does not support user/password or oauth

Topic		Replies	Views
Zebra 1.9.0 Release Zebra	7	152	September 1, 2024
Zebra powered LightwalletD with Zecwallet Lite Community Collaborations	0	1087	August 26, 2022
Zebra 1.0.0 Stable Release Zebra	33	2269	March 10, 2024
New node is out! Meet Zebra 🤗 protocol	2	1161	June 17, 2019
Zebra v1.7.0 release Zebra	7	365	May 22, 2024

Zebra Connections

Related topics