... | ... | @@ -256,6 +256,13 @@ delete the data, and restart: |
### Incorrect certificate

Note: that procedure is out of date and kept for historical purposes
only (if we ever rotate back to this old mechanism). Since
[tpo/tpa/team#41549][], We now use standard HTTPS certificate
issuance processes and this shouldn't occur anymore.

[tpo/tpa/team#41549]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41549

If you try to connect to <https://btcpayserver.torproject.org/> and
get a self-signed cert, that is because it's not the right
server. Connect to <https://btcpay.torproject.org/> instead.
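Review bot: the historical note and the still-current advice are run together under one heading, and the hostnames conflict with the setup block further down. The paragraph "If you try to connect to <https://btcpayserver.torproject.org/> and get a self-signed cert ... Connect to <https://btcpay.torproject.org/> instead" reads as live guidance, yet it sits under a note saying the whole procedure is obsolete since [tpo/tpa/team#41549][], while the setup section still exports `BTCPAY_HOST="btcpayserver.torproject.org"`. Say explicitly whether that hostname still serves a self-signed certificate and which name is canonical, and either move the self-signed-cert paragraph above the historical note or mark it as historical too.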
... | ... | @@ -299,7 +306,7 @@ file: |
We are following the [full installation manual](https://docs.btcpayserver.org/Docker/#full-installation-for-technical-users), which is basically
this questionable set of steps:

```
```shell
mkdir BTCPayServer
cd BTCPayServer
git clone https://github.com/btcpayserver/btcpayserver-docker
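Review bot: the clone step is unpinned. `git clone https://github.com/btcpayserver/btcpayserver-docker` checks out whatever the default branch points at on the day someone runs it, so two rebuilds of the server can deploy different generator code and the page never records what was actually deployed; for a payment system, record the tag or commit that was checked out (for example a `git checkout <tag>` line after the clone, with the tag noted in the changelog) so the deployment is reproducible and a compromised or force-pushed upstream branch does not silently change what runs. The `shell` tag on the fence is a welcome fix.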
... | ... | @@ -308,17 +315,31 @@ cd btcpayserver-docker |
Then the procedure wants us to declare those:

```
```shell
export BTCPAY_HOST="btcpayserver.torproject.org"
export BTCPAY_ADDITIONAL_HOSTS="btcpayserver-02.torproject.org"
export NBITCOIN_NETWORK="mainnet"
export BTCPAYGEN_CRYPTO1="btc"
export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage-s"
export BTCPAYGEN_REVERSEPROXY="nginx"
export BTCPAYGEN_LIGHTNING=""
export BTCPAY_ENABLE_SSH=false
export BTCPAYGEN_REVERSEPROXY="nginx"
```

Update: we eventually went with our own reverse proxy deployment,
which required this as well:

```shell
export BTCPAYGEN_REVERSEPROXY="none"
export BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"
export NOREVERSEPROXY_HTTP_PORT=127.0.0.1:8080
export BTCPAYGEN_REVERSEPROXY="none"
```

This was done because of recurring issues with the container-based
Nginx proxy and the HTTPS issuance process, see [tpo/tpa/team#41549][]
for details.

We explicitly changed those settings from upstream:

* `BTCPAY_HOST` and `BTCPAY_ADDITIONAL_HOSTS`
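Review bot: `export BTCPAYGEN_REVERSEPROXY="none"` is exported twice in the update block (the first block likewise shows `BTCPAYGEN_REVERSEPROXY="nginx"` twice); drop the duplicates so a reader does not have to work out which one wins. The wording "which required this as well" is also misleading: the update block does not add to the first block, it overrides it (`"none"` replaces `"nginx"`, and the `nginx-https` fragment is excluded), so say that the second block supersedes the reverse-proxy lines of the first. Finally, `NOREVERSEPROXY_HTTP_PORT=127.0.0.1:8080` is the line that matters for security once the container nginx is gone: it keeps BTCPay's plain-HTTP listener on loopback so the only path in is the host's own TLS-terminating proxy; spell that out, since someone copying the variables without it would leave the listener bound wherever the generator's default puts it rather than on loopback.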
... | ... | @@ -328,7 +349,7 @@ We explicitly changed those settings from upstream: |
Then we launch the setup script, skipping the docker install because
that's already done by Puppet:

```
```shell
root@btcpayserver-02:~/BTCPayServer/btcpayserver-docker# . btcpay-setup.sh --docker-unavailable

-------SETUP-----------
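Review bot: `. btcpay-setup.sh --docker-unavailable` sources the script into the root shell rather than executing it, presumably so the `export`ed variables above reach it; one sentence saying so is worth adding, because it also means every variable, alias or `cd` the script performs persists in that root session. `--docker-unavailable` deserves a parenthetical too (it skips the Docker install because Puppet already manages it, as the text says), since the flag name suggests Docker is absent rather than pre-installed. The transcript stops at `-------SETUP-----------`; if the rest was trimmed on purpose, say "output elided" so it does not read as cut off.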
... | ... | @@ -505,6 +526,10 @@ following components setup (looking at |
* tor-gen, also based on [docker-gen](https://hub.docker.com/r/btcpayserver/docker-gen) to generate a config for the
above container

Update: in March 2024, the nginx, nginx-gen and
letsencrypt-nginx-proxy-companien containers were removed, see
[tpo/tpa/team#41549][].

On the previous server, this also included:

* lnd_bitcoin (for the "lighting network", based on [their image](https://hub.docker.com/r/btcpayserver/lnd))
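Review bot: the container name is misspelled: the sidecar is `letsencrypt-nginx-proxy-companion`, not "companien", and the unchanged line below has "lighting network" for "lightning network"; both are worth fixing while this paragraph is being touched, since operators grep for container names. The update also says what was removed but not what took over the two jobs those containers did (vhost generation and certificate issuance); one clause pointing at the Puppet-managed Nginx and the standard certificate issuance described earlier on the page would close that gap.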
... | ... | @@ -564,6 +589,9 @@ here: |
There's a bunch of Docker containers around this that generate
configuration and glue things together, see above.

Update: we managed to get rid of the Nginx container and its
associated sidecars, in [tpo/tpa/team#41549][].

### Storage and queues

It's unclear what is stored where. Transactions, presumably, get
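Review bot: this is the third near-identical "Update: ... [tpo/tpa/team#41549][]" note in the document (the component list and the history section carry the same sentence), and three copies will drift as the setup changes again; keep the dated entry in the history section as the single source and reduce this one and the component-list note to a one-line pointer to it, or drop them.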
... | ... | @@ -698,6 +726,10 @@ infrastructure, but in doing so, significant problems were found with |
BTCpay in particular, but also with our cryptocurrency handling in
general.

In March 2024, the Nginx configuration was split out of the
container-based setup and replaced with our standard Puppet-based
configuration, see [tpo/tpa/team#41549][].

## Security review

There was never a security review performed on BTCpay by Tor
... | ... | @@ -721,12 +753,15 @@ upgrades, backups, and basic security (e.g. firewalls) would be |
covered. This still leaves a gaping hole for the update and
maintenance of BTCpay itself.

Update: the service is now hosted on TPA infrastructure and a cron job
regularly pulls new releases.

## PII concerns

There are no efforts in BTCpay to redact PII from logs. Nginx logs
keep second-granular timestamps with full IP address and user agent
information. It's unclear how long invoices are retained in the
PostgreSQL database nor what information they contain.
There are no efforts in BTCpay to redact PII from logs. It's unclear
how long invoices are retained in the PostgreSQL database nor what
information they contain. The Nginx webserver configuration has our
standard data redaction policies in place since March 2024.

BTCpay correctly generates a one-time Bitcoin address for
transactions, so that is done correctly at least. But right next to
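Review bot: "a cron job regularly pulls new releases" closes the "gaping hole" named just above only by trusting whatever the registry or upstream repository serves at pull time, and the sentence gives a reader nothing to audit: say where the job lives, what it runs, whether it restarts the containers, and whether pulled images or tags are verified against anything (a pinned digest, a release signature) or simply taken as published; if there is no verification, state that plainly so the residual supply-chain risk stays on the record. In the PII rewrite, the removed sentence about second-granular timestamps with full IP address and user agent was the only concrete statement of what the logs hold; if the application's own logs still carry that, keep the detail rather than letting the Nginx redaction sentence imply the problem is solved.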