From 53697cb40d53b5b757bbad30332dbddf0bbef6a9 Mon Sep 17 00:00:00 2001
From: Claude Agent <claude@stakesquid.eu>
Date: Tue, 5 May 2026 19:06:31 +0000
Subject: [PATCH] Rootstock: override RSKJ_SYS_PROPS to allow Host: * in http
 whitelist

The rsksmart/rskj:VETIVER-9.0.1 image bakes an env var:
  RSKJ_SYS_PROPS=-Drpc.providers.web.http.bind_address=0.0.0.0
                 -Drpc.providers.web.http.hosts.0=localhost
                 -Drpc.providers.web.http.hosts.1=127.0.0.1
                 -Drpc.providers.web.http.hosts.2=::1

These JVM -D system properties take precedence over /etc/rsk/node.conf
in HOCON, so the Host whitelist always resolves to {localhost,127.0.0.1,::1}.

Result: traefik routing to rskj at IP rootstock-mainnet-client:8545
arrives with Host header that doesn't match those three. rskj returns
HTTP 400, traefik translates to 502 Bad Gateway.

Override the env var in the compose template so the http hosts whitelist
contains '*' (any host). Traefik's ipallowlist middleware is the actual
gatekeeper. Affects rootstock-mainnet AND rootstock-bamboo.
---
 rootstock/rskj/rootstock-bamboo-rskj-archive.yml  | 2 ++
 rootstock/rskj/rootstock-mainnet-rskj-archive.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/rootstock/rskj/rootstock-bamboo-rskj-archive.yml b/rootstock/rskj/rootstock-bamboo-rskj-archive.yml
index 3160b98b..02552bcc 100644
--- a/rootstock/rskj/rootstock-bamboo-rskj-archive.yml
+++ b/rootstock/rskj/rootstock-bamboo-rskj-archive.yml
@@ -51,6 +51,8 @@ services:
     expose:
       - 8545
       - 8546
+    environment:
+      RSKJ_SYS_PROPS: -Drpc.providers.web.http.bind_address=0.0.0.0 -Drpc.providers.web.http.hosts.0=*
     restart: unless-stopped
     stop_grace_period: 5m
     networks:
diff --git a/rootstock/rskj/rootstock-mainnet-rskj-archive.yml b/rootstock/rskj/rootstock-mainnet-rskj-archive.yml
index d51c8506..92e6b37d 100644
--- a/rootstock/rskj/rootstock-mainnet-rskj-archive.yml
+++ b/rootstock/rskj/rootstock-mainnet-rskj-archive.yml
@@ -51,6 +51,8 @@ services:
     expose:
       - 8545
       - 8546
+    environment:
+      RSKJ_SYS_PROPS: -Drpc.providers.web.http.bind_address=0.0.0.0 -Drpc.providers.web.http.hosts.0=*
     restart: unless-stopped
     stop_grace_period: 5m
     networks: