From 7dc379dd058c728316aa47dcd7eee9c6074e563e Mon Sep 17 00:00:00 2001
From: Claude Agent <claude@stakesquid.eu>
Date: Tue, 5 May 2026 19:25:57 +0000
Subject: [PATCH] Rootstock: include $DOMAIN in http hosts whitelist

rskj's hosts whitelist is exact-match (no wildcards). Use HOCON env-var
substitution ${?DOMAIN} to inject the per-host public domain into the
allowed list. Pass DOMAIN env var into the container via the rskj
template.

Allowed hosts list: [localhost, 127.0.0.1, ::1, ${?DOMAIN}]
- localhost variants for direct/internal access
- DOMAIN for traefik-forwarded requests (Host header = public domain)
---
 rootstock/bamboo/node.conf                        | 4 +++-
 rootstock/mainnet/node.conf                       | 4 +++-
 rootstock/rskj/rootstock-bamboo-rskj-archive.yml  | 1 +
 rootstock/rskj/rootstock-mainnet-rskj-archive.yml | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/rootstock/bamboo/node.conf b/rootstock/bamboo/node.conf
index f41f1386..bbc9ee7d 100644
--- a/rootstock/bamboo/node.conf
+++ b/rootstock/bamboo/node.conf
@@ -11,7 +11,9 @@ rpc {
             http = {
                 enabled = true
                 bind_address = "0.0.0.0"
-                hosts = ["*"]
+                # Whitelist: include localhost variants AND the public domain.
+                # ${?DOMAIN} is HOCON env-var sub: skipped if env var is unset.
+                hosts = ["localhost", "127.0.0.1", "::1", ${?DOMAIN}]
                 port = 8545
             }
             ws = {
diff --git a/rootstock/mainnet/node.conf b/rootstock/mainnet/node.conf
index 8c0d3f43..70e61817 100644
--- a/rootstock/mainnet/node.conf
+++ b/rootstock/mainnet/node.conf
@@ -11,7 +11,9 @@ rpc {
             http = {
                 enabled = true
                 bind_address = "0.0.0.0"
-                hosts = ["*"]
+                # Whitelist: include localhost variants AND the public domain.
+                # ${?DOMAIN} is HOCON env-var sub: skipped if env var is unset.
+                hosts = ["localhost", "127.0.0.1", "::1", ${?DOMAIN}]
                 port = 8545
             }
             ws = {
diff --git a/rootstock/rskj/rootstock-bamboo-rskj-archive.yml b/rootstock/rskj/rootstock-bamboo-rskj-archive.yml
index 341811ef..221b4aba 100644
--- a/rootstock/rskj/rootstock-bamboo-rskj-archive.yml
+++ b/rootstock/rskj/rootstock-bamboo-rskj-archive.yml
@@ -52,6 +52,7 @@ services:
       - 8545
       - 8546
     environment:
+      DOMAIN: ${DOMAIN}
       RSKJ_SYS_PROPS: -Drpc.providers.web.http.bind_address=0.0.0.0
     restart: unless-stopped
     stop_grace_period: 5m
diff --git a/rootstock/rskj/rootstock-mainnet-rskj-archive.yml b/rootstock/rskj/rootstock-mainnet-rskj-archive.yml
index c1706eaf..bd40bd0b 100644
--- a/rootstock/rskj/rootstock-mainnet-rskj-archive.yml
+++ b/rootstock/rskj/rootstock-mainnet-rskj-archive.yml
@@ -52,6 +52,7 @@ services:
       - 8545
       - 8546
     environment:
+      DOMAIN: ${DOMAIN}
       RSKJ_SYS_PROPS: -Drpc.providers.web.http.bind_address=0.0.0.0
     restart: unless-stopped
     stop_grace_period: 5m