lnd: optionally listen on localhost for better security

The --profile flag now accepts both a port and a host:port string.
If profile is set to a port, then pprof debugging information will
be served over localhost. Otherwise, we will attempt to serve pprof
information on the specified host:port (if we are allowed to listen
on it.)

We default to the safe option as if the port is connectable, anybody
can connect and see debugging information.

See: https://mmcloughlin.com/posts/your-pprof-is-showing
eugene
2021-03-02 17:08:31 -05:00
parent e7400dfb2b
commit 8b463fbc2b
2 changed files with 30 additions and 11 deletions

lnd.go

@@ -227,11 +227,11 @@ func Main(cfg *Config, lisCfg ListenerCfg, interceptor signal.Interceptor) error
// Enable http profiling server if requested.
if cfg.Profile != "" {
go func() {
listenAddr := net.JoinHostPort("", cfg.Profile)
profileRedirect := http.RedirectHandler("/debug/pprof",
http.StatusSeeOther)
http.Handle("/", profileRedirect)
fmt.Println(http.ListenAndServe(listenAddr, nil))
ltndLog.Infof("Pprof listening on %v", cfg.Profile)
fmt.Println(http.ListenAndServe(cfg.Profile, nil))
}()
}
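Review bot: In the profiling goroutine, `ltndLog.Infof("Pprof listening on %v", cfg.Profile)` runs before `http.ListenAndServe` has bound the socket, so the log reports a listener even when the bind fails, and the failure itself only reaches stdout through `fmt.Println`. I would log the returned error through `ltndLog` instead, and word the info line as "starting" rather than "listening". This hunk also hands `cfg.Profile` to `ListenAndServe` unchanged, so the localhost default described in the commit message has to be applied wherever the flag is validated, which is not visible here; a short comment at this call site stating that `cfg.Profile` is already a normalised host:port would make that dependency explicit. Separately, `http.Handle("/", profileRedirect)` with a `nil` handler serves `http.DefaultServeMux`, so any handler another package registers on the default mux is exposed on the same address; a dedicated `http.ServeMux` carrying only the pprof routes would keep the exposed surface to what is intended.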