Disable TLS for gRPC? (TLS is the responsibility of a reverse proxy)

[schildbach]

I am using traefik as a reverse proxy and it handles all certificate renewals via Let's Encrypt for my setup. Thus, I'd rather not use the built-in TLS support of LND.

However, I found no way to switch off TLS or expose a non-TLS port for gRPC. For the REST API there is no-rest-tls=true, but there is no no-grpc-tls or similar.

Did I miss it, or is it planned?

[guggero]

gRPC (or more precisely, HTTP/2) doesn't really work that well without TLS. Sure, there's a protocol called h2c which stands for "HTTP/2 cleartext", but I'm not sure how widely that is supported. And just because it's generally a really bad idea to transport credentials like macaroons over cleartext, we never added that option to avoid people shooting themselves in the foot.
Sure, I can see how this would be slightly different in a reverse proxy environment. But does TLS really add that much of an overhead?

[schildbach]

But does TLS really add that much of an overhead?

You mean "add overhead" to the connection between the reverse proxy and the service (LND)? I'm not sure if such a setup is supported by the reverse proxies (traefik in my case). It would need to decrypt requests using the key the LetsEncrypt certificate is for, and encrypt using the self-signed LND public key. And the other way round for the response.

I'd be ok with such a setup, but do you think it's supported? The normal procedure is reverse proxies unwrap the encryption and send the unencrypted traffic locally. The problem with macaroons in cleartext exists for just about any protocol that has secrets of any kind.

gRPC (or more precisely, HTTP/2) doesn't really work that well without TLS.

Of course it works. TLS is a layer. The underlying protocol (gRPC, HTTP, whatever) is agnostic of that layer. It's just not secure on its own. This is why you need to secure the connection between your reverse proxy and the service, e.g. by connecting it locally via Docker.

[guggero]

I'm not sure if such a setup is supported by the reverse proxies (traefik in my case).

Yes, this should work for all common reverse proxy software. In your case see https://community.traefik.io/t/problem-using-ssl-backend-with-selfsigned-certificates/1974/9

TLS is a layer.

That's not necessarily true with newer web protocols such as HTTP/2 or HTTP/3 (QUIC). Those deeply integrate TLS and it's hard to pull them apart (that's why there's a specific sub specification for "HTTP/2 without TLS" called h2c as mentioned above). And AFAIK HTTP/3 doesn't have a version without TLS. So the layers thing has become quite blurry.

[schildbach]

Ok, I managed to configure Traefik so that it forwards LND gRPC via https (but skipping the cert verification) rather than http. I wasn't aware this is possible. It resolves my issue, but I think it could still be considered to allow disabling TLS for that service in lnd, just to simplify configuration.

I'll close this for now, thanks for your help.