Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -1144,7 +1144,7 @@ Each SV is required to configure their cluster ingress to allow traffic from the
- `https://sv.sv.<YOUR_HOSTNAME>/api/sv` should be routed to `/api/sv` at port 5014 of service `sv-app` in the `sv` namespace.
- `https://scan.sv.<YOUR_HOSTNAME>` should be routed to service `scan-web-ui` in the `sv` namespace.
- `https://scan.sv.<YOUR_HOSTNAME>/api/scan` should be routed to `/api/scan` at port 5012 in service `scan-app` in the `sv` namespace.
- `https://scan.sv.<YOUR_HOSTNAME>/registry` should be routed to `/registry` at port 5012 in service `scan-app` in the `sv` namespace.
- `https://scan.sv.<YOUR_HOSTNAME>/registry` should be routed to `/registry` at port 5012 in service `scan-app` in the `sv` namespace. These endpoints should be publicly accessible without any IP restrictions as they are required for dApps to interact with Canton Coin.
- `https://cns.sv.<YOUR_HOSTNAME>` should be routed to service `ans-web-ui` in the `sv` namespace.
- `https://cns.sv.<YOUR_HOSTNAME>/api/validator` should be routed to `/api/validator` at port 5003 of service `validator-app` in the `sv` namespace.
- `https://sequencer-<SERIAL_ID>.sv.<YOUR_HOSTNAME>` should be routed to port 5008 of service `global-domain-<SERIAL_ID>-sequencer` in the `sv` namespace.
Expand All @@ -1156,6 +1156,15 @@ Each SV is required to configure their cluster ingress to allow traffic from the
To keep the attack surface on your SV deployment and the Global Synchronizer small, please disallow ingress connections to all other services in your SV deployment. It should be assumed that opening up *any* additional port or service represents a security risk that needs to be carefully evaluated on a case-by-case basis.
</Warning>

### Rate-limiting Public Endpoints

Because the `/registry` endpoints must be publicly accessible, you must explicitly configure your networking infrastructure to allow public traffic to these routes while rate-limiting them to prevent Denial of Service (DoS) attacks.

We recommend configuring the following rate limits for each `/registry` endpoint using your preferred rate-limiting mechanism:

* **Global rate limit:** 720 requests per minute
* **Per-IP rate limit:** 120 requests per minute

Internet ingress configuration is often specific to the network configuration and scenario of the cluster being configured. To illustrate the basic requirements of an SV node ingress, we have provided a Helm chart that configures the above cluster according to the routes above, as detailed in the sections below.

Your SV node should be configured with a url to your `global-domain-sequencer` so that other validators can subscribe to it.
Expand Down