From f36637a2157044b14727a2ea018672d8f9ceed99 Mon Sep 17 00:00:00 2001 From: memosr Date: Thu, 14 May 2026 22:22:28 +0300 Subject: [PATCH] fix: dockerfile cleanup and https for IP lookup endpoints MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two small but real fixes: 1. geth/Dockerfile (line 32) — Add missing /* to apt cache cleanup. Without the glob, the rm -rf cannot delete the directory (it's not empty), leaving all apt package index files behind and bloating the image. The reth and nethermind Dockerfiles in this repo already use the correct pattern (rm -rf /var/lib/apt/lists/*). 2. op-node-entrypoint and base-consensus-entrypoint — Convert 4 IP lookup URLs from http:// to https:// in both files. The returned IP is used directly as the node's advertised P2P address. Using HTTP means a network-level attacker could intercept the request and inject a forged IP, causing the node to broadcast a wrong address to the entire peer network. All four services (ifconfig.me, api.ipify.org, ipecho.net, v4.ident.me) support HTTPS. --- base-consensus-entrypoint | 10 +++++----- geth/Dockerfile | 2 +- op-node-entrypoint | 10 +++++----- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/base-consensus-entrypoint b/base-consensus-entrypoint index cd2801fce..ef96ac8d9 100755 --- a/base-consensus-entrypoint +++ b/base-consensus-entrypoint @@ -2,12 +2,12 @@ set -eu get_public_ip() { - # Define a list of HTTP-based providers + # Define a list of HTTPS-based providers local PROVIDERS=( - "http://ifconfig.me" - "http://api.ipify.org" - "http://ipecho.net/plain" - "http://v4.ident.me" + "https://ifconfig.me" + "https://api.ipify.org" + "https://ipecho.net/plain" + "https://v4.ident.me" ) # Iterate through the providers until an IP is found or the list is exhausted for provider in "${PROVIDERS[@]}"; do diff --git a/geth/Dockerfile b/geth/Dockerfile index c32881405..5ecaa0136 100644 --- a/geth/Dockerfile +++ b/geth/Dockerfile 
@@ -29,7 +29,7 @@ FROM ubuntu:24.04 RUN apt-get update && \ apt-get install -y jq curl supervisor && \ - rm -rf /var/lib/apt/lists + rm -rf /var/lib/apt/lists/* RUN mkdir -p /var/log/supervisor WORKDIR /app diff --git a/op-node-entrypoint b/op-node-entrypoint index 893015882..0cbadc544 100755 --- a/op-node-entrypoint +++ b/op-node-entrypoint @@ -2,12 +2,12 @@ set -eu get_public_ip() { - # Define a list of HTTP-based providers + # Define a list of HTTPS-based providers local PROVIDERS=( - "http://ifconfig.me" - "http://api.ipify.org" - "http://ipecho.net/plain" - "http://v4.ident.me" + "https://ifconfig.me" + "https://api.ipify.org" + "https://ipecho.net/plain" + "https://v4.ident.me" ) # Iterate through the providers until an IP is found or the list is exhausted for provider in "${PROVIDERS[@]}"; do
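Review bot: In base-consensus-entrypoint, changing the PROVIDERS entries to https:// protects the advertised address only if the fetch inside the `for provider in "${PROVIDERS[@]}"` loop fails closed, and that loop body is outside this hunk. Please confirm the request does not disable certificate verification and cannot be redirected back to plain HTTP (with curl, `--proto '=https'` restricts the request to HTTPS). Also confirm that a failed TLS handshake moves on to the next provider instead of yielding an empty or partial value. The loop stops at the first provider that answers, so that single response is still trusted as the node's P2P address. Validating that it is a well-formed IPv4 address before use would be a cheap addition in the same function.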
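Review bot: In geth/Dockerfile, the rationale given for this change does not match the removed line. `rm -rf /var/lib/apt/lists` is recursive and deletes the directory together with its contents, so the old form did not leave the apt index files in the image. The new `rm -rf /var/lib/apt/lists/*` is fine as a consistency change with the reth and nethermind Dockerfiles named in the commit message, and it keeps the directory itself in place, but the description should say that instead of claiming an image-size fix. The cleanup stays in the same RUN as `apt-get update`, which is what keeps the index out of the layer, so no further change is needed there.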
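Review bot: In op-node-entrypoint, this hunk is line-for-line the same edit as the one in base-consensus-entrypoint, which shows that `get_public_ip` and its PROVIDERS list are duplicated across the two entrypoints. That duplication is how a scheme or provider change can land in one script and be missed in the other. Consider moving the function into a single file that both entrypoints source, so the provider list and any hardening of the fetch live in one place. If the duplication stays, a short comment in each copy pointing at the other would at least flag that they must change together.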