-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Act as HTTP PROXY for http://<cidv1b32>.ipfs.localhost #5982
Comments
@eingenito @Stebalien curious if you've gotten a chance to look at this and the related companion issue: ipfs/ipfs-companion#678 |
Just stumbled on this and wanted to point out that you should not use Otherwise great proposal, I love the idea of this. 👍 |
|
IMO, redirecting all domains with an |
@Stebalien Is there a specific reason why you feel this way?
go-ipfs would do the same validation on its side, and return HTTP 403 if URL is not valid. Unfortunately use of
As noted by @da2x, |
Well, I'm not all that happy with hijacking all However, in the proxy case, this would be a pretty big security issue: I'd be able to run arbitrary javascript on a subdomain of anyone's website. This can be used to mess with cookies (subdomains can set cookies that apply to the root domain). Really, we need to:
Alternatively, we could always redirect to Qm.ipfs.localhost (although that doesn't completely fix the super-cookie issue).
Hm. Yeah, I forgot HTTP proxies can't do anything about this. What if we redirect? That is, what if the companion redirects https to http (when proxying is enabled)? Unfortunately, that has some UX issues (looks insecure).
This is actually why I want this. The current redirect is annoying from a UX standpoint as localhost links won't "just work". If we're worried about telling the user that we're serving the resource from the local IPFS node, we can put something in the urlbar. |
@Stebalien I absolutely agree we shouldn't spoof domains of other people. If subdomain passes validation we would redirect to a subdomain under our specific domain before serving the content, just like we redirect paths. (The purpose of HTTP Proxy here is to provide a vanity hostname for local gateway in a way that works across all platforms). This specific domain should be configurable via As for picking a specific domain, Especially if we are unable to convince browser vendors to make I'm good with either, as long we move in the right direction.
ps. We are tracking adding dweb.link to publicsuffix.org in ipfs/infra#83 (comment) |
So would the companion redirect other domains to, e.g.,
That's basically what I was planning on doing. My objection was to:
(i.e., having go-ipfs act as a blind proxy for these addresses). |
Correct. 👍
It's my fault, I made a mental shortcut while explaining the intent. Just like you said, we will not do a blind proxy, browser extension will redirect to a specific domain. Proxy will only work for domain(s) specified in config. Everything else requested in proxy mode will get HTTP 400 Bad Request. Regular requests will work without any change. |
SGTM. |
If user is required to configure proxy for his browser then he won't be able to use any other proxy (naked proxy or via a browser extension). E.g., user won't be able to use proxies/extensions aimed for bypassing censorship. What would you say about another approach -- installing or configuring caching dns server on a client like, e.g., Dnsmasq? Is this approach worth it? |
@ilyaigpetrov HTTP proxy does not need to be global: browser extension is able to set proxy only for |
PoC right now, but you get the idea. ``` ⨎ curl -v --proxy 'http://127.0.0.1:8180' 'http://bafybeih4mncb4apdnrvbnqkicldf74sfstykoryzi7noaf4njxkiuflnay.ipfs.localhost/658.png' > 658.png % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1... * TCP_NODELAY set * Connected to 127.0.0.1 (127.0.0.1) port 8180 (#0) > GET http://bafybeih4mncb4apdnrvbnqkicldf74sfstykoryzi7noaf4njxkiuflnay.ipfs.localhost/658.png HTTP/1.1 > Host: bafybeih4mncb4apdnrvbnqkicldf74sfstykoryzi7noaf4njxkiuflnay.ipfs.localhost > User-Agent: curl/7.54.0 > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 200 OK < content-type: application/octet-stream < cache-control: no-cache < Date: Fri, 12 Jul 2019 14:20:44 GMT < Connection: keep-alive < Transfer-Encoding: chunked < { [16211 bytes data] 100 853k 0 853k 0 0 30.0M 0 --:--:-- --:--:-- --:--:-- 30.8M * Connection #0 to host 127.0.0.1 left intact ``` refs ipfs/kubo#5982 License: MIT Signed-off-by: Alan Shaw <alan.shaw@protocol.ai>
@lidel, as far as I know proxy setting in Chromium may be set only for one extension, in the settings of your Chromium you will see "Proxy is controlled by <extension name>". You can't set proxy in one extension for a few sites and also set proxy for other sites in another extension. Even if you use PAC-script then it may be controlled only by one extension. Please, let me know if you need a proof of my words and I will make two extensions that try to control proxy settings at the same time for different sites. I don't like the idea of browser extension because, well, there is possibility that I will want to access some file on ipns without any browser and ipfs mounts may be unavailable because of absence of the fuse library. I will try to come up with some more realistic use case for it later. And I also want to ask you: what if we will provide user with both approaches: proxy and local dns -- and user will choose what he wants. |
Extensions running in Firefox have access to much better API called Note the goal of proxy mode is to improve UX in scenarios where DNS solution is not feasible. For most users basic support for subdomain gateway (#6498) will be enough, it will just have bit uglier URLs that include custom port. In systems where |
This comment has been minimized.
This comment has been minimized.
HTTP proxy support in ipfs-companion (for |
Version information:
0.4.18
Type:
feature
Description:
Problem
CID-in-subdomain creates Origin-based isolation if website is loaded from public gateway:
..however we continue to have a single Origin for all websites loaded from local gateway:
This means use of local gateway decreases some of security guarantees web developers are used to, and removes some incentives to run local go-ipfs (and redirect to it via ipfs-companion).
Solution
What if go-ipfs could act as HTTP PROXY for requests made to
http://*.ipfs.*/
andhttp://*.ipns.*/
?Having that, IPFS Companion could automatically set Gateway port as PROXY for requests to
http://*.ipfs.localhost
, which would create very nice URLs for local gateway, solving the Origin problem for local go-ipfs 👌Initial look at technical feasibility
My hope is that we could keep changes to minimum and reuse Gateway port to also act as HTTP PROXY for requests to
*.ipfs.localhost
.In other words, in addition to regular HTTP GET:
Gateway port should also respond to PROXY requests:
AFAIK all HTTP PROXY needs to do is to support HTTP CONNECT Method (but I think some non-https proxies work even without it):
After looking at golang's
net/http
, my initial intuition says it should be possible to detect such requests early via something like:Would love to get some feedback on this idea
I feel this is a huge win for both security and UX, and should be done before we switch to CIDv1 in base32 by default.
As a sidenote: this technique opens us a venue for future support of alternative naming systems such as ENS (
*.eth.localhost
) or Namecoin (*.bit.localhost
).Refs
The text was updated successfully, but these errors were encountered: