Go-ipfs: --api doesn't support TLS

Created on 27 Mar 2019  ·  4 Comments  ·  Source: ipfs/go-ipfs

Version information:

go-ipfs version: 0.4.19-
Repo version: 7
System version: amd64/linux
Golang version: go1.11.5

Type: enhancement

Description:

Based on my understanding of multiaddr, it should be possible to do something like ipfs --api="/dns4/ipfs.io/tcp/5001/https" id to connect to a remote node using TLS. You guessed already, that doesn't work.

What happens is that go-ipfs, even though the https part is parsed properly, keeps doing http requests. Obviously, the component that adds the TLS layer in front of the API doesn't like that very much, returns an error, and the call fails with:

14:38:00.954 ERROR  cmds/http: could not guess encoding from content type "text/html" parse.go:198
Error: unknown error content type: text/html

I understand that go-ipfs doesn't natively support TLS for its API, but it's a common and natural way to protect a node exposed over the internet. Can this be sorted out?


All 4 comments

The key missing part here is finishing enough of the multiaddr spec (@lgierth?) to support this. I believe the "correct" multiaddr way would be /dns4/ipfs.io/tcp/5001/tls/http but that hasn't quite been figured out yet.

FYI, this one returns Error: no protocol with name tls

We'll get /tls and /http properly defined and implemented very soon, status tracked here: multiformats/multiaddr#47 and multiformats/multiaddr#63

There are multiple problems with this:

  1. go-ipfs implements the minimum of HTTP required for interop; for everything else a reverse proxy should be used
  2. HTTPS on its own is not enough to protect the API. Right now the API does not provide any ACL (see API Tokens discussion in https://github.com/ipfs/go-ipfs/issues/1532), so exposing the API requires adding access control via a reverse proxy anyway

For both reasons, it is unlikely that go-ipfs will support API over https:// without reverse proxy any time soon.

Closing this as a duplicate of discussion in https://github.com/ipfs/go-ipfs/issues/5974 (feel free to continue there)
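
The arrangement the last comment recommends, a reverse proxy that adds both TLS and access control in front of the API, sketched in Go. This is an added example, not code from go-ipfs or from anyone in this thread. It assumes the API listens on 127.0.0.1:5001; the `IPFS_PROXY_TOKEN` variable, the listen port and the certificate file names are hypothetical.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// guardedProxy forwards a request to the backend API only when the caller
// presents the expected bearer token; every other request gets a 401.
func guardedProxy(backend *url.URL, token string) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	want := []byte(token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		got := strings.TrimPrefix(auth, "Bearer ")
		// got == auth means the "Bearer " prefix was missing. The comparison is constant-time.
		if got == auth || len(want) == 0 || subtle.ConstantTimeCompare([]byte(got), want) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="ipfs-api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// The credential is for the proxy; do not pass it on to the backend.
		r.Header.Del("Authorization")
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed values: API bound to loopback on port 5001, token taken from a
	// hypothetical environment variable, cert.pem/key.pem supplied by the operator.
	backend, err := url.Parse("http://127.0.0.1:5001")
	if err != nil {
		log.Fatal(err)
	}
	token := os.Getenv("IPFS_PROXY_TOKEN")
	if token == "" {
		log.Fatal("IPFS_PROXY_TOKEN must be set")
	}
	log.Fatal(http.ListenAndServeTLS(":5443", "cert.pem", "key.pem", guardedProxy(backend, token)))
}
```

The API port itself stays bound to loopback so that the proxy is the only network path to it.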
