-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS for DNSLink websites loaded via public subdomain gateways #169
Comments
What about (C) with and an escape character? For exemple, with - as an escape character, foo-bar.tld becomes foo--bar-tld and foo.bar.tls become foo-bar-tld. |
I have faced this exact dilemma in my lunet experiment and have settled on a following compromise: Loading
Which achieved following:
It had following downsides:
That is all to suggest that I think it's best to decouple UX and Origin separation problems from each other. E.g dweb.link could be used to do the Origin separation and another domain could provide human meaningful URLs on top. I don't believe both could be achieved at the same time. If I were to choose between some domain escaping logic and use of public keys in it's place I would much rather go with later as in my experience deriving origins from domain names did not really provided good UX, on the contrary it resembled spoofing attacks. |
I feel that lunet operated at higher abstraction layers, to which we don't have access here (no keys etc). I think the main criteria for DNSLink representation are (updated first comment):
Note: DNSlink representation in subdomain on public gateway will be a niche use case. I am leaning towards keeping this very simple and implementing a variant of (C) which supports encoded domains:
|
That is fare assessment. I don't think this is in conflict with what I was trying to suggest however. The way I see it That higher level abstraction layer could be built on top of this. I do still however think that it would be highly beneficial if
That enables:
But it does makes redirect URLS less readable as in All that said, it may be doing simple char substitution in this iteration and considering future extensions (like mentioned public keys base origins) is best compromise. I did however wanted to point out than in my prior experience I found simple char substitution problematic because it did not play well with IPNS. |
Ok, I am leaning towards shipping support for simple substitution in go-ipfs ~0.9: Immediate need is to make subdomain gateways drop-in replacement for all paths without surprises or need for custom TLS setup (including ones with DNSLink name). Extending DNSLink with optional pubkey is exciting, but requires more analysis and I feel we need to park it until we have time to work on IPNS itself. |
I'm happy to see progress on this! One quick note: Cloudflare IPFS gateways actually have good support for this. They have a very simple web form (scroll down to the bottom of the page) where you can enter in your domain name, and they'll quickly generate the necessary certificate, allowing you to CNAME your domain to This is basically a variant of solution (A) above, but doesn't involve any "on-the-fly" trickery. I think cloudflare has a big advantage here, though, since they have their own CA to use. The only thing preventing me from using this successfully is that I get very poor performance with the cloudflare gateway (which honestly is a little surprising given what cloudflare's main business is). |
@eminence it is indeed nice, but relies on a single CA, which is pretty bad decentralization-wise. |
Also hope to see this shipped soon. To me I think @lidel's approach C sounds reasonable:
but I also prefer hashing to a CID than the label manipulation, but this obviously loses the human readability:
|
Problem statement and rationale for doing this can be found under "Option C" at: ipfs/in-web-browsers#169 TLDR is: `https://dweb.link/ipns/my.v-long.example.com` can be loaded from a subdomain gateway with a wildcard TLS cert if represented as a single DNS label: `https://my-v--long-example-com.ipns.dweb.link`
PR draft with (C) triggered via |
We're running ipfs/kubo#7847 on Demos: |
This correctly detects subdomains with DNSLink name inlined into a single DNS label. More details: ipfs/in-web-browsers#169 License: MIT Signed-off-by: Marcin Rataj <[email protected]>
This correctly detects subdomains with DNSLink name inlined into a single DNS label. More details: ipfs/in-web-browsers#169 License: MIT Signed-off-by: Marcin Rataj <[email protected]>
This correctly detects subdomains with DNSLink name inlined into a single DNS label. More details: ipfs/in-web-browsers#169
ipfs/in-web-browsers#169 License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Problem statement and rationale for doing this can be found under "Option C" at: ipfs/in-web-browsers#169 TLDR is: `https://dweb.link/ipns/my.v-long.example.com` can be loaded from a subdomain gateway with a wildcard TLS cert if represented as a single DNS label: `https://my-v--long-example-com.ipns.dweb.link`
Problem statement and rationale for doing this can be found under "Option C" at: ipfs/in-web-browsers#169 TLDR is: `https://dweb.link/ipns/my.v-long.example.com` can be loaded from a subdomain gateway with a wildcard TLS cert if represented as a single DNS label: `https://my-v--long-example-com.ipns.dweb.link` This commit was moved from ipfs/kubo@09178aa
By default, people will point DNSLink website at their own go-ipfs and set up proper TLS cert for the domain.
This is how https://en.wikipedia-on-ipfs.org works.
Problems when loading DNSLink website from a public gateway
There are known problems when someone tries to load DNSLink website from an alternative, public gateway:
*.ipns.dweb.link
and*.ipfs.dweb.link
). This works fine for CIDs, which are a single DNS label, but DNSLink names have.
in them, which introduces more than one level.Constraints
I think the main criteria for DNSLink representation are:
Solving the TLS problem
👉 Below is a summary of options I see, would love to hear what others think / do sanity check on this / propose your own.
(A) Mining wildcard certificates on the fly
My understanding is that to support DNSLink in subdomains at our public gateway without this TLS error we would have to create some magical orchestration which "mines certificate" on first load.
While it should be technically possible via some nginx+lua hackery (needs sanity check), it may violate ToS of services like Let's Encrypt. This means we would have to work with CA, make our case and ensure they won't ban us when we do it. If we have green light, we could either document the setup for other gateways to use, or consider implementing the magic it in go-ipfs' gateway itself.
💔 I don't like this because it brings complexity/centralization of PKI deep into go-ipfs/gateway logic, ale we should avoid that if we can.
(B) Do nothing, live with TLS errors
We could just live with the TLS error, and when someone points it out say "to be independent of centralized PKI you need to Install IPFS Desktop and IPFS Companion".
💔 Avoiding the problem is bad, but also I worry people won't understand nuance why, and just take a note that "IPFS breaks/ignores web security", which is a pretty bad meme.
(C) Encode FQDN to a string that fits in a single DNS label
This may be the least painful fix so far: if we come up with a way of encoding domain names to something that fits in a single DNS label (max 63 characters), then
https://dweb.link/ipns/foo.tld
would redirect tohttps://{encoded-foo-tld}.ipfs.dweb.link
and there would be no TLS error (at last for domains shorter than 63 characters).💚 The encoding step could be added to go-ipfs (just like we convert to base36 if base32 is too long) and that way every gateway would support this with pre-existing TLS certs (no additional setup, seamless upgrade).
Challenges:
foo-bar.tld
vsfoo.bar.tld
apart if both are represented asfoo-bar-tld
etc).ipns.example.com
suffix to get the original domain name,but its still a lesser evil for public gateways. And when native IPFS is used on localhost subdomains, we can keep original domain names because there is no TLS.
The text was updated successfully, but these errors were encountered: