-
Notifications
You must be signed in to change notification settings - Fork 495
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make it possible to use Web UI with a remote IPFS API #836
Make it possible to use Web UI with a remote IPFS API #836
Comments
It is worth noting what go-ipfs will bind API port to 127.0.0.1 by default. It is a safety feature. If someone chooses to override that setting and expose it to the wide internet then we are not responsible for damage resulting from that. Just like noted in #594 (comment) we are not able to close such security hole by writing javascript that is refusing webui connection to remote API. Everyone with curl can easily work around that, and it makes things harder for people using VPN. So I agree it is good idea to remove such limitation in v2. Having that said, things we could do to improve situation:
|
This issue has the |
I think modern ipfs-webui will work with any remote API, as long it has properly set CORS headers (which is the blocker, unless you are admin of that node and can add headers on it). @olizilla is CORS the blocker you had in mind? I think Web UI shows how to set up CORS now, is that enough to close this issue? ps. fysa we are researching alternative ways of accessing "remote" API in ipfs/in-web-browsers#137 |
The IPFS companion browser plugin correctly works with a non-local node out of the box, which implies to me that nothing needs to be done to IPFS API server to make this work. Unless perhaps browsers don't enforce CORS for requests made from plugins? |
IIRC ipfs-companion is explicitly disabling CORS for user-specified API endpoint. |
Can you give an example of the server side CORS rules needed to allow remote webui access, and how to set that up? Thanks. |
CORS enforcement is done by the browser, and you can't disable it (allowing an app to ignore CORS would break the security model). So either the browser doesn't enforce CORS for extensions (possible, I have never looked into it) or CORS isn't the problem. |
@makeworld-the-better-one see https://github.com/ipfs-shipyard/ipfs-webui#configure-ipfs-api-cors-headers @MicahZoltu the browser extension removes Origin header from API requests (ipfs-request.js#L118-L144), taking CORS checks out of the picture. |
Ugh, so apparently Firefox and Chrome do add the header but then proceed to allow the author to change the header! That is just annoying because it means any potential security benefits aren't present, yet everyone has to suffer with dealing with CORS. Speaking of which, what is the threat model that IPFS is trying to prevent by requiring same origin? The threat model protected by same origin policies is pretty narrow, and it is not clear to me how IPFS benefits. |
@chiragg6 and I might be interested in adding the creds support to web-ui. Please let us know if we can expedite this & close for betterment of all. |
@MicahZoltu are you able to elaborate? afaik only WebExtension with permission to The requirement of same origin on the API port aims to protect users from things like random websites changing node configuration via @0zAND1z what do you mean by creds? Designing native access controls for IPFS API and implementing it in go-ipfs? Or a reverse-proxy (eg with OAuth2) to sit in front of API, similar to https://github.com/ory/hydra ? |
@lidel The point I was trying to make was that if the extension is able to change the Origin header, then there is no point in applying a Origin header at all (especially when Origin header doesn't make much sense, such as for an extension). In the case of this extension, it has the ability to change the Origin header, thus it is silly for the browser to set the Origin header in the first place. If the browser would have simply not set the Origin header, then the extension wouldn't have to go through the annoyance of having to unset it. IIUC, anyone who can reach |
|
I'm back, running into the same problem (essentially) again. I have a remote IPFS node that I want to use and manage from a machine I am on. The remote API is sitting behind a reverse proxy that does Basic Authentication, so the user needs to enter a username/password to access the API. If I manually navigate to the API in a browser window, I'll get a browser HTTP auth pop-up that I can fill in and the IPFS Companion extension then is able to access the API without problem, because it seems to inherit the authorization. However, the WebUI does not have the ability to inherit the Authorization, so all of the API requests made by the WebUI fail with a 401 Unauthorized. As an interim solution to remote node management, can a section be added to the UI that allows the user to supply HTTP Basic Authorization credentials or perhaps add a custom header to outgoing API requests? This would allow me to use the UI, even if it isn't an ideal scenario, without having to run an SSH tunnel on every machine I want to connect with. SSH tunneling is significantly more complicated IMO than basic Auth credentials, especially if you are running IPFS in docker and already have a reverse proxy setup (which is pretty common in dockerized environments). |
Shoot, this thread went under my octobox carpet of notifications for a very long time.
@lidel yes. This works best. But for people looking to wall the access, Basic Auth is more suitable. @hacdias , we could store it in encrypted format on IPFS itself? And once the user wishes to login, could that keystore be decrypted at browser level with a simple password or 2-step verification? I am very sure that there are better ways of solving this. This is me thinking aloud on decentralising the credentials storage. Security has to be first-class, of course. |
IIRC right now user can specify custom API address in multiaddr format using this UI. It saves multiaddr in
This means we are left with two options:
Personally, I feel we should go with (B) because its implementation has smaller surface and makes HTTP Basic Auth easy to set up while keeping UI minimalist. Thoughts? |
I believe B is the way to go. I can try implementing it out as it seems easy. |
I think bugs (1) and (2) from ipfs-inactive/ipfs-redux-bundle#28 (review) need to be addressed before we close this |
Will be available on next release! |
I've set it up behind Nginx and it works fine except there isn't any option to configure Gateway port for WebUI. if try any "View on IPFS Gateway" it uses This is my config
|
/cc @rafaelramalho19 |
I'm missing the continuity of this thread but are we suggesting adding another box in the UI along the same lines of the API box? If so, is this starting to get close to discussions in other issues about UI-ifying the entire config file? |
Actually this doesn't need any configuration. Like currently there is already auto detect for API as I didn't need to change it. So basically what is needed is that if I access UI with domain like |
Aha - got it, thanks for the details! I'll leave this in @lidel or @rafaelramalho19 's court. |
I suspect this was kinda fixed in #1559 where we default to the public gateway ( @davispuh After above fix is released, you can use IPFS Companion browser extension to redirect IPFS requests to the gateway of your choice.
AFAIK this won't really work in all contexts. Namely, when WebUI was loaded from API port ( |
It seems silly to use browser extension to just get this use case working. I have my own API and Gateway both running behind Nginx which I would say is pretty standard configuration. So if it can't be auto-detected then it does need configuration option. Also I don't see it as that complicated, first time accessing can try several combinations (eg. same host:port or whatever API config returns) and if any work then save in local storage. Also if |
I'm reopening this issue as we still get reports of misconfiguration issues when accessing remote API (eg. #1565). @davispuh how would you solve for situation when different ports are used on each side of Nginx (eg. 443 and 8080)? |
Can i password protect the api on port 5001? |
Lots of people want to use Web UI to monitor and manage IPFS nodes hosted on a remote server rather than on their local machine. That is totally reasonable.
But it is not currently supported. The IPFS API is not authenticated. It currently expects to be accessed by privileged users on the local machine, and should not be exposed to the internet. Once we have an authentication mechanism for the API we'll ensure that Web UI works with it.
Please see: ipfs/kubo#1532
In the meantime we'll make the subset of Web UI that can work against the read-only / gateway API that would be safe expose from a remote machine. See #835
A suitably motivated individual could set up secure proxy + firewall or vpn to access their api port securely from a remote machine. Pervious iterations of Web UI were hardcoded to use an API on localhost, but v2 will do nothing special to prevent trying to use a remote api address. It's worth reiterating that its not a currently supported configuration, and we don't have the bandwidth to deal with support requests if it doesn't work for you. We will make this work in the future, in a secure way, once core supports it.
Previous reports of this issue
The text was updated successfully, but these errors were encountered: