【Question title】: how to securely expose the API address for ipfs cluster services?
【Posted】: 2019-11-11 21:53:27
【Question】:

I implemented the following from the documentation, and it all works, but API access is set to 0.0.0.0, which is a security hole that allows people from outside the network to connect and add files. I want to create a private network and thereby secure it by allowing only localhost access to the API, or access from known servers. But then I found that the peers themselves do not connect. Is there a solution?

version: '3.4'

# This is an example docker-compose file to quickly test an IPFS Cluster
# with multiple peers on a contained environment.

# It runs 3 cluster peers (cluster0, cluster1...) attached to go-ipfs daemons
# (ipfs0, ipfs1...) using the CRDT consensus component. Cluster peers
# autodiscover themselves using mDNS on the docker internal network.
#
# To interact with the cluster use "ipfs-cluster-ctl" (the cluster0 API port is
# exposed to the localhost. You can also "docker exec -ti cluster0 sh" and run
# it from the container. "ipfs-cluster-ctl peers ls" should show all 3 peers a few
# seconds after start.
#
# For persistence, a "compose" folder is created and used to store configurations
# and states. This can be used to edit configurations in subsequent runs. It looks
# as follows:
#
# compose/
# |-- cluster0
# |-- cluster1
# |-- ...
# |-- ipfs0
# |-- ipfs1
# |-- ...
# 
# During the first start, default configurations are created for all peers.

services:

##################################################################################
## Cluster PEER 0 ################################################################
##################################################################################

  ipfs0:
    container_name: ipfs0
    image: ipfs/go-ipfs:release
#   ports:
#     - "4001:4001" # ipfs swarm - expose if needed/wanted
#     - "5001:5001" # ipfs api - expose if needed/wanted
#     - "8080:8080" # ipfs gateway - expose if needed/wanted
    volumes:
      - ./compose/ipfs0:/data/ipfs

  cluster0:
    container_name: cluster0
    image: ipfs/ipfs-cluster:latest
    depends_on:
      - ipfs0
    environment:
      CLUSTER_PEERNAME: cluster0
      CLUSTER_SECRET: ${CLUSTER_SECRET} # From shell variable if set
      CLUSTER_IPFSHTTP_NODEMULTIADDRESS: /dns4/ipfs0/tcp/5001
      CLUSTER_CRDT_TRUSTEDPEERS: '*' # Trust all peers in Cluster
      CLUSTER_RESTAPI_HTTPLISTENMULTIADDRESS: /ip4/0.0.0.0/tcp/9094 # Expose API
      CLUSTER_MONITORPINGINTERVAL: 2s # Speed up peer discovery
    ports:
      # Open API port (allows ipfs-cluster-ctl usage on host)
      - "127.0.0.1:9094:9094"
      # The cluster swarm port would need to be exposed if this container
      # was to connect to cluster peers on other hosts.
      # But this is just a testing cluster.
      # - "9096:9096" # Cluster IPFS Proxy endpoint
    volumes:
      - ./compose/cluster0:/data/ipfs-cluster

##################################################################################
## Cluster PEER 1 ################################################################
##################################################################################

# See Cluster PEER 0 for comments (all removed here and below)
  ipfs1:
    container_name: ipfs1
    image: ipfs/go-ipfs:release
    volumes:
      - ./compose/ipfs1:/data/ipfs

  cluster1:
    container_name: cluster1
    image: ipfs/ipfs-cluster:latest
    depends_on:
      - ipfs1
    environment:
      CLUSTER_PEERNAME: cluster1
      CLUSTER_SECRET: ${CLUSTER_SECRET}
      CLUSTER_IPFSHTTP_NODEMULTIADDRESS: /dns4/ipfs1/tcp/5001
      CLUSTER_CRDT_TRUSTEDPEERS: '*'
      CLUSTER_MONITORPINGINTERVAL: 2s # Speed up peer discovery
    volumes:
      - ./compose/cluster1:/data/ipfs-cluster

##################################################################################
## Cluster PEER 2 ################################################################
##################################################################################

# See Cluster PEER 0 for comments (all removed here and below)
  ipfs2:
    container_name: ipfs2
    image: ipfs/go-ipfs:release
    volumes:
      - ./compose/ipfs2:/data/ipfs

  cluster2:
    container_name: cluster2
    image: ipfs/ipfs-cluster:latest
    depends_on:
      - ipfs2
    environment:
      CLUSTER_PEERNAME: cluster2
      CLUSTER_SECRET: ${CLUSTER_SECRET}
      CLUSTER_IPFSHTTP_NODEMULTIADDRESS: /dns4/ipfs2/tcp/5001
      CLUSTER_CRDT_TRUSTEDPEERS: '*'
      CLUSTER_MONITORPINGINTERVAL: 2s # Speed up peer discovery
    volumes:
      - ./compose/cluster2:/data/ipfs-cluster

# For adding more peers, copy PEER 1 and rename things to ipfs2, cluster2.
# Keep bootstrapping to cluster0.

【Question comments】:

    Tags: ipfs


    【Solution 1】:

    First you need to create a private network in IPFS, which allows your ipfs nodes to connect only to ipfs nodes that have the same swarm key.

    In your ipfs0 and ipfs1 services, you need to add two new environment variables and a new volume:

    ipfs0:
        container_name: ipfs0
        image: ipfs/go-ipfs:release
    #   ports:
    #     - "4001:4001" # ipfs swarm - expose if needed/wanted
    #     - "5001:5001" # ipfs api - expose if needed/wanted
    #     - "8080:8080" # ipfs gateway - expose if needed/wanted
        environment:
          - LIBP2P_FORCE_PNET=1                  # refuse to run without a private network key
          - IPFS_SWARM_KEY_FILE=/data/ipfs/swarm.key
        volumes:
          - ./compose/ipfs0:/data/ipfs
          - ./swarm.key:/data/ipfs/swarm.key     # same key file on every ipfs node
    

    To generate the swarm.key, check this link. The swarm.key must be in your ipfs root path (the default is ~/.ipfs; inside the container the ipfs path is /data/ipfs). This swarm.key should be the same for all ipfs nodes.

    For IPFS Cluster you are already fine; with this command you can generate your cluster secret:

    export CLUSTER_SECRET=$(od -vN 32 -An -tx1 /dev/urandom | tr -d ' \n')
    

    I suggest you use the ipfs cluster REST API to add files. Check this link to configure ipfs cluster so that uploading files is more secure (using an API key), or only allow localhost for the ipfs cluster network:

    ports:
      - "127.0.0.1:9094:9094" # Only open the port 9094 in localhost
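The steps above (a shared swarm.key for the private IPFS network, a CLUSTER_SECRET for the cluster, and publishing port 9094 on loopback only) as one added example, not code from the question or the answer. The function names, the "init" flag and the sample compose lines are this example's own; the swarm key format is the one go-ipfs reads.

```shell
#!/bin/sh
# Added example (not from the original question or answer): generate the two
# secrets the answer relies on and check that the cluster REST API is published
# on loopback only. Function names and the "init" flag are this example's own.

# go-ipfs private-network key: a version line, an encoding line and 32 random
# bytes written as 64 lowercase hex characters.
gen_swarm_key() {
  printf '/key/swarm/psk/1.0.0/\n/base16/\n%s\n' \
    "$(od -vN 32 -An -tx1 /dev/urandom | tr -d ' \n')"
}

# 32 random bytes as hex, the same recipe the answer uses for CLUSTER_SECRET.
gen_cluster_secret() {
  od -vN 32 -An -tx1 /dev/urandom | tr -d ' \n'
}

# Succeeds only if $1 is a well-formed swarm key: exactly three lines, the two
# expected header lines and a 64-character hex key. A malformed key keeps the
# private network from coming up with LIBP2P_FORCE_PNET=1, so check first.
check_swarm_key() {
  printf '%s\n' "$1" | awk '
    NR == 1 && $0 != "/key/swarm/psk/1.0.0/" { bad = 1 }
    NR == 2 && $0 != "/base16/"              { bad = 1 }
    NR == 3 && (length($0) != 64 || $0 !~ /^[0-9a-f]+$/) { bad = 1 }
    END { exit (bad || NR != 3) }'
}

# Succeeds only if no "ports:" entry in the compose text ($1) publishes the
# cluster API port 9094 on all host interfaces ("9094:9094" or "0.0.0.0:9094").
# The in-container listen address /ip4/0.0.0.0/tcp/9094 is fine; the host-side
# mapping decides who can reach the API.
check_api_binding() {
  ! printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?9094:9094' >/dev/null
}

# Usage: sh secrets.sh init  -> writes ./swarm.key (mode 0600) for the
# "./swarm.key:/data/ipfs/swarm.key" volume and prints the CLUSTER_SECRET export.
if [ "${1-}" = "init" ]; then
  umask 077
  key=$(gen_swarm_key)
  check_swarm_key "$key" || { echo "swarm key generation failed" >&2; exit 1; }
  printf '%s\n' "$key" > ./swarm.key
  echo "export CLUSTER_SECRET=$(gen_cluster_secret)"
fi
```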
    

    【Discussion】:
