Don't convert the host name specified with --api=/dns4/<domain>/ into an IP address (thus making life easy for reverse proxy)

Open softwareplumber opened this issue 2 years ago • 1 comments

Checklist

  • [X] My issue is specific & actionable.
  • [X] I am not suggesting a protocol enhancement.
  • [X] I have searched on the issue tracker for my issue.

Description

In kubo/cmd/ipfs/main.go, the multiaddr specified using --api is resolved:

apiAddr, err = resolveAddr(req.Context, apiAddr)

Unfortunately this erases information about the host name. Almost anyone trying to run kubo behind a reverse proxy will hate this, since it means the HTTP requests go out with the IP address rather than the host name in the header, thus breaking any hostname-based rules in the reverse proxy. This caused a couple of days of head-scratching on my part, since API calls handcrafted via CURL worked just fine for me, but I couldn't persuade the kubo cli to work.

Removing this line fixed that problem for me (OK, there are other problems related to https support, but at least the CLI works over http).

Is there any reason we actually need to resolve the hostname here rather than letting the executor do it? Or is it just a check? (In which case simply ignoring the address returned by resolve would be perfect.)

softwareplumber, Nov 25 '23 15:11
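The behaviour this issue describes, as an added example (not kubo's code and not part of the original post): a stub reverse proxy with one hostname-based rule receives the same API call once with the host name kept in the URL and once with it already replaced by an IP address. The hostname `ipfs.example.internal`, the stub and the helper names are constructed for illustration, and the `DialContext` override stands in for DNS so the example runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

const proxyHost = "ipfs.example.internal" // constructed name; the stub only routes this host

// newProxyStub mimics a reverse proxy with a single hostname-based routing rule.
func newProxyStub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.Host) // Host header as sent by the client
		if host != proxyHost {
			http.Error(w, "no route for Host "+r.Host, http.StatusNotFound)
			return
		}
		fmt.Fprint(w, "routed to kubo backend")
	}))
}

// callAPI posts to apiHost on the stub's port; every dial goes to the stub (stand-in for DNS).
func callAPI(srv *httptest.Server, apiHost string) (int, error) {
	addr := srv.Listener.Addr().String()
	_, port, _ := net.SplitHostPort(addr)
	client := &http.Client{Transport: &http.Transport{
		DisableKeepAlives: true,
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, network, addr)
		},
	}}
	resp, err := client.Post("http://"+net.JoinHostPort(apiHost, port)+"/api/v0/version", "", nil)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newProxyStub()
	defer srv.Close()
	for _, h := range []string{proxyHost, "127.0.0.1"} { // name kept vs. name pre-resolved
		fmt.Println(callAPI(srv, h))
	}
}
```

The first call reaches the backend because the Host header still carries the name; the second is rejected by the proxy rule because the header carries only the IP address.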

I have submitted PR https://github.com/ipfs/kubo/pull/10233; so far it looks like a one-line fix. I am using this fix in-house to connect between the cli and back-end via an nginx reverse proxy.

The fly in the ointment is that a fix on go-ipfs-cmds is also necessary to support https on the client. Aware that actually serving the API directly on https is a whole can of worms, but supporting https as an option on the cli (e.g. by specifying --api=/dns4//tcp/443/tls) would at least allow a secure connection to the reverse proxy. Hope to submit a PR for this eventually, but it makes sense to do the kubo part first.

Regards Jon

------ Original Message ------
From: "Marcin Rataj"
To: "ipfs/kubo"
Cc: "softwareplumber"; "Author"
Date: 11/27/2023 9:52:23 AM
Subject: Re: [ipfs/kubo] Don't convert the host name specified with --api=/dns4// into an IP address (thus making life easy for reverse proxy) (Issue #10232)

Triage notes:

  • makes sense to fix this
  • needs analysis, could be easy fix, or it could require deeper refactor of RPC CLI client/commands to move resolve from https://github.com/ipfs/kubo/blob/3ae04c536e65954db9e6465346108f97d285c244/cmd/ipfs/main.go#L294 deeper down the stack

softwareplumber, Nov 27 '23 16:11