iroh
iroh-relay: run behind reverse proxy
Is it possible to run iroh-relay behind reverse proxy such as nginx?
I am currently getting certificates using acmetool and running iroh-relay in manual certificate mode:
https://github.com/n0-computer/iroh/blob/b07547b68eb771e789474ad4f1344e02b2223f95/iroh-net/src/bin/iroh-relay.rs#L209
But to give iroh-relay access to the key I have to run it as root. To avoid this I would like to run iroh-relay as an HTTP and STUN node and have nginx, which has access to the TLS key, proxy all requests to iroh-relay. For the STUN server this is also possible by defining a stream section in the nginx config: https://github.com/coturn/coturn/issues/702
When not running as root, iroh-relay cannot read the key and fails with
Apr 15 02:04:42 b1 iroh-relay[3168974]: Error: cannot open secret key file
Apr 15 02:04:42 b1 iroh-relay[3168974]: Caused by:
Apr 15 02:04:42 b1 iroh-relay[3168974]: Permission denied (os error 13)
Apr 15 02:04:42 b1 systemd[1]: iroh-relay.service: Main process exited, code=exited, status=1/FAILURE
Apr 15 02:04:42 b1 systemd[1]: iroh-relay.service: Failed with result 'exit-code'.
Apr 15 02:04:47 b1 systemd[1]: iroh-relay.service: Scheduled restart job, restart counter is at 1.
Apr 15 02:04:47 b1 systemd[1]: Stopped Iroh relay.
Apr 15 02:04:47 b1 systemd[1]: Started Iroh relay.
Apr 15 02:04:47 b1 iroh-relay[3168990]: Error: cannot open secret key file
Apr 15 02:04:47 b1 iroh-relay[3168990]: Caused by:
Apr 15 02:04:47 b1 iroh-relay[3168990]: Permission denied (os error 13)
Apr 15 02:04:47 b1 systemd[1]: iroh-relay.service: Main process exited, code=exited, status=1/FAILURE
Apr 15 02:04:47 b1 systemd[1]: iroh-relay.service: Failed with result 'exit-code'.
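The setup asked about above, as an added example that is not part of this issue or of the iroh project: nginx terminates TLS and forwards relay traffic to a local iroh-relay, and a stream block forwards STUN over UDP. It assumes iroh-relay can be started listening on plain HTTP (whether that is possible is exactly the open question of this issue), and every port number, hostname and certificate path below is a placeholder chosen for the example.

```nginx
# Added example, not iroh project configuration.
# Assumptions (all placeholders): iroh-relay listens on plain HTTP on
# 127.0.0.1:3340 and on UDP 3478 for STUN; the public name is
# relay.example.com; the key and chain live under /var/lib/acme/live/.

http {
    server {
        listen 443 ssl;
        server_name relay.example.com;

        # nginx starts as root, reads the key, then drops privileges,
        # so iroh-relay itself never needs read access to the key.
        ssl_certificate     /var/lib/acme/live/relay.example.com/fullchain;
        ssl_certificate_key /var/lib/acme/live/relay.example.com/privkey;

        location / {
            proxy_pass http://127.0.0.1:3340;

            # Relay clients attach with an HTTP Upgrade handshake; nginx only
            # forwards the Upgrade and Connection headers when told to use
            # HTTP/1.1 and to pass them explicitly.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Relay connections are long-lived; nginx's default 60s idle
            # timeout would otherwise close them.
            proxy_read_timeout 1h;
            proxy_send_timeout 1h;
        }
    }
}

# UDP forwarding for STUN, the same approach as the linked coturn issue.
stream {
    server {
        listen 3478 udp;
        proxy_pass 127.0.0.1:3478;
    }
}
```

One caveat worth checking before relying on the stream block: a plain nginx UDP proxy rewrites the packet source address to nginx's own, so the relay's STUN binding response would report nginx's address (127.0.0.1 when both run on one host) rather than the client's public mapping. Preserving the client address needs nginx's transparent proxying (`proxy_bind $remote_addr transparent;`), which in turn requires extra privileges for the worker processes and routing rules on the host, so for STUN it is often simpler to let iroh-relay bind the UDP port directly (no key is needed for STUN) and proxy only the HTTPS side.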
Unless you also want to make it learn to drop privileges, it seems easier to move TLS key handling outside of the service.
Why can't you make the certificates readable by the user that runs the relay?
> Why can't you make the certificates readable by the user that runs the relay?
It's not the certificate, but the key that is not readable by users. Key directories in /var/lib/acme/keys are owned by root:root with 700 permissions and are recreated each time the certificate is updated, every 60 days or so.
Sure, but either way isn't it odd that acmetool only allows storing keys owned by root?
But that's not your original question, I guess; your original question is whether the relay server can handle everything over HTTP traffic and rely on a reverse proxy to strip the HTTPS? I think you might be able to do this with the --dev option? But you'd have to experiment. And maybe it makes sense to have a CertMode::None or something to properly support this.
> Sure, but either way isn't it odd that acmetool only allows storing keys owned by root?
I think it is common, most services that deal with keys like nginx, postfix and dovecot start as root and drop privileges after reading the key. I can hack something with hooks to copy the key and change the owner. But generally I'm trying to push managing TLS as much to the "edge" as possible, so services don't have to care about it. Postfix and dovecot are an exception due to STARTTLS, otherwise I'd be happy to make nginx manage TLS for them as well.
@link2xt what's the difference here between this issue and #2177 ?
#2177 is about iroh-relay expecting a folder rather than separate key and certificate paths. This issue is about being able to run iroh-relay behind a reverse proxy such as nginx that takes care of TLS; in this case there would be no need to give TLS keys to iroh-relay at all, but I don't know if it is possible. If iroh-relay also uses the TLS key for QUIC, then it is not possible, I guess. If TLS keys are only used for the HTTPS port, then I would prefer to just give the TLS key to nginx.
Fixed by #2341. If not, feel free to reopen.