
How can we enable users to easily set up their own CDN cache nodes without compromising security?

Open akarasulu opened this issue 7 years ago • 5 comments

Right now peers use the https certificate to trust the CDN cache nodes. This is a bit problematic when using self-signed certificates because peers have to use the allow_insecure parameter. In addition to this, perhaps we can use PGP keys in the CDN cache nodes to bypass this trust mechanism and use the PGP key in the CDN cache node to trust the node. Allow insecure will pertain to the https cert, but then the PGP trust will kick in.

This way the agent can trust the CDN cache node via PGP key and bypass the https cert mechanism. Can we do something like this to enable CDN nodes to use self-signed certificates while still maintaining security and trust between peers and the CDN cache node? That way we do not have to distribute our own certificate to CDN nodes to allow them to be deemed secure.

akarasulu avatar Jan 21 '18 06:01 akarasulu

@akarasulu I think you are requesting a type of PGP key server, such as https://roll.urown.net/server/pgp-keyserver.html#a-public-key-shelf . While possible, this will add another service to be run in order for a peer to talk with a certified CDN. So the agent would get the public PGP key of the CDN and then follow with a search on the PGP keyserver that provides a central repo for all nodes. This will add the burden for a CDN to be able to provide its PGP key for the agent. Since our cache node is a reverse proxy Nginx server, this would be a file with the PGP public key stored in its root path.

marcoarthur avatar Jan 24 '18 14:01 marcoarthur

BTW the Hub is already a PGP server. Anyhow that's not related at all to this issue.

Regardless, this one was simple, and yes, it would be a PGP key stored statically on the CDN in some path like at the root. Someone would just import the PGP key of a CDN cache node from the root and load it into the agent as a trusted key. The agent, when pulling from the cache node, bypasses the X.509 certificate authentication to just trust the PGP key, much like the way apt works with repositories.

This is more an agent thing, I guess, actually. But yes, all the user has to do is put the GPG public key in the root of the CDN cache node, which, well, is nothing. Excuse the noise here on this project.

@Dilshat can you also give me your opinion please?

Me wonders how I can move this issue over to the agent project hmm.

akarasulu avatar Jan 24 '18 19:01 akarasulu

Currently the agent verifies each imported template's signature by getting the owner's PGP key from Kurjun. If this is not enough, then we can add an additional verification step where a locally placed Kurjun public PGP key will be used to verify some token obtained from Kurjun on each operation. However, this also obliges us to distribute the key with the snap and, in case it changes, make the user change it.

dilshat avatar Jan 25 '18 02:01 dilshat

I was not talking about templates but about trusting either a certificate or PGP key placed in the CDN cache node. Maybe my approach is wrong, and perhaps there's no good way to solve this properly, but let me state the problem properly:

The Problem

Presently the CDN is set to use cdn.subut.ai.

If someone outside our organization wants to set up a local CDN cache node, they can do that, and point cdn.subut.ai to their local cache node.

The problem with this is you either need to install our certificate for cdn.subut.ai, or change the agent.gcfg to set allow_insecure to true. This kind of sucks to do.

Users can't just install a self-signed certificate for that domain name. Allow insecure must still be enabled. Nor can they get a valid letsencrypt certificate for our domain.

As a user not associated with our organization, I would like to be able to set up a local CDN cache node WITHOUT disabling https security checks with allow_insecure set to true in the agent.gcfg.

Some Possible Solutions

Is the CDN DNS name configurable in the agent.gcfg? Can I set it to foobar.com which I can host with a valid letsencrypt certificate and peers can use it without setting allow_insecure to true?

This is still kind of shitty, because I now have to make each peer use that custom CDN. Perhaps a workaround is to ask the local DNS for a CDN cache node. You can use service records for this. If the peer finds a CDN cache server, it automatically configures itself to use it.

I was trying to think of other elaborate ways with PGP but I don't think they'll work out after a second thought.

akarasulu avatar Jan 25 '18 22:01 akarasulu

We can make the agent search for a server certificate, say ca.crt, and if present add it to its truststore used for the CDN.

dilshat avatar Jan 26 '18 03:01 dilshat