I implemented the following from the documentation and everything works, but the API access is set to 0.0.0.0, which is a security hole that lets people from outside the network connect and add files. I want to create a private network and secure it by only allowing localhost access to the API, or access from known servers. But then I found that the peers themselves no longer connect. Is there a solution?
version: "3.4"

# This is an example docker-compose file to quickly test an IPFS Cluster
# with multiple peers on a contained environment.
# It runs 3 cluster peers (cluster0, cluster1...) attached to go-ipfs daemons
# (ipfs0, ipfs1...) using the CRDT consensus component. Cluster peers
# autodiscover themselves using mDNS on the docker internal network.
#
# To interact with the cluster use "ipfs-cluster-ctl" (the cluster0 API port is
# exposed to the localhost). You can also "docker exec -ti cluster0 sh" and run
# it from the container. "ipfs-cluster-ctl peers ls" should show all 3 peers a few
# seconds after start.
#
# For persistence, a "compose" folder is created and used to store configurations
# and states. This can be used to edit configurations in subsequent runs. It looks
# as follows:
#
# compose/
# |-- cluster0
# |-- cluster1
# |-- ...
# |-- ipfs0
# |-- ipfs1
# |-- ...
#
# During the first start, default configurations are created for all peers.

services:

##################################################################################
## Cluster PEER 0 ################################################################
##################################################################################

  ipfs0:
    container_name: ipfs0
    image: ipfs/go-ipfs:release
    # ports:
    #   - "4001:4001" # ipfs swarm - expose if needed/wanted
    #   - "5001:5001" # ipfs api - expose if needed/wanted
    #   - "8080:8080" # ipfs gateway - expose if needed/wanted
    volumes:
      - ./compose/ipfs0:/data/ipfs

  cluster0:
    container_name: cluster0
    image: ipfs/ipfs-cluster:latest
    depends_on:
      - ipfs0
    environment:
      CLUSTER_PEERNAME: cluster0
      CLUSTER_SECRET: ${CLUSTER_SECRET} # From shell variable if set
      CLUSTER_IPFSHTTP_NODEMULTIADDRESS: /dns4/ipfs0/tcp/5001
      CLUSTER_CRDT_TRUSTEDPEERS: '*' # Trust all peers in Cluster
      CLUSTER_RESTAPI_HTTPLISTENMULTIADDRESS: /ip4/0.0.0.0/tcp/9094 # Expose API
      CLUSTER_MONITORPINGINTERVAL: 2s # Speed up peer discovery
    ports:
      # Open API port (allows ipfs-cluster-ctl usage on host)
      - "127.0.0.1:9094:9094"
      # The cluster swarm port would need to be exposed if this container
      # was to connect to cluster peers on other hosts.
      # But this is just a testing cluster.
      # - "9096:9096" # Cluster IPFS Proxy endpoint
    volumes:
      - ./compose/cluster0:/data/ipfs-cluster

##################################################################################
## Cluster PEER 1 ################################################################
##################################################################################

# See Cluster PEER 0 for comments (all removed here and below)

  ipfs1:
    container_name: ipfs1
    image: ipfs/go-ipfs:release
    volumes:
      - ./compose/ipfs1:/data/ipfs

  cluster1:
    container_name: cluster1
    image: ipfs/ipfs-cluster:latest
    depends_on:
      - ipfs1
    environment:
      CLUSTER_PEERNAME: cluster1
      CLUSTER_SECRET: ${CLUSTER_SECRET}
      CLUSTER_IPFSHTTP_NODEMULTIADDRESS: /dns4/ipfs1/tcp/5001
      CLUSTER_CRDT_TRUSTEDPEERS: '*'
      CLUSTER_MONITORPINGINTERVAL: 2s # Speed up peer discovery
    volumes:
      - ./compose/cluster1:/data/ipfs-cluster

##################################################################################
## Cluster PEER 2 ################################################################
##################################################################################

# See Cluster PEER 0 for comments (all removed here and below)

  ipfs2:
    container_name: ipfs2
    image: ipfs/go-ipfs:release
    volumes:
      - ./compose/ipfs2:/data/ipfs

  cluster2:
    container_name: cluster2
    image: ipfs/ipfs-cluster:latest
    depends_on:
      - ipfs2
    environment:
      CLUSTER_PEERNAME: cluster2
      CLUSTER_SECRET: ${CLUSTER_SECRET}
      CLUSTER_IPFSHTTP_NODEMULTIADDRESS: /dns4/ipfs2/tcp/5001
      CLUSTER_CRDT_TRUSTEDPEERS: '*'
      CLUSTER_MONITORPINGINTERVAL: 2s # Speed up peer discovery
    volumes:
      - ./compose/cluster2:/data/ipfs-cluster

# For adding more peers, copy PEER 1 and rename things to ipfs2, cluster2.
# Keep bootstrapping to cluster0.
Answer 0 (score: 0)

First, you need to create a private network in IPFS, which allows your ipfs nodes to connect only to ipfs nodes that have the same swarm key.

In the ipfs0 and ipfs1 services you need to add two new environment variables and a new volume:
  ipfs0:
    container_name: ipfs0
    image: ipfs/go-ipfs:release
    # ports:
    #   - "4001:4001" # ipfs swarm - expose if needed/wanted
    #   - "5001:5001" # ipfs api - expose if needed/wanted
    #   - "8080:8080" # ipfs gateway - expose if needed/wanted
    environment:
      - LIBP2P_FORCE_PNET=1
      - IPFS_SWARM_KEY_FILE=/data/ipfs/swarm.key
    volumes:
      - ./compose/ipfs0:/data/ipfs
      - ./swarm.key:/data/ipfs/swarm.key
To generate swarm.key, check this link. The swarm.key must be in the ipfs root path (by default ~/.ipfs; in the container the ipfs path is /data/ipfs). That swarm.key should be the same for all ipfs nodes.

For IPFS Cluster it is fine; you can generate the cluster secret with this command:

export CLUSTER_SECRET=$(od -vN 32 -An -tx1 /dev/urandom | tr -d ' \n')

I recommend adding files through the ipfs-cluster REST API. Check this link to configure ipfs-cluster and make file uploads more secure (using an API key), or you can expose the ipfs-cluster API on localhost only:
    ports:
      - "127.0.0.1:9094:9094" # Only open port 9094 on localhost
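The answer's steps put together as a small POSIX shell script (an added example, not code from the question, the answer, or the ipfs-cluster project): it writes a swarm.key in the format go-ipfs expects, writes CLUSTER_SECRET to a .env file that docker-compose reads for ${CLUSTER_SECRET}, and flags compose port mappings that publish the ipfs API, the cluster REST API or the proxy without a 127.0.0.1 host binding. The script name gen-secrets.sh and the checked ports 5001/9094/9095 are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): generate the two
# secrets the answer relies on, in the formats go-ipfs and ipfs-cluster expect,
# and flag compose port mappings that bind an API to every host interface.
# Assumptions: POSIX sh with od, tr, sed and grep; run from the compose directory.

# 32 random bytes as 64 lowercase hex characters (same recipe as the answer).
gen_hex32() {
    od -vN 32 -An -tx1 /dev/urandom | tr -d ' \n'
}

# go-ipfs private-network key file: protocol header, encoding line, hex key.
write_swarm_key() {
    printf '/key/swarm/psk/1.0.0/\n/base16/\n%s\n' "$(gen_hex32)" > "$1"
    chmod 600 "$1"   # every ipfs container mounts this same file
}

# Sanity check a swarm.key: exactly 3 lines, fixed header, 64 hex chars.
swarm_key_valid() {
    [ "$(grep -c '' "$1")" -eq 3 ] || return 1
    [ "$(sed -n 1p "$1")" = "/key/swarm/psk/1.0.0/" ] || return 1
    [ "$(sed -n 2p "$1")" = "/base16/" ] || return 1
    sed -n 3p "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# CLUSTER_SECRET in a .env file; docker-compose substitutes it into ${CLUSTER_SECRET}.
write_cluster_env() {
    printf 'CLUSTER_SECRET=%s\n' "$(gen_hex32)" > "$1"
    chmod 600 "$1"
}

# Return 0 (and print the lines) if a compose file publishes the ipfs API (5001),
# cluster REST API (9094) or proxy (9095) without a 127.0.0.1 host binding.
find_exposed_api() {
    grep -nE '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?(5001|9094|9095):' "$1"
}

if [ "${1:-}" = "--write" ]; then   # usage: sh gen-secrets.sh --write
    write_swarm_key ./swarm.key && swarm_key_valid ./swarm.key
    write_cluster_env ./.env
    if find_exposed_api docker-compose.yml; then
        echo "WARNING: an API port above is published on all interfaces" >&2
    fi
fi
```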