fix: add text for port security #274
Conversation
docs/run/nodes/nodes.md
Outdated
| !!! warning "" | ||
|
|
||
| Healthchecks can be run against the `HEALTHCHECK_PORT` (port `8011` by default) when `HEALTHCHECK_ENABLED` is `true`. | ||
|
|
||
| Additionally, when running IPFS the IPFS API port must be accessible by the Ceramic node. The default API port is `5001`. The IPFS node address will then be passed to Ceramic with the `ipfs.host` option in the Ceramic daemon config file. | ||
|
|
||
| !!! warning "" | ||
|
|
||
| Access to the IPFS API port _must_ be restricted to the Ceramic node in order to prevent malicious API calls. |
There was a problem hiding this comment.
| Access to the IPFS API port _must_ be restricted to the Ceramic node in order to prevent malicious API calls. | |
| Access to the IPFS API port _should_ be restricted to the Ceramic node in order to prevent malicious API calls. |
?
It kind of depends on how the person plans to use their IPFS instance. but maybe the suggestion should be more along the lines of, "you don't want to expose this to the open internet. we recommend a firewall to only allow access by your ceramic instance"
There was a problem hiding this comment.
That's fair lol. Updated.
There was a problem hiding this comment.
From the kubo docs 🤷🏼
| @@ -266,12 +266,20 @@ The Ceramic daemon serves an HTTP API that clients use to interact with your Cer | |||
|
|
|||
| Ceramic nodes rely on IPFS for networking. IPFS nodes connect to each other using a Libp2p module called "switch" (aka "swarm"). This module operates over a websocket, on port `4011` by default. The websocket port must be accessible to the internet so your Ceramic node can be connected to the network. | |||
|
|
|||
| !!! warning "" | |||
|
|
|||
| IPFS nodes connect to other nodes over the p2p network, and incoming connections to a node running on a local machine might get flagged as suspicious by a router or anti-virus software. Make sure to vet all such reports and verify on a case-by-case basis whether they are false positives and can be safely ignored. | |||
There was a problem hiding this comment.
How would one go about this vetting?
There was a problem hiding this comment.
I'd look at the source IP address and port being accessed. My anti-virus tells me which ports are being accessed and from where. Are there any clarifications we can/should add here? We also shouldn't be too descriptive because reports might vary from machine to machine or software.
zachferland
force-pushed
the
main
branch
8 times, most recently
from
3ef43e4
to
48090da
Compare
Based on this forum discussion.