server gave HTTP response to HTTPS client #279

Closed
jbenet opened this issue Jan 3, 2018 · 6 comments

@jbenet
Contributor

jbenet commented Jan 3, 2018

Trying to use basic auth w/ https

my cluster node's config has:

  "api": {
    "restapi": {
      ...
      "basic_auth_credentials": {
        "theuser": "thepass"
      }
    }
  },

ipfs-cluster-ctl fails

> ipfs-cluster-ctl --host /ip4/1.2.3.4/tcp/9094 --basic-auth "theuser:thepass" id
An error occurred:
  Code: 0
  Message: Get https://1.2.3.4:9094/id: http: server gave HTTP response to HTTPS client

Guessing I have to enable "https" on ipfs-cluster-service somehow, but not sure how. Config opt?


ipfs-cluster-ctl --force-http works

> ipfs-cluster-ctl --host /ip4/1.2.3.4/tcp/9094 --basic-auth "theuser:thepass" --force-http id
Qmb....
  > Addresses:
     ....

curl w/ http basic auth works:

> curl --basic --user theuser:thepass http://1.2.3.4:9094/id
{"id": ... }

curl w/ https basic auth fails:

> curl --basic --user theuser:thepass https://1.2.3.4:9094/id
curl: (35) Unknown SSL protocol error in connection to 1.2.3.4:-9847
@hsanjuan
Collaborator

hsanjuan commented Jan 3, 2018

@jbenet https://github.com/ipfs/ipfs-cluster/blob/master/docs/ipfs-cluster-guide.md#the-configuration-file

ssl_cert_file and ssl_key_file need to be specified in the config.
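
Added example, not part of the thread and not ipfs-cluster code: the error in the report appears when a plaintext HTTP listener answers the client's TLS ClientHello with an HTTP response. The Go sketch below probes an endpoint so that a client can withhold Basic Auth credentials unless the TLS handshake verifies; the function name `classify` and its return labels are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// classify attempts a TLS handshake with addr ("host:port"), verifying the
// server certificate against cfg, and reports what is listening there.
// The function name and the returned labels are assumptions of this example.
func classify(addr string, cfg *tls.Config) string {
	d := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return "tls-verified" // channel is encrypted and the certificate checked out
	}
	// A Go net/http server on plain HTTP answers the ClientHello with
	// "HTTP/1.1 400 ...". crypto/tls keeps those first five bytes in
	// RecordHeaderError; net/http reports this case as
	// "server gave HTTP response to HTTPS client".
	var rhe tls.RecordHeaderError
	if errors.As(err, &rhe) && string(rhe.RecordHeader[:]) == "HTTP/" {
		return "plaintext-http" // Basic Auth sent here travels in cleartext
	}
	// TLS is spoken, but the chain is not trusted, e.g. a self-signed
	// certificate that was never added to cfg.RootCAs.
	var ua x509.UnknownAuthorityError
	if errors.As(err, &ua) {
		return "tls-untrusted"
	}
	return "error: " + err.Error()
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: probe host:port")
		os.Exit(2)
	}
	// No RootCAs set: verification uses the system root store.
	fmt.Println(classify(os.Args[1], &tls.Config{MinVersion: tls.VersionTLS12}))
}
```

A self-signed certificate moves an endpoint from `tls-untrusted` to `tls-verified` only once it is loaded into the `RootCAs` pool passed to `classify`.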

@jbenet
Contributor Author

jbenet commented Jan 3, 2018

  • Ah-- bummer. can it not generate some? (self-signed certs are better than reg http)
  • Also: consider using libp2p as a transport for the api (can pipe http over libp2p worst case)

@hsanjuan
Collaborator

hsanjuan commented Jan 4, 2018

> Ah-- bummer. can it not generate some? (self-signed certs are better than reg http)

I am very split on implementing such a thing. On one side, it might be a useful thing to provide and/or a default thing to have (but it would need --no-check-certificate for it to work, which is ugly). On the other, there are like 30 mega-documented ways of producing x509 certificates (can be as simple as openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt), so adding and maintaining another one might be overkill.

> Also: consider using libp2p as a transport for the api (can pipe http over libp2p worst case)

This might be a better approach (can take advantage of https://github.com/hsanjuan/go-libp2p-http): offering the user the choice of whether to expose a libp2p endpoint and thus getting an encrypted channel for free.

@jbenet
Contributor Author

jbenet commented Jan 5, 2018

yeah, +1 for libp2p.

@hsanjuan
Collaborator

hsanjuan commented Jun 1, 2018

We have exposed the HTTP API through libp2p for a while now. Closing this. #349

hsanjuan closed this as completed Jun 1, 2018

@erangaeb

erangaeb commented Jun 30, 2022

Wrote a post about enabling IPFS Cluster Basic Authentication in a Docker-based environment.
