feat: wildcard support for public gateways #7319
Conversation
|
Note that this also support more complex things like It's also possible to abuse it with something like I'll add more test for the first kind. |
There was a problem hiding this comment.
Thank you @MichaelMure
Is my understanding correct, that the purpose of this PR is to support a single gateway that handles: {cid}.ipfs.example.com AND {cid}.ipfs.user1.example.com AND {cid}.ipfs.app1.user1.example.com – all using the same root domain name?
Quick feedback from my end:
foo.bar-*-*-foo.domain.tldis a bit of controversial idea- I believe left side of URL should be open-ended for content identifier, maintaining the authority hierarchy (used for Origin calculation) from right to left
- This is not just for "purity" reasons
- local gateway supports DNSLink identifiers:
http://en.wikipedia-on-ipfs.org.ipns.localhost:8080/wiki/ - we may have to start splitting longer CIDs at 63th character due to Subdomain support for CIDs longer than 63 #7318
- perhaps this is something you'd like to tackle as part of this PR? or at least be aware its something we need to support in the future (touches the same codepaths)
- for example (sha2-512):
bafkrgqe3ohjcjplc6n4f3fwunlj6upltggn7xqujbsvnvyw764srszz4u4rshq6ztos4chl4plgg4ffyyxnayrtdi5oc4xb2332g645433aeg→https://bafkrgqe3ohjcjplc6n4f3fwunlj6upltggn7xqujbsvnvyw.764srszz4u4rshq6ztos4chl4plgg4ffyyxnayrtdi5oc4xb2332g645433aeg.ipfs.example.com
- local gateway supports DNSLink identifiers:
- nit: if we know that remainder on the left side is always a content identifier, are we able to simplify this PR? perhaps do the detection without regex?
- When you add tests make sure we have ones that that document behavior when multiple rules are added for with the same root domain:
example.com,*.example.com,*.*.example.com
The goal for Infura is:
It was complex on purpose just to show that wildcard within a subdomain label is possible. That said we do use internally subdomains like
Agree on that, not sure where I'm going against it.
Err, for now I'm just trying to have things working :). I'm aware and things should be compatible once that land.
Possibly but I tried to follow the original logic of this piece of code with a very minimal change. Regexes are compiled once when launching go-ipfs. A quick benchmark gives me 265ns and 0 allocation to check a match so performance should not be a problem. Also, exact matches are checked first so they should not even be used unless actually necessary. I suppose it would be possible to rewrite it without regex, but doing it that way give a nice expressiveness to the gateway operators at a very small cost.
Ha yes, I can do that once you agree on the logic. |
That comment was aimed at the example of
Right now, If rules for I think there are two acceptable ways to resolve this (I am ok with either):
Do you need gateway overlap support? If not, B may be less work. @MichaelMure I think its ok for you to continue working on this PR – wildcard support is something we do want to have, and proposed logic seems sound (just need to decide between A and B). Just FYSA we will want to land fix for #7318 first, and then rebase this PR on top of that. I'd know more details on Thursday/Friday after check in with @Stebalien and others. |
|
Ha, I'm not trying to have the CID being a wildcard. Wildcards in this PR are only for the part right of I'll have a look at |
|
FYI, the main usecase for this PR (to pass a user ID in the host) pretty much disappeared when I found out that TLS certificate wildcards are only possible for a single left-most wildcard. It is still useful IMHO but not critical anymore. |
^ disregard that, it's still useful for us, although the plan is getting more complex by the hour. |
There was a problem hiding this comment.
@MichaelMure quick heads up: we want to merge #7358 first, to add generic suport for long CIDs.
This PR will have to be rebased on top of that to ensure it passes newly added splitting tests.
|
In dc5e7c5 I made sure that the correct GW spec is returned for each matches. To do so, they are now passed around with a pointer instead of by value. |
There was a problem hiding this comment.
@MichaelMure I agree, this is no longer blocked by splitting logic.
AFAIK things missing from this PR:
- add basic wildcard sharness tests at the end of
test/sharness/t0114-gateway-subdomains.sh- set config that defines subdomain gateways at
*.example.netand*.*.example.com - request
$CIDv1.ipfs.foo.example.netand$CIDv1.ipfs.foo.bar.example.comand confirm the payload is$CID_VAL - request
example.net/ipfs/$CIDv1andexample.com/ipfs/$CIDv1and confirm response includesLocationheader with redirect to correct subdomain - (reuse helper funcrions from existing tests – ping me if something is unclear)
- set config that defines subdomain gateways at
- add a wildcard example as a new recipe in https://github.com/ipfs/go-ipfs/blob/master/docs/config.md#gateway-recipes
MichaelMure
force-pushed
the
wildcard-gateways
branch
from
dc5e7c5
to
362caad
Compare
|
@lidel I rebased on master and added some sharness tests Last step should be the documentation. |
MichaelMure
force-pushed
the
wildcard-gateways
branch
from
362caad
to
f4a3878
Compare
|
Now with documentation. |
MichaelMure
force-pushed
the
wildcard-gateways
branch
from
f4a3878
to
f2beb61
Compare
|
@lidel I noticed that I somehow overwrote my own PR, which removed the sharness tests and other improvements. It's fixed now and rebased on master. However, your latest changes are now failing (see https://app.circleci.com/pipelines/github/ipfs/go-ipfs/3177/workflows/9473c54a-5884-4fec-9b02-6f4da71f72ad/jobs/36945/tests). Any idea why ? |
|
I can confirm, I don't have bandwidth to dig deeper into this, but suspect recent changes related to ED25519 support are the cause (see #7251 (comment)), let's wait for that set of changes to settle in. |
* add support for choosing a peer key type (e.g. RSA or Ed25519) when initializing the repo * test all variants of ipfs init: RSA, Ed25519 and default * update subdomain gateway sharness test to publish IPNS using RSA and Ed25519 keys * use default identity bit lengths defined in config repo instead of having separate defaults in go-ipfs * update config repo dependency Co-authored-by: Will Scott <will@cypherpunk.email> Co-authored-by: Petar Maymounkov <petarm@gmail.com>
|
Any chance to have this merged for go-ipfs 0.7 ? |
|
@MichaelMure I believe the problem was fixed in Do you mind rebasing to see if sharness problems go away? |
Add support for one or more wildcards in the hostname definition of a public gateway. This is useful for example to support easily multiples environment. Wildcarded hostname are set in the config as for example "*.domain.tld".
MichaelMure
force-pushed
the
wildcard-gateways
branch
from
f2beb61
to
13e6bcf
Compare
|
@lidel it didn't work :( Any other idea? |
|
I'm blocking some time today to take a closer look. |
This ensures implicit defaults are always present, even when Gateway.PublicGateways is defined in the config. User still can disable them, but needs to do it per hostname. License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
There was a problem hiding this comment.
LGTM, sharness is green.
@MichaelMure FYSA I fixed tests and adjusted the logic in 2ff6f1a (details inline)
@aschmahmann this is ready for your review.
core/corehttp/hostname.go
Outdated
| if len(publicGateways) == 0 { | ||
| hosts.exact = make( | ||
| map[string]*config.GatewaySpec, | ||
| len(defaultKnownGateways), | ||
| ) | ||
| for hostname, gw := range defaultKnownGateways { | ||
| hosts.exact[hostname] = gw | ||
| } | ||
| return hosts | ||
| } |
There was a problem hiding this comment.
@MichaelMure FYI this is why sharness tests were failing: you were applying implicit defaults only when Gateway.PublicGateways was empty. This meant subdomain gateway at localhost was missing when you had any public gateway defined. I fixed it in 2ff6f1a and added explicit test to guard against regressions.
lidel
added
need/maintainers-input
|
Thanks :) |
|
@MichaelMure thanks for the PR. @lidel thanks for getting the tests working here and for the ping, I'll try and take a look this this week. |
|
@aschmahmann friendly ping :) |
|
@MichaelMure thanks for the ping. I'm a little low bandwidth this week, but I'd like to get this in for the 0.7 RC. Will take a look. |
There was a problem hiding this comment.
LGTM, just a few nits and questions for you two @MichaelMure and @lidel.
Thanks for moving this along and the ping. We should be able to get this merged in later today.
core/corehttp/hostname_test.go
Outdated
| gwLocalhost := &config.GatewaySpec{} | ||
| gwDweb := &config.GatewaySpec{} | ||
| gwLong := &config.GatewaySpec{} | ||
| gwWildcard1 := &config.GatewaySpec{} | ||
| gwWildcard2 := &config.GatewaySpec{} |
There was a problem hiding this comment.
Is the fact that we no longer need UseSubdomains : true just something that happens to be true now?
It seems to me like knownSubdomainDetails would reasonably not return gateways that did not have UseSubdomains : true, but perhaps I've misunderstood.
We don't necessarily need to change the test here, I'm just asking to understand what's going on and if we should be adding checks to knownSubdomainDetails
There was a problem hiding this comment.
I'll leave @lidel answer that one. If I made a change like that it was not on purpose.
There was a problem hiding this comment.
knownSubdomainDetails does not check UseSubdomains flag because we perform that check later in:
Without this, knownSubdomainDetails request would fallback to the generic, host-agnostic gateway at 127.0.0.1:8080/ipfs/* and we dont want that to happen on something that looks like a subdomain gateway, but is not one, as illustrated in:
https://github.com/MichaelMure/go-ipfs/blob/2ff6f1a80d6a070465e8c157a750ecf17687642b/test/sharness/t0114-gateway-subdomains.sh#L646-L652
I've updated tests to be explicit and comments in 6b6569f (#7319)
I am open to renaming knownSubdomainDetails to something else if it is still confusing.
| hosts.wildcard = append(hosts.wildcard, wildcardHost{re: re, spec: gw}) | ||
| } else { | ||
| hosts.exact[hostname] = gw |
There was a problem hiding this comment.
Any particular reason why we're using pointers to GatewaySpec now?
Are we concerned at all about the caller doing something silly like modifying the struct after it's been passed in here?
There was a problem hiding this comment.
IIRC it was just so that knownSubdomainDetails could be tested as returning the correct gateway config.
https://github.com/ipfs/go-ipfs/pull/7319/files#diff-a2ecbeeb066383b7a375fc1f924cb53dR189
ipfs#7319 (comment) License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
|
🎉 thanks for the help :) |
ipfs/kubo#7319 (comment) License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org> This commit was moved from ipfs/kubo@6b6569f
This is a preview for feedback. Some things are obviously missing, like the documentation.
Add support for one or more wildcards in the hostname definition
of a public gateway. This is useful for example to support easily
multiples environment.
Wildcarded hostnames are set in the config as for example
*.domain.tldor even*.*.domain.tldThis PR address #7317 as well
cc @lidel @Stebalien