This repository has been archived by the owner on Nov 22, 2023. It is now read-only.

Generate SSL certificates for Myel providers #154

Closed
gallexis opened this issue Jul 19, 2021 · 6 comments · Fixed by #161
@gallexis
Contributor

gallexis commented Jul 19, 2021

How could Myel providers who run a Pop on their home devices easily generate an SSL certificate so clients can retrieve over WSS?

Benefits:
Each swarm could use its own SSL certificates to ensure:

  1. A possible communication of peers using web browsers with the Providers
  2. A safe communication channel

Problem:

  1. Deal with ACME DNS challenge
  2. Might be too SPOF

Hints:

@gallexis gallexis self-assigned this Jul 19, 2021
@gallexis
Contributor Author

gallexis commented Jul 19, 2021

I don't think we have to deal with the whole Caddy HTTP server.
Since we are using our own Go mux based HTTP server, this link seems more interesting for our case:

@gallexis
Contributor Author

gallexis commented Jul 20, 2021

I've spawned my own VPS and used a domain name I own on Cloudflare, and with the basic code below I've been able to run an HTTP server with an SSL certificate, managed by certmagic, which handles the ACME challenge by itself:
---> demo

package main

import (
	"fmt"
	"net/http"

	"github.com/caddyserver/certmagic"
	"github.com/libdns/cloudflare"
)

func main() {
	// Solve the ACME DNS-01 challenge through the Cloudflare API: this is what
	// allows the wildcard name to be issued without exposing port 80 for HTTP-01.
	certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{
		DNSProvider: &cloudflare.Provider{
			// Placeholder token; in a real deployment read it from the
			// environment or a secret store rather than committing it.
			APIToken: "MY_CLOUDFLARE_API_KEY",
		},
	}

	handler := http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
		fmt.Fprintf(writer, "HELLO WORLD :D")
	})

	// certmagic obtains and renews the certificates for these names and serves
	// the handler over HTTPS; it only returns on error, hence the panic.
	panic(certmagic.HTTPS([]string{"curt.ly", "*.curt.ly"}, handler))
}

@gallexis
Contributor Author

gallexis commented Jul 20, 2021

I managed to make a proxy that redirects wss://curt.ly to the localhost ws listener of ipfs: "/ip4/0.0.0.0/tcp/41505/ws".
It means that nodes from the browser will have to dial wss://curt.ly to reach the actual ipfs node, doing something like:

h.NewStream(ctx, p, 
		... ,
		"/dns4/curt.ly/tcp/443/wss/p2p/12D3KooWL6iAkTwQzTDQ6vjC7pPXAMKAL1MTpVURTugc6Vip44WG",  //. <-- something like that
	),
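The forwarding step described in this comment (public TLS listener in front of the node's plaintext ws listener) can be done with the standard library alone, since httputil.ReverseProxy relays the 101 Switching Protocols handshake and then copies bytes in both directions. The following is an added example, not the author's proxy code: the backend address 127.0.0.1:41505 is taken from the multiaddr above, while the cert/key file names, the function names and the assumption that the transport dials path "/" are mine. In the certmagic setup from the previous comment the certificate would be managed automatically instead of read from files.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// newWSProxy builds a reverse proxy that forwards every request arriving on
// the public TLS listener to the local node's plaintext WebSocket listener,
// e.g. "http://127.0.0.1:41505" for "/ip4/0.0.0.0/tcp/41505/ws" (assumed).
// httputil.ReverseProxy handles the WebSocket upgrade itself, so no
// WebSocket library is needed on the proxy side.
func newWSProxy(backend string) (*httputil.ReverseProxy, error) {
	target, err := url.Parse(backend)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	defaultDirector := proxy.Director
	proxy.Director = func(r *http.Request) {
		defaultDirector(r)
		// Present the backend's own host to the local listener instead of
		// the public name (curt.ly) the browser dialled.
		r.Host = target.Host
	}
	return proxy, nil
}

// restrictPath only lets the websocket endpoint through, so the public
// listener does not become a generic tunnel into whatever else the node
// serves on that port. The allowed path is an assumption.
func restrictPath(allowed string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != allowed {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	proxy, err := newWSProxy("http://127.0.0.1:41505")
	if err != nil {
		log.Fatal(err)
	}
	// cert.pem / key.pem are placeholders for the certificate issued for
	// the public name; with certmagic they would be obtained via ACME.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", restrictPath("/", proxy)))
}
```

Run it on the VPS and point the browser node at /dns4/curt.ly/tcp/443/wss/...; the node itself keeps listening only on the loopback ws address, so the TLS termination and the path filter are the only things exposed.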

@gallexis
Contributor Author

gallexis commented Jul 21, 2021

  • Good news: when running basic code in JS, it can connect to my VPS Pop node on the websocket address:

/dns4/curt.ly/tcp/443/wss/p2p/12D3KooWL6iAkTwQzTDQ6vjC7pPXAMKAL1MTpVURTugc6Vip44WG

const Libp2p = require('libp2p')
const WebSockets = require('libp2p-websockets')
const {NOISE} = require('libp2p-noise')
const MPLEX = require('libp2p-mplex')

// CommonJS has no top-level await, so the demo runs inside an async function
async function main() {
    const node = await Libp2p.create({
        modules: {
            transport: [WebSockets],
            connEncryption: [NOISE],
            streamMuxer: [MPLEX]
        },
        addresses: {
            listen: [
                '/ip4/127.0.0.1/tcp/8100/ws',
            ]
        },
    })

    // start libp2p
    await node.start()

    const advertiseAddrs = node.multiaddrs
    console.log('libp2p is advertising the following addresses: ', advertiseAddrs, node.peerId.toB58String())

    // ping the Pop node through its public WSS address (TLS certificate issued for curt.ly)
    await node.ping("/dns4/curt.ly/tcp/443/wss/p2p/12D3KooWL6iAkTwQzTDQ6vjC7pPXAMKAL1MTpVURTugc6Vip44WG")
}

main().catch(console.error)
  • Bad news: I've an error when adding this bootstrap address on pop:
    failed to connect to peer error="failed to dial 12D3KooWL6iAkTwQzTDQ6vjC7pPXAMKAL1MTpVURTugc6Vip44WG: no good addresses" peerId=12D3KooWL6iAkTwQzTDQ6vjC7pPXAMKAL1MTpVURTugc6Vip44WG

@gallexis
Contributor Author

gallexis commented Jul 22, 2021

This might be the solution:

Add encryption and multiplexing capabilities to libp2p transport connections

https://github.com/libp2p/go-ws-transport#security-and-multiplexing
https://github.com/libp2p/go-libp2p-transport-upgrader

@gallexis
Contributor Author

  1. A new provider P1 wants to be part of the Myel network
  2. Because we want to talk to browsers, we need a way for them to reach pop nodes
  3. We use websockets for that, but only WebSocket Secure (WSS) connections are possible within the browser
  4. It means pop nodes will need a domain name with a valid SSL certificate
  5. Because it's too annoying for many of our providers to deal with that, we (Myel) will act as a facilitator in this process by providing a domain name, i.e. myel.app
  6. The provider will then only have to send us the IP (public & static) of their node and a subdomain
  7. Thanks to our domain provider's API, we will automatically create a DNS A record that will point the subdomain "p1" to the IP of their node
  8. Once done and their node started, they will be able to listen for websocket connections on wss://p1.myel.app

Only the facilitators will need to connect to their domain provider with an API to set a special TXT record in the domain’s zone, proving to the Certificate Authority the ownership of the domain name (see: https://letsencrypt.org/fr/docs/challenge-types/#d%C3%A9fi-dns-01).
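Steps 6 and 7 are where the facilitator's DNS API credentials act on provider-supplied input, so the check worth having before any record is created is one that validates the subdomain label and the IP. The following is an added example, not code from the Myel repository: the zone name myel.app and the "p1" sample come from the comment above; the function and type names, the reserved-label list and the record struct are assumptions. It rejects multi-label input (which would let a provider place records deeper in the zone, including names the ACME DNS-01 flow relies on), reserved labels, and any address that is not a public IPv4 address.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// ARecord is the shape handed to the DNS provider's API (assumed; each
// provider library has its own record type).
type ARecord struct {
	Name  string // e.g. "p1.myel.app"
	Value string // e.g. "203.0.113.10"
}

// One DNS label: lowercase letters, digits and inner hyphens, at most 63
// characters. No dots and no leading underscore, so "_acme-challenge" and
// "a.b" are refused.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// Labels the facilitator keeps for its own infrastructure (assumed list).
var reservedLabels = map[string]bool{
	"www": true, "api": true, "mail": true, "ns1": true, "ns2": true,
}

// BuildARecord validates a provider registration and returns the A record to
// create under zone, or an error describing why the request is refused.
func BuildARecord(zone, subdomain, ip string) (ARecord, error) {
	label := strings.ToLower(strings.TrimSpace(subdomain))
	if !labelRe.MatchString(label) {
		return ARecord{}, fmt.Errorf("invalid subdomain label %q", subdomain)
	}
	if reservedLabels[label] {
		return ARecord{}, fmt.Errorf("subdomain %q is reserved", label)
	}
	addr := net.ParseIP(strings.TrimSpace(ip))
	if addr == nil || addr.To4() == nil {
		return ARecord{}, errors.New("an A record needs an IPv4 address")
	}
	// Refuse loopback, link-local, multicast, unspecified and RFC 1918 space:
	// a browser could never reach such a record, and it would point a name
	// under the trusted zone at internal infrastructure.
	if !addr.IsGlobalUnicast() || addr.IsPrivate() {
		return ArecordRefused(addr)
	}
	return ARecord{Name: label + "." + zone, Value: addr.String()}, nil
}

// ArecordRefused wraps the "not public" error so the caller can log it.
func ArecordRefused(addr net.IP) (ARecord, error) {
	return ARecord{}, fmt.Errorf("%s is not a public address", addr)
}

func main() {
	// Constructed sample input: 203.0.113.10 is documentation address space.
	rec, err := BuildARecord("myel.app", "p1", "203.0.113.10")
	fmt.Println(rec, err)
	_, err = BuildARecord("myel.app", "p1", "10.0.0.5")
	fmt.Println(err)
}
```

Only after this returns without error would the facilitator call the provider's API; the DNS-01 TXT record for the certificate stays entirely under the facilitator's control, which matches the point made above that providers never need their own DNS credentials.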
