This code is still a prototype!
- not properly tested or audited
- origin_filter does not make sense for direct requests: a direct request never carries a Referer or Origin header, so there is no hostname to match
- IPNS resolution is slower when dnslink is used
- Linux OS (tested on Arch)
- Nginx with Lua Support (tested with OpenResty)
- IPFS (tested with Kubo)
- bash, jq, rsync, cron, curl, grep, sed
This ACL implements several policies. Each policy can be enabled or disabled independently. If a request violates any enabled policy, the request is rejected with HTTP status 403. The following policies are available (in checking order):
- pinset_filter
  - filters requests by whether the requested CID is pinned on the host
  - optional=false: the requested CID must be pinned, otherwise 403 is returned; can be combined with overwrites.
  - optional=true: the requested CID does not have to be pinned, but a pinned CID can overwrite other policies; this setting therefore only makes sense in combination with at least one overwrite.
  - overwrite: names the other policies to overwrite, so that if the pinset contains the requested CID the overwritten policy is not evaluated.
- origin_filter:
  - allowed hostnames per request type (given as Lua pattern expressions)
  - direct: user-originated request with no origin (e.g. entering the address in the address bar)
  - same_origin: same-origin request (e.g. navigating within the web page)
  - user_initiated_top_level: user-initiated top-level cross-site request (e.g. clicking a link on an external page)
  - cross_site: any other cross-site request
- cid_blocklist:
  - list of CIDs to be blocked (generated by scripts/update-cid-blocklist.sh)
  - local / remote / both: load the blocklist from a local file (generated by scripts/block-cid.sh), from badbits (the IPFS denylist) or from both.
Follow these steps to install IPFS Gateway ACL on an Arch Linux node.
yay -S openresty
git clone https://github.com/chixodo-xyz/ipfs-gatewayacl-git.git
cd ipfs-gatewayacl-git
makepkg -si
sudo nano /opt/openresty/nginx/conf/nginx.conf
sudo ipfs-gatewayacl config init
sudo ipfs-gatewayacl config edit
sudo systemctl restart openresty
Follow these steps to add IPFS Gateway ACL to an existing gateway.
- Prerequisites
Make sure your nginx has support for Lua filters. The easiest option (on Arch Linux) is to use OpenResty as the proxy (see Development Environment). Alternatively you can use the Lua module for nginx, for example on Debian-based distros:
sudo apt install nginx libnginx-mod-http-lua
echo "load_module modules/ngx_http_lua_module.so;" | sudo tee /etc/nginx/modules-enabled/50-mod-http-lua.conf
sudo systemctl restart nginx
- Clone the repo to /usr/share/IPFS-Gateway-ACL (git clone names the directory after the repository, so pass the target directory explicitly)
cd /usr/share
sudo git clone https://github.com/chixodo-xyz/ipfs-gateway-acl.git IPFS-Gateway-ACL
cd IPFS-Gateway-ACL
- Install Lua dependencies
sudo cp helpers/lib/*.lua /opt/openresty/site/lualib/
# Alternative for nginx with lua-module:
# sudo mkdir -p /usr/share/lua/5.1/
# sudo cp helpers/lib/*.lua /usr/share/lua/5.1/
- Include nginx.conf in the nginx virtual host (server section); the path must match the clone directory above, as the filesystem is case-sensitive
sudo nano /opt/openresty/nginx/conf/nginx.conf
# add to every server section:
include /usr/share/IPFS-Gateway-ACL/nginx.conf;
# Alternative for nginx with lua-module:
# sudo nano /etc/nginx/sites-available/[ipfs-host-config].conf
# add to every server section:
# include /usr/share/IPFS-Gateway-ACL/nginx.conf;
- Generate the denylist (from badbits by dwebops)
bash scripts/update-denylist.sh
# for testing, deny one CID and regenerate:
bash scripts/deny-cid.sh QmcniBv7UQ4gGPQQW2BwbD4ZZHzN3o3tPuNLZCbBchd1zh
bash scripts/update-denylist.sh
Remember to remove the custom denylist after testing, otherwise the test CID stays blocked:
rm customdeny.txt ; bash scripts/update-denylist.sh
- Activate the change (check the configuration before restarting)
sudo nginx -t
sudo service nginx restart
- Set up a cron job to update the denylist (the path must be the clone directory from above)
crontab -e
ADD:>
*/20 * * * * cd /usr/share/IPFS-Gateway-ACL && bash scripts/update-denylist.sh
Use scripts/setup-dev.sh to set up a local development environment on Arch-based Linux.
Kubo is compiled manually so that Go plugins and the like can be installed if needed.
# normal dev environment
bash scripts/setup-dev.sh
# limited dev environment (connect only to chixodo nodes)
bash scripts/setup-dev.sh chixodo_only
- CID/Multicodec/Multihash implementation: https://github.com/filecoin-project/lua-filecoin
- SHA2 Implementation: https://github.com/Egor-Skriptunoff/pure_lua_SHA
- JSON Implementation: https://github.com/rxi/json.lua
- Tiny Logging Module: https://github.com/rxi/log.lua