-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(gw): DNSLink names on https:// subdomains #7847
Conversation
Problem statement and rationale for doing this can be found under "Option C" at: ipfs/in-web-browsers#169 TLDR is: `https://dweb.link/ipns/my.v-long.example.com` can be loaded from a subdomain gateway with a wildcard TLS cert if represented as a single DNS label: `https://my-v--long-example-com.ipns.dweb.link`
# DNSLink on Public gateway with a single-level wildcard TLS cert | ||
# "Option C" from https://github.com/ipfs/in-web-browsers/issues/169 | ||
test_expect_success \ | ||
"request for example.com/ipns/{fqdn} with X-Forwarded-Proto redirects to TLS-safe label in subdomain" " | ||
curl -H \"Host: example.com\" -H \"X-Forwarded-Proto: https\" -sD - \"http://127.0.0.1:$GWAY_PORT/ipns/en.wikipedia-on-ipfs.org/wiki\" > response && | ||
test_should_contain \"Location: https://en-wikipedia--on--ipfs-org.ipns.example.com/wiki\" response |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR in action:
- User opens
ipns://en.wikipedia-on-ipfs.org/wiki
- User agent (eg. web browser) resolves
ipns://
URI via public gateway athttps://example.com/ipns/en.wikipedia-on-ipfs.org/wiki
which returns HTTP 301 redirect tohttps://en-wikipedia--on--ipfs-org.ipns.example.com/wiki
ifX-Forwarded-Proto: https
is present.
test_expect_success \ | ||
"request for {single-label-dnslink}.ipns.example.com with X-Forwarded-Proto returns expected payload" " | ||
curl -H \"Host: dnslink--subdomain--gw--test-example-org.ipns.example.com\" -H \"X-Forwarded-Proto: https\" -sD - \"http://127.0.0.1:$GWAY_PORT\" > response && | ||
test_should_contain \"$CID_VAL\" response |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
.. after redirect:
3. Inlined DNSLink name returns expected payload.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not familiar w/ the go code so needs a proper review from a go-ipfs person, but I didn't see any problems. couple of minor notes below.
As suggested in #7847 (comment)
This kinda enables to run their custom DNS resolver with custom tlds/names that are independent from the public DNS network.
Simplify DNSLink handling: ipfs/kubo#7847 will ship with go-ipfs 0.8.0 and is already supported at dweb.link
* docs: simplified DNSLink handling on subdomain gws Simplify DNSLink handling: ipfs/kubo#7847 will ship with go-ipfs 0.8.0 and is already supported at dweb.link * style: replace code block with table * docs: link to suborigin status * docs: clarify types of content handled by gateways * docs: simplify TLDR
As suggested in ipfs#7847 (comment)
As suggested in ipfs/kubo#7847 (comment) This commit was moved from ipfs/kubo@88dd257
TLDR
This PR enables users of public gateways to load DNSlink websites without TLS error described in ipfs/in-web-browsers#169.
It not only makes DNSLink websites more resilient, but makes it easier to resolve
ipns://
URIs in Opera Mobile and Brave (when a public gateway is selected as a resolution method).Details
dweb.link
to provide DNSLink hosting service over HTTPS with astandard single-level-wildcard TLS certificate.
X-Forwarded-Proto: https
is present (opt-in made by gateway operator), no additional configuration is needed.How DNSlink name inlining works
Below is a real life example of a DNSlink name inlined into a single DNS label that works with a wildcard TLS cert for
*.ipns.dweb.link
:/ipns/en.wikipedia-on-ipfs.org
→ipns://en.wikipedia-on-ipfs.org
→https://dweb.link/ipns/en.wikipedia-on-ipfs.org
https://en-wikipedia--on--ipfs-org.ipns.dweb.link
👈 a single DNS label, no TLS errorUse cases fixed by this PR
my.v-long.example.com
but the original HTTP server is down. The hostname has DNSLink set up.User should be able to load website not only from a local gateway, but any public one.
ipns://
URIs using public gateway (eg.dweb.link
).ipns://my.v-long.example.com
→https://dweb.link/ipns/my.v-long.example.com
→ (HTTP 301) →https://my-v--long-example-com.ipns.dweb.link