Missing support for RPC API over HTTPS #10539

Closed
3 tasks done
ze42 opened this issue Oct 7, 2024 · 7 comments · Fixed by #10659
Assignees
Labels
effort/hours Estimated to take one or several hours good first issue Good issue for new contributors help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws) P3 Low: Not priority right now

Comments

@ze42

ze42 commented Oct 7, 2024

Checklist

Installation method

ipfs-update or dist.ipfs.tech

Version

/ipfs version --all
Kubo version: 0.30.0
Repo version: 16
System version: amd64/linux
Golang version: go1.22.7

Config

(probably not relevant)

{"API":{"HTTPHeaders":{}},"Addresses":{"API":"/ip4/127.0.0.1/tcp/5001","Announce":[],"AppendAnnounce":[],"Gateway":"/ip4/127.0.0.1/tcp/8080","NoAnnounce":[],"Swarm":["/ip4/0.0.0.0/tcp/4001","/ip6/::/tcp/4001","/ip4/0.0.0.0/udp/4001/quic-v1","/ip4/0.0.0.0/udp/4001/quic-v1/webtransport","/ip6/::/udp/4001/quic-v1","/ip6/::/udp/4001/quic-v1/webtransport"]},"AutoNAT":{},"Bootstrap":["/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN","/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa","/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb","/dnsaddr/bootstrap.libp2p.io/p2p/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt","/ip4/104.131.131.82/tcp/4001/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ","/ip4/104.131.131.82/udp/4001/quic-v1/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ"],"DNS":{"Resolvers":{}},"Datastore":{"BloomFilterSize":0,"GCPeriod":"1h","HashOnRead":false,"Spec":{"mounts":[{"child":{"path":"blocks","shardFunc":"/repo/flatfs/shard/v1/next-to-last/2","sync":true,"type":"flatfs"},"mountpoint":"/blocks","prefix":"flatfs.datastore","type":"measure"},{"child":{"compression":"none","path":"datastore","type":"levelds"},"mountpoint":"/","prefix":"leveldb.datastore","type":"measure"}],"type":"mount"},"StorageGCWatermark":90,"StorageMax":"10GB"},"Discovery":{"MDNS":{"Enabled":true}},"Experimental":{"FilestoreEnabled":false,"Libp2pStreamMounting":false,"OptimisticProvide":false,"OptimisticProvideJobsPoolSize":0,"P2pHttpProxy":false,"StrategicProviding":false,"UrlstoreEnabled":false},"Gateway":{"DeserializedResponses":null,"DisableHTMLErrors":null,"ExposeRoutingAPI":null,"HTTPHeaders":{},"NoDNSLink":false,"NoFetch":false,"PublicGateways":null,"RootRedirect":""},"Identity":{"PeerID":"12D3KooWHmUkKz2ys3uQpNStsCwDP7DBpvPMMF4182KsBQ55xb1A"},"Internal":{},"Ipns":{"RecordLifetime":"","RepublishPeriod":"","ResolveCacheSize":128},"Migration":{"DownloadSources":[],"Keep":""},"Mounts":
{"FuseAllowOther":false,"IPFS":"/ipfs","IPNS":"/ipns"},"Peering":{"Peers":null},"Pinning":{"RemoteServices":{}},"Plugins":{"Plugins":null},"Provider":{"Strategy":""},"Pubsub":{"DisableSigning":false,"Router":""},"Reprovider":{},"Routing":{"Methods":null,"Routers":null},"Swarm":{"AddrFilters":null,"ConnMgr":{},"DisableBandwidthMetrics":false,"DisableNatPortMap":false,"RelayClient":{},"RelayService":{},"ResourceMgr":{},"Transports":{"Multiplexers":{},"Network":{},"Security":{}}}}

Description

When trying to connect to a distant API over https, it fails and tries to connect with http.

/ipfs --api /dns/myapihost.mydomain.com/tcp/443/https files stat /
2024-10-07T16:00:52.505+0200	ERROR	cmds/http	http/parse.go:212	could not guess encoding from content type "text/html"
Error: unknown error content type: text/html

When checking logs from the RP we have in place receiving the request, we see "scheme": "http".

When trying to access directly the same URL with curl and https, it works properly.

@ze42 ze42 added kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization labels Oct 7, 2024
@lidel
Member

lidel commented Oct 8, 2024

Thank you for reporting this bug.

Indeed, /https and /tls/http are not supported. The https:// hint is not forwarded to the go-ipfs-cmds client.

The host value in:

remoteVersion, err := getRemoteVersion(tracingWrappedExecutor{cmdhttp.NewClient(host, opts...)})

likely does not include protocol, just host, and http:// is added in:

https://github.com/ipfs/go-ipfs-cmds/blob/ae8443f905e4604e2a0c001ac20a7c8fe4dd7948/http/client.go#L87-L89

A potential quick fix is to make sure kubo/cmd/ipfs/kubo/start.go prepends https:// to host if apiAddr contains /https or /tls/http.

@ze42 would you have time to open PR with a fix?

@lidel lidel added the need/author-input Needs input from the original author label Oct 8, 2024
@lidel lidel changed the title API over HTTPs broken Missing support fr RPC API over HTTPS Oct 8, 2024
@lidel lidel added help wanted Seeking public contribution on this issue good first issue Good issue for new contributors effort/hours Estimated to take one or several hours and removed need/triage Needs initial labeling and prioritization need/author-input Needs input from the original author labels Oct 15, 2024
@Sairaviteja27

Sairaviteja27 commented Oct 22, 2024

@lidel I’m new to this repository, but I believe this fix requires a small change, and I would like to contribute to it. Can I take this?

@lidel
Member

lidel commented Oct 23, 2024

@Sairaviteja27 sure, submit PR once you have something ready for review 👍

@gammazero gammazero added the P3 Low: Not priority right now label Nov 25, 2024
@Sairaviteja27

Sairaviteja27 commented Dec 1, 2024

Hi,

Just wanted to share an update. I was occupied with some personal work and initially faced a few challenges due to the earlier version. However, I updated to the latest version (0.32.1) and tried to reproduce the issue, but I didn't encounter any errors.


Next, I will try downgrading my IPFS version to check if the issue persists and also investigate further by cloning the repository.

@Sairaviteja27

After some investigation, I found that if I prepend https:// when the apiAddr contains /https or /tls/http, the cmdhttp.NewClient method call prepends http:// again to the address. I tried changing the serverAddress, but it’s not possible because both the serverAddress and client are unexported. The only solution I can think of is adding a function like this in the go-ipfs-cmds library and using it as an option in start.go:

func ClientWithHTTPSServerAddress() ClientOpt {
    return func(c *client) {
        c.serverAddress = strings.Replace(c.serverAddress, "http://", "https://", 1)
    }
}

This would allow the client to send HTTPS requests, but additional changes may be needed for handling HTTPS responses. When I tried this, I encountered the error: http: server gave HTTP response to HTTPS client

@lidel @gammazero
Correct me if I’m mistaken or overlooked anything, and please advise on the next steps for resolving this issue.
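
The quick fix discussed in this thread, as an added example that is not code from Kubo or go-ipfs-cmds: derive the client's base URL from the `--api` multiaddr so that `/https` or `/tls/http` selects `https://`, and add a default scheme only when none is present, which avoids the double prefix described above. `apiBaseURL` and `withDefaultScheme` are hypothetical names, and the parser only understands the address components that appear on this page.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// apiBaseURL (hypothetical helper, not Kubo's code) maps an API multiaddr to a base URL, keeping the /https or /tls/http hint.
func apiBaseURL(maddr string) (string, error) {
	parts := strings.Split(strings.Trim(maddr, "/"), "/")
	host, port, scheme := "", "", "http" // no TLS component means cleartext
	for i := 0; i < len(parts); i++ {
		switch p := parts[i]; p {
		case "ip4", "ip6", "dns", "dns4", "dns6", "tcp":
			if i+1 >= len(parts) {
				return "", fmt.Errorf("%q: /%s needs a value", maddr, p)
			}
			i++
			if p == "tcp" {
				port = parts[i]
			} else {
				host = parts[i]
			}
		case "https", "tls":
			scheme = "https"
		case "http":
			// plain /http keeps the default; after /tls the scheme is already https
		default:
			return "", fmt.Errorf("%q: unsupported component /%s", maddr, p)
		}
	}
	if host == "" || port == "" {
		return "", fmt.Errorf("%q: host and tcp port are required", maddr)
	}
	return scheme + "://" + net.JoinHostPort(host, port), nil
}

// withDefaultScheme (hypothetical) adds http:// only when no scheme is present, so https:// is never prefixed again.
func withDefaultScheme(addr string) string {
	if strings.Contains(addr, "://") {
		return addr
	}
	return "http://" + addr
}

func main() {
	fmt.Println(apiBaseURL("/dns/myapihost.mydomain.com/tcp/443/https"))
}
```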

@hsanjuan hsanjuan changed the title Missing support fr RPC API over HTTPS Missing support for RPC API over HTTPS Jan 3, 2025
@hsanjuan
Contributor

hsanjuan commented Jan 3, 2025

> However, I updated to the latest version (0.32.1) and tried to reproduce the issue, but I didn't encounter any errors.

Sorry, but does it work or not in the latest version?

@Sairaviteja27

Sairaviteja27 commented Jan 3, 2025

> > However, I updated to the latest version (0.32.1) and tried to reproduce the issue, but I didn't encounter any errors.
>
> Sorry, but does it work or not in the latest version?

Hi, I initially connected with the latest version using 5001 and random ports such as 8182 without encountering any errors, but the RPC calls worked only over HTTP, not HTTPS.


The issue became apparent when I attempted to use standard ports (443, 80) on the remote node. Since these ports were already in use, I couldn’t run IPFS on these ports there.

After replicating the environment with a version downgrade, I observed the same behavior.

It seems the OP's concern was making RPC calls over HTTPS, which might require changes as mentioned in my previous comment.
#10539 (comment)

@lidel lidel self-assigned this Jan 10, 2025
lidel added a commit that referenced this issue Jan 10, 2025
@lidel lidel closed this as completed in 3b098b9 Jan 10, 2025
lidel added a commit that referenced this issue Jan 13, 2025
* fix(cli): support HTTPS in ipfs --api

Closes #10539

* chore: go-ipfs-cmds v0.14.1

https://github.com/ipfs/go-ipfs-cmds/releases/tag/v0.14.1

* docs: ipfs --api example

* test(cli): https rpc support

makes sure we don't have regression where HTTPS endpoint
starts getting cleartext requests

(cherry picked from commit 3b098b9)