-
Notifications
You must be signed in to change notification settings - Fork 7
IPFS gateway hardening #84
Comments
Thanks for this @ambertch. @DanielVF reminded me that we also need to add more redundancy to our IPFS gateway and have at least a second server that is constantly pinning our content. We're currently running a single gateway server and there's no guarantee that anyone else will ever pin our stuff without the appropriate incentive. @cuongdo can you own this? |
@joshfraser Yes, I'll take on adding IPFS gateway redundancy. @ambertch Thanks. I'll put in my comments later today. |
@ambertch These are good ideas. I don't currently have access to the IPFS gateway, but these are some other ideas in order of my priority for them:
Of the ideas @ambertch suggested, I believe that adding better logging and validating uploaded data are the short-term priorities. |
It sounds like besides application development, provisioning has to be done for the gateway server (configure logging, install agents for monitoring and alerting, writing the Nginx configs). One option for provisioning is a system like ansible (python), which can deploy changes to all servers as well as provision/configure servers identically. Tags and variables in ansible allow for variations in deploys, ex. if the shadow server is mostly the same as the gateways but has a different setting to make it a read replica of sorts |
The following issues track the above:
For the setup and configuration of the servers, OriginProtocol/origin-devops#10 |
In addition, profiling of upload and download times as well as optimization of those: OriginProtocol/origin-devops#9 |
Currently, the IPFS gateway (NGINX proxy) allows any content to be uploaded (with a 2MB max payload). If anything can be uploaded from anywhere, there are potential hazards, among them:
There are many ways to harden the gateway, for example:
The text was updated successfully, but these errors were encountered: