ipfs: create preload.ipfs.io gateways

License: MIT
Signed-off-by: Lars Gierth <[email protected]>

Author: Lars Gierth

ipfs/pages/build.sh

@@ -30,6 +30,11 @@ printf %s\\n "$(lookup pages_bootstrap_ssl_key)" > out/bootstrap.libp2p.io.key
 printf %s\\n "$(lookup pages_bootstrap_ssl_trustchain)" > out/bootstrap.libp2p.io.trustchain.crt
 printf %s\\n "$(lookup pages_bootstrap_ssl_dhparam)" > out/bootstrap.libp2p.io.dhparam.pem
 
+printf %s\\n "$(lookup pages_preload_ssl_cert)" > out/preload.ipfs.io.crt
+printf %s\\n "$(lookup pages_preload_ssl_key)" > out/preload.ipfs.io.key
+printf %s\\n "$(lookup pages_preload_ssl_trustchain)" > out/preload.ipfs.io.trustchain.crt
+printf %s\\n "$(lookup pages_preload_ssl_dhparam)" > out/preload.ipfs.io.dhparam.pem
+
 printf %s\\n "$(lookup pages_ipld_ssl_cert)" > out/ipld.io.crt
 printf %s\\n "$(lookup pages_ipld_ssl_key)" > out/ipld.io.key
 printf %s\\n "$(lookup pages_ipld_ssl_trustchain)" > out/ipld.io.trustchain.crt

ipfs/pages/install.sh

@@ -132,6 +132,26 @@ if [ ! -z "$(diff -Naur "$cert_dest/bootstrap.libp2p.io.dhparam.pem" "out/bootst
   reload=1
 fi
 
+if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.crt" "out/preload.ipfs.io.crt")" ]; then
+  echo "ipfs/pages *.preload.ipfs.io ssl cert changed"
+  reload=1
+fi
+
+if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.key" "out/preload.ipfs.io.key")" ]; then
+  echo "ipfs/pages *.preload.ipfs.io ssl key changed"
+  reload=1
+fi
+
+if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.trustchain.crt" "out/preload.ipfs.io.trustchain.crt")" ]; then
+  echo "ipfs/pages *.preload.ipfs.io ssl trustchain changed"
+  reload=1
+fi
+
+if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.dhparam.pem" "out/preload.ipfs.io.dhparam.pem")" ]; then
+  echo "ipfs/pages *.preload.ipfs.io ssl dhparam changed"
+  reload=1
+fi
+
 if [ ! -z "$(diff -Naur "$cert_dest/ipld.io.crt" "out/ipld.io.crt")" ]; then
   echo "ipfs/pages ipld.io ssl cert changed"
   reload=1
@@ -556,6 +576,10 @@ if [ "reload$reload" == "reload1" ]; then
   cp "out/bootstrap.libp2p.io.key" "$cert_dest/bootstrap.libp2p.io.key"
   cp "out/bootstrap.libp2p.io.trustchain.crt" "$cert_dest/bootstrap.libp2p.io.trustchain.crt"
   cp "out/bootstrap.libp2p.io.dhparam.pem" "$cert_dest/bootstrap.libp2p.io.dhparam.pem"
+  cp "out/preload.ipfs.io.crt" "$cert_dest/preload.ipfs.io.crt"
+  cp "out/preload.ipfs.io.key" "$cert_dest/preload.ipfs.io.key"
+  cp "out/preload.ipfs.io.trustchain.crt" "$cert_dest/preload.ipfs.io.trustchain.crt"
+  cp "out/preload.ipfs.io.dhparam.pem" "$cert_dest/preload.ipfs.io.dhparam.pem"
   cp "out/ipld.io.crt" "$cert_dest/ipld.io.crt"
   cp "out/ipld.io.key" "$cert_dest/ipld.io.key"
   cp "out/ipld.io.trustchain.crt" "$cert_dest/ipld.io.trustchain.crt"

ipfs/pages/nginx.conf.tpl

@@ -133,6 +133,52 @@ server {
     # 31536000 seconds = 12 months, as advised by hstspreload.org
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
+    location / {
+        proxy_set_header Host $(var pages_bootstrap_hostname).bootstrap.libp2p.io:443;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection \$http_connection;
+        proxy_set_header Sec-WebSocket-Key \$http_sec_websocket_key;
+        proxy_set_header Sec-WebSocket-Extensions \$http_sec_websocket_extensions;
+        proxy_set_header Sec-WebSocket-Version \$http_sec_websocket_version;
+        proxy_pass http://ws_bootstrap;
+        proxy_pass_header Server;
+        proxy_read_timeout 60s;
+    }
+}
+
+server {
+    server_name *.preload.ipfs.io;
+    access_log /var/log/nginx/access.log mtail;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate /etc/nginx/certs/preload.ipfs.io.crt;
+    ssl_certificate_key /etc/nginx/certs/preload.ipfs.io.key;
+    ssl_dhparam /etc/nginx/certs/preload.ipfs.io.dhparam.pem;
+    ssl_trusted_certificate /etc/nginx/certs/preload.ipfs.io.trustchain.crt;
+
+    # HSTS (ngx_http_headers_module is required)
+    # 31536000 seconds = 12 months, as advised by hstspreload.org
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    location /ipfs {
+        proxy_set_header Host \$host:443;
+        proxy_set_header X-Ipfs-Gateway-Prefix "";
+        proxy_pass http://gateway;
+    }
+
+    location /ipns {
+        proxy_set_header Host \$host:443;
+        proxy_set_header X-Ipfs-Gateway-Prefix "";
+        proxy_pass http://gateway;
+    }
+
+    location /api {
+        proxy_set_header Host \$host:443;
+        proxy_set_header X-Ipfs-Gateway-Prefix "";
+        proxy_pass http://gateway;
+    }
+
     location / {
         proxy_set_header Host \$host:80;
         proxy_set_header Upgrade \$http_upgrade;

secrets_secure

@@ -16,7 +16,7 @@
 # 2. Obtain lets-encrypt-x3-cross-signed.pem and isrgrootx1.pem
 #
 # 3. Fetch the certificate and key from the certs host:
-#   scp '[email protected]:/root/.caddy/acme/acme-v01.api.letsencrypt.org/sites/wikipedia-on-ipfs.org/*.{crt,key}' secrets/
+#   scp '[email protected]:/root/.caddy/acme/acme-v02.api.letsencrypt.org/sites/wikipedia-on-ipfs.org/*.{crt,key}' secrets/
 #
 # 4. Build trustchains:
 #   cat lets-encrypt-x3-cross-signed.pem >> secrets/wikipedia-on-ipfs.org.crt