From 397c346ae033ca1629651d88ff27a0fb41424067 Mon Sep 17 00:00:00 2001 From: Adin Schmahmann Date: Fri, 20 Dec 2024 12:41:25 -0500 Subject: [PATCH] feat(libp2p): shared TCP listeners and AutoTLS.AutoWSS (#10565) * feat(libp2p): enable shared TCP listeners * docs: switch mentions of /ws to /tcp/4001 * feat: AutoTLS.AutoWSS This adds AutoTLS.AutoWSS flag that is set to true by default. It will check if Addresses.Swarm contain explicit /ws listener, and if not found, it will append one per every /tcp listener This way existing TCP ports are reused without any extra configuration, but we don't break user's who have custom / explicit /ws listener already. I also moved logger around, to include Addresses.Swarm inspection results in `autotls` logger. * chore: go-libp2p v0.38.1 https://github.com/libp2p/go-libp2p/releases/tag/v0.38.0 https://github.com/libp2p/go-libp2p/releases/tag/v0.38.1 * docs: AutoTLS.AutoWSS and go-libp2p v0.38.x * chore: p2p-forge/client v0.2.0 https://github.com/ipshipyard/p2p-forge/releases/tag/v0.2.0 * fix: disable libp2p.ShareTCPListener() in PNET * chore(ci): timeout sharness after 15m average successful run is <9 minutes, no need to wait for 20 https://github.com/ipfs/kubo/actions/workflows/sharness.yml?query=is%3Asuccess --------- Co-authored-by: Andrew Gillis <11790789+gammazero@users.noreply.github.com> Co-authored-by: Marcin Rataj --- .github/workflows/sharness.yml | 2 +- cmd/ipfs/kubo/daemon.go | 18 +++++++--- config/autotls.go | 6 +++- core/node/groups.go | 47 ++++++++++++++++++++++++-- core/node/libp2p/addrs.go | 11 +++--- core/node/libp2p/transport.go | 16 +++++++-- docs/changelogs/v0.33.md | 28 ++++++++++++--- docs/config.md | 35 +++++++++++-------- docs/environment-variables.md | 12 ++++++- docs/examples/kubo-as-a-library/go.mod | 2 +- docs/examples/kubo-as-a-library/go.sum | 8 ++--- go.mod | 2 +- go.sum | 4 +-- test/dependencies/go.mod | 2 +- test/dependencies/go.sum | 4 +-- test/sharness/t0181-private-network.sh | 1 + 16 files changed, 150 insertions(+), 48 deletions(-) diff --git a/.github/workflows/sharness.yml b/.github/workflows/sharness.yml index 04fea72b20f..f5b226105a4 100644 --- a/.github/workflows/sharness.yml +++ b/.github/workflows/sharness.yml @@ -17,7 +17,7 @@ jobs: sharness-test: if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch' runs-on: ${{ fromJSON(github.repository == 'ipfs/kubo' && '["self-hosted", "linux", "x64", "4xlarge"]' || '"ubuntu-latest"') }} - timeout-minutes: 20 + timeout-minutes: ${{ github.repository == 'ipfs/kubo' && 15 || 60 }} defaults: run: shell: bash diff --git a/cmd/ipfs/kubo/daemon.go b/cmd/ipfs/kubo/daemon.go index 6b87ff44229..0615b26d318 100644 --- a/cmd/ipfs/kubo/daemon.go +++ b/cmd/ipfs/kubo/daemon.go @@ -410,13 +410,21 @@ func daemonFunc(req *cmds.Request, re cmds.ResponseEmitter, env cmds.Environment } } - // Private setups can't leverage peers returned by default IPNIs (Routing.Type=auto) - // To avoid breaking existing setups, switch them to DHT-only. - if routingOption == routingOptionAutoKwd { - if key, _ := repo.SwarmKey(); key != nil || pnet.ForcePrivateNetwork { + if key, _ := repo.SwarmKey(); key != nil || pnet.ForcePrivateNetwork { + // Private setups can't leverage peers returned by default IPNIs (Routing.Type=auto) + // To avoid breaking existing setups, switch them to DHT-only. + if routingOption == routingOptionAutoKwd { log.Error("Private networking (swarm.key / LIBP2P_FORCE_PNET) does not work with public HTTP IPNIs enabled by Routing.Type=auto. Kubo will use Routing.Type=dht instead. Update config to remove this message.") routingOption = routingOptionDHTKwd } + + // Private setups should not use public AutoTLS infrastructure + // as it will leak their existence and PeerID identity to CA + // and they will show up at https://crt.sh/?q=libp2p.direct + // Below ensures we hard fail if someone tries to enable both + if cfg.AutoTLS.Enabled.WithDefault(config.DefaultAutoTLSEnabled) { + return errors.New("private networking (swarm.key / LIBP2P_FORCE_PNET) does not work with AutoTLS.Enabled=true, update config to remove this message") + } } switch routingOption { @@ -467,7 +475,7 @@ func daemonFunc(req *cmds.Request, re cmds.ResponseEmitter, env cmds.Environment fmt.Printf("Swarm key fingerprint: %x\n", node.PNetFingerprint) } - if (pnet.ForcePrivateNetwork || node.PNetFingerprint != nil) && routingOption == routingOptionAutoKwd { + if (pnet.ForcePrivateNetwork || node.PNetFingerprint != nil) && (routingOption == routingOptionAutoKwd || routingOption == routingOptionAutoClientKwd) { // This should never happen, but better safe than sorry log.Fatal("Private network does not work with Routing.Type=auto. Update your config to Routing.Type=dht (or none, and do manual peering)") } diff --git a/config/autotls.go b/config/autotls.go index 67ada23abe8..638b205d840 100644 --- a/config/autotls.go +++ b/config/autotls.go @@ -6,9 +6,12 @@ import p2pforge "github.com/ipshipyard/p2p-forge/client" // for obtaining a domain and TLS certificate to improve connectivity for web // browser clients. More: https://github.com/ipshipyard/p2p-forge#readme type AutoTLS struct { - // Enables the p2p-forge feature + // Enables the p2p-forge feature and all related features. Enabled Flag `json:",omitempty"` + // Optional, controls if Kubo should add /tls/sni/.../ws listener to every /tcp port if no explicit /ws is defined in Addresses.Swarm + AutoWSS Flag `json:",omitempty"` + // Optional override of the parent domain that will be used DomainSuffix *OptionalString `json:",omitempty"` @@ -27,4 +30,5 @@ const ( DefaultDomainSuffix = p2pforge.DefaultForgeDomain DefaultRegistrationEndpoint = p2pforge.DefaultForgeEndpoint DefaultCAEndpoint = p2pforge.DefaultCAEndpoint + DefaultAutoWSS = true // requires AutoTLS.Enabled ) diff --git a/core/node/groups.go b/core/node/groups.go index caa6cc96305..0f65230dd3c 100644 --- a/core/node/groups.go +++ b/core/node/groups.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "regexp" "strings" "time" @@ -115,6 +116,8 @@ func LibP2P(bcfg *BuildCfg, cfg *config.Config, userResourceOverrides rcmgr.Part enableRelayService := cfg.Swarm.RelayService.Enabled.WithDefault(enableRelayTransport) enableRelayClient := cfg.Swarm.RelayClient.Enabled.WithDefault(enableRelayTransport) enableAutoTLS := cfg.AutoTLS.Enabled.WithDefault(config.DefaultAutoTLSEnabled) + enableAutoWSS := cfg.AutoTLS.AutoWSS.WithDefault(config.DefaultAutoWSS) + atlsLog := log.Logger("autotls") // Log error when relay subsystem could not be initialized due to missing dependency if !enableRelayTransport { @@ -125,21 +128,59 @@ func LibP2P(bcfg *BuildCfg, cfg *config.Config, userResourceOverrides rcmgr.Part logger.Fatal("Failed to enable `Swarm.RelayClient`, it requires `Swarm.Transports.Network.Relay` to be true.") } } + if enableAutoTLS { + if !cfg.Swarm.Transports.Network.TCP.WithDefault(true) { + logger.Fatal("Invalid configuration: AutoTLS.Enabled=true requires Swarm.Transports.Network.TCP to be true as well.") + } if !cfg.Swarm.Transports.Network.Websocket.WithDefault(true) { logger.Fatal("Invalid configuration: AutoTLS.Enabled=true requires Swarm.Transports.Network.Websocket to be true as well.") } + // AutoTLS for Secure WebSockets: ensure WSS listeners are in place (manual or automatic) wssWildcard := fmt.Sprintf("/tls/sni/*.%s/ws", cfg.AutoTLS.DomainSuffix.WithDefault(config.DefaultDomainSuffix)) wssWildcardPresent := false + customWsPresent := false + customWsRegex := regexp.MustCompile(`/wss?$`) + tcpRegex := regexp.MustCompile(`/tcp/\d+$`) + + // inspect listeners defined in config at Addresses.Swarm + var tcpListeners []string for _, listener := range cfg.Addresses.Swarm { + // detect if user manually added /tls/sni/.../ws listener matching AutoTLS.DomainSuffix if strings.Contains(listener, wssWildcard) { + atlsLog.Infof("found compatible wildcard listener in Addresses.Swarm. AutoTLS will be used on %s", listener) wssWildcardPresent = true break } + // detect if user manually added own /ws or /wss listener that is + // not related to AutoTLS feature + if customWsRegex.MatchString(listener) { + atlsLog.Infof("found custom /ws listener set by user in Addresses.Swarm. AutoTLS will not be used on %s.", listener) + customWsPresent = true + break + } + // else, remember /tcp listeners that can be reused for /tls/sni/../ws + if tcpRegex.MatchString(listener) { + tcpListeners = append(tcpListeners, listener) + } } - if !wssWildcardPresent { - logger.Fatal(fmt.Sprintf("Invalid configuration: AutoTLS.Enabled=true requires a catch-all Addresses.Swarm listener ending with %q to be present, see https://github.com/ipfs/kubo/blob/master/docs/config.md#autotls", wssWildcard)) + + // Append AutoTLS's wildcard listener + // if no manual /ws listener was set by the user + if enableAutoWSS && !wssWildcardPresent && !customWsPresent { + if len(tcpListeners) == 0 { + logger.Fatal("Invalid configuration: AutoTLS.AutoWSS=true requires at least one /tcp listener present in Addresses.Swarm, see https://github.com/ipfs/kubo/blob/master/docs/config.md#autotls") + } + for _, tcpListener := range tcpListeners { + wssListener := tcpListener + wssWildcard + cfg.Addresses.Swarm = append(cfg.Addresses.Swarm, wssListener) + atlsLog.Infof("appended AutoWSS listener: %s", wssListener) + } + } + + if !wssWildcardPresent && !enableAutoWSS { + logger.Fatal(fmt.Sprintf("Invalid configuration: AutoTLS.Enabled=true requires a /tcp listener ending with %q to be present in Addresses.Swarm or AutoTLS.AutoWSS=true, see https://github.com/ipfs/kubo/blob/master/docs/config.md#autotls", wssWildcard)) } } @@ -152,7 +193,7 @@ func LibP2P(bcfg *BuildCfg, cfg *config.Config, userResourceOverrides rcmgr.Part // Services (resource management) fx.Provide(libp2p.ResourceManager(bcfg.Repo.Path(), cfg.Swarm, userResourceOverrides)), - maybeProvide(libp2p.P2PForgeCertMgr(bcfg.Repo.Path(), cfg.AutoTLS), enableAutoTLS), + maybeProvide(libp2p.P2PForgeCertMgr(bcfg.Repo.Path(), cfg.AutoTLS, atlsLog), enableAutoTLS), maybeInvoke(libp2p.StartP2PAutoTLS, enableAutoTLS), fx.Provide(libp2p.AddrFilters(cfg.Swarm.AddrFilters)), fx.Provide(libp2p.AddrsFactory(cfg.Addresses.Announce, cfg.Addresses.AppendAnnounce, cfg.Addresses.NoAnnounce)), diff --git a/core/node/libp2p/addrs.go b/core/node/libp2p/addrs.go index 958d05bbbad..b2dc45c5ce6 100644 --- a/core/node/libp2p/addrs.go +++ b/core/node/libp2p/addrs.go @@ -133,21 +133,20 @@ func ListenOn(addresses []string) interface{} { } } -func P2PForgeCertMgr(repoPath string, cfg config.AutoTLS) interface{} { +func P2PForgeCertMgr(repoPath string, cfg config.AutoTLS, atlsLog *logging.ZapEventLogger) interface{} { return func() (*p2pforge.P2PForgeCertMgr, error) { storagePath := filepath.Join(repoPath, "p2p-forge-certs") - forgeLogger := logging.Logger("autotls").Desugar() - // TODO: this should not be necessary, but we do it to help tracking // down any race conditions causing // https://github.com/ipshipyard/p2p-forge/issues/8 - certmagic.Default.Logger = forgeLogger.Named("default_fixme") - certmagic.DefaultACME.Logger = forgeLogger.Named("default_acme_client_fixme") + rawLogger := atlsLog.Desugar() + certmagic.Default.Logger = rawLogger.Named("default_fixme") + certmagic.DefaultACME.Logger = rawLogger.Named("default_acme_client_fixme") certStorage := &certmagic.FileStorage{Path: storagePath} certMgr, err := p2pforge.NewP2PForgeCertMgr( - p2pforge.WithLogger(forgeLogger.Sugar()), + p2pforge.WithLogger(rawLogger.Sugar()), p2pforge.WithForgeDomain(cfg.DomainSuffix.WithDefault(config.DefaultDomainSuffix)), p2pforge.WithForgeRegistrationEndpoint(cfg.RegistrationEndpoint.WithDefault(config.DefaultRegistrationEndpoint)), p2pforge.WithCAEndpoint(cfg.CAEndpoint.WithDefault(config.DefaultCAEndpoint)), diff --git a/core/node/libp2p/transport.go b/core/node/libp2p/transport.go index 61412ff4fc4..3e5ab956888 100644 --- a/core/node/libp2p/transport.go +++ b/core/node/libp2p/transport.go @@ -2,6 +2,8 @@ package libp2p import ( "fmt" + "os" + "github.com/ipfs/kubo/config" "github.com/ipshipyard/p2p-forge/client" "github.com/libp2p/go-libp2p" @@ -24,12 +26,14 @@ func Transports(tptConfig config.Transports) interface{} { ) (opts Libp2pOpts, err error) { privateNetworkEnabled := params.Fprint != nil - if tptConfig.Network.TCP.WithDefault(true) { + tcpEnabled := tptConfig.Network.TCP.WithDefault(true) + wsEnabled := tptConfig.Network.Websocket.WithDefault(true) + if tcpEnabled { // TODO(9290): Make WithMetrics configurable opts.Opts = append(opts.Opts, libp2p.Transport(tcp.NewTCPTransport, tcp.WithMetrics())) } - if tptConfig.Network.Websocket.WithDefault(true) { + if wsEnabled { if params.ForgeMgr == nil { opts.Opts = append(opts.Opts, libp2p.Transport(websocket.New)) } else { @@ -37,6 +41,14 @@ func Transports(tptConfig config.Transports) interface{} { } } + if tcpEnabled && wsEnabled && os.Getenv("LIBP2P_TCP_MUX") != "false" { + if privateNetworkEnabled { + log.Error("libp2p.ShareTCPListener() is not supported in private networks, please disable Swarm.Transports.Network.Websocket or run with LIBP2P_TCP_MUX=false to make this message go away") + } else { + opts.Opts = append(opts.Opts, libp2p.ShareTCPListener()) + } + } + if tptConfig.Network.QUIC.WithDefault(!privateNetworkEnabled) { if privateNetworkEnabled { return opts, fmt.Errorf( diff --git a/docs/changelogs/v0.33.md b/docs/changelogs/v0.33.md index f93ab3fbdd2..873e57d7383 100644 --- a/docs/changelogs/v0.33.md +++ b/docs/changelogs/v0.33.md @@ -6,13 +6,15 @@ - [Overview](#overview) - [๐Ÿ”ฆ Highlights](#-highlights) + - [Shared TCP listeners](#shared-tcp-listeners) + - [AutoTLS takes care of Secure WebSockets setup](#autotls-takes-care-of-secure-websockets-setup) - [Bitswap improvements from Boxo](#bitswap-improvements-from-boxo) - [Using default `libp2p_rcmgr` metrics](#using-default-libp2p_rcmgr--metrics) - [Flatfs does not `sync` on each write](#flatfs-does-not-sync-on-each-write) - [`ipfs add --to-files` no longer works with `--wrap`](#ipfs-add---to-files-no-longer-works-with---wrap) - [New options for faster writes: `WriteThrough`, `BlockKeyCacheSize`, `BatchMaxNodes`, `BatchMaxSize`](#new-options-for-faster-writes-writethrough-blockkeycachesize-batchmaxnodes-batchmaxsize) - [MFS stability with large number of writes](#mfs-stability-with-large-number-of-writes) - - [๐Ÿ“ฆ๏ธ Dependency updates](#-dependency-updates) + - [๐Ÿ“ฆ๏ธ Important dependency updates](#-important-dependency-updates) - [๐Ÿ“ Changelog](#-changelog) - [๐Ÿ‘จโ€๐Ÿ‘ฉโ€๐Ÿ‘งโ€๐Ÿ‘ฆ Contributors](#-contributors) @@ -20,6 +22,24 @@ ### ๐Ÿ”ฆ Highlights +#### Shared TCP listeners + +Kubo now supports sharing the same TCP port (`4001` by default) by both [raw TCP](https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmtransportsnetworktcp) and [WebSockets](https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmtransportsnetworkwebsocket) libp2p transports. + +This feature is not yet compatible with Private Networks and can be disabled by setting `LIBP2P_TCP_MUX=false` if causes any issues. + +#### AutoTLS takes care of Secure WebSockets setup + +It is no longer necessary to manually add `/tcp/../ws` listeners to `Addresses.Swarm` when [`AutoTLS.Enabled`](https://github.com/ipfs/kubo/blob/master/docs/config.md#autotlsenabled) is set to `true`. Kubo will detect if `/ws` listener is missing and add one on the same port as pre-existing TCP (e.g. `/tcp/4001`), removing the need for any extra configuration. +> [!TIP] +> Give it a try: +> ```console +> $ ipfs config --json AutoTLS.Enabled true +> ``` +> And restart the node. If you are behind NAT, make sure your node is publicly diallable (uPnP or port forwarding), and wait a few minutes to pass all checks and for the changes to take effect. + +See [`AutoTLS`](https://github.com/ipfs/kubo/blob/master/docs/config.md#autotls) for more information. + #### Bitswap improvements from Boxo This release includes some refactorings and improvements affecting Bitswap which should improve reliability. One of the changes affects blocks providing. Previously, the bitswap layer took care itself of announcing new blocks -added or received- with the configured provider (i.e. DHT). This bypassed the "Reprovider", that is, the system that manages precisely "providing" the blocks stored by Kubo. The Reprovider knows how to take advantage of the [AcceleratedDHTClient](https://github.com/ipfs/kubo/blob/master/docs/config.md#routingaccelerateddhtclient), is able to handle priorities, logs statistics and is able to resume on daemon reboot where it left off. From now on, Bitswap will not be doing any providing on-the-side and all announcements are managed by the reprovider. In some cases, when the reproviding queue is full with other elements, this may cause additional delays, but more likely this will result in improved block-providing behaviour overall. @@ -62,11 +82,11 @@ We recommend users trying Pebble as a datastore backend to disable both blocksto We have fixed a number of issues that were triggered by writing or copying many files onto an MFS folder: increased memory usage first, then CPU, disk usage, and eventually a deadlock on write operations. The details of the fixes can be read at [#10630](https://github.com/ipfs/kubo/pull/10630) and [#10623](https://github.com/ipfs/kubo/pull/10623). The result is that writing large amounts of files to an MFS folder should now be possible without major issues. It is possible, as before, to speed up the operations using the `ipfs files --flush=false ...` flag, but it is recommended to switch to `ipfs files --flush=true ...` regularly, or call `ipfs files flush` on the working directory regularly, as this will flush, clear the directory cache and speed up reads. -#### ๐Ÿ“ฆ๏ธ Dependency updates +#### ๐Ÿ“ฆ๏ธ Important dependency updates -- update `boxo` to [v0.26.0](https://github.com/ipfs/boxo/releases/tag/v0.26.0) +- update `boxo` to [v0.26.0](https://github.com/ipfs/boxo/releases/tag/v0.26.0) (incl. [v0.25.0](https://github.com/ipfs/boxo/releases/tag/v0.25.0)) - update `go-libp2p` to [v0.38.1](https://github.com/libp2p/go-libp2p/releases/tag/v0.38.1) (incl. [v0.37.1](https://github.com/libp2p/go-libp2p/releases/tag/v0.37.1) + [v0.37.2](https://github.com/libp2p/go-libp2p/releases/tag/v0.37.2) + [v0.38.0](https://github.com/libp2p/go-libp2p/releases/tag/v0.38.0)) -- update `p2p-forge/client` to [v0.1.0](https://github.com/ipshipyard/p2p-forge/releases/tag/v0.1.0) +- update `p2p-forge/client` to [v0.2.0](https://github.com/ipshipyard/p2p-forge/releases/tag/v0.2.0) (incl. [v0.1.0](https://github.com/ipshipyard/p2p-forge/releases/tag/v0.1.0)) - update `ipfs-webui` to [v4.4.1](https://github.com/ipfs/ipfs-webui/releases/tag/v4.4.1) ### ๐Ÿ“ Changelog diff --git a/docs/config.md b/docs/config.md index 8fbcc849449..f1a3895f5de 100644 --- a/docs/config.md +++ b/docs/config.md @@ -29,6 +29,7 @@ config file at runtime. - [`AutoNAT.Throttle.Interval`](#autonatthrottleinterval) - [`AutoTLS`](#autotls) - [`AutoTLS.Enabled`](#autotlsenabled) + - [`AutoTLS.AutoWSS`](#autotlsautowss) - [`AutoTLS.DomainSuffix`](#autotlsdomainsuffix) - [`AutoTLS.RegistrationEndpoint`](#autotlsregistrationendpoint) - [`AutoTLS.RegistrationToken`](#autotlsregistrationtoken) @@ -496,33 +497,39 @@ Type: `object` > Feel free to enable it and [report issues](https://github.com/ipfs/kubo/issues/new/choose) if you want to help with testing. > Track progress in [kubo#10560](https://github.com/ipfs/kubo/issues/10560). -Enables AutoTLS feature to get DNS+TLS for [libp2p Secure WebSocket](https://github.com/libp2p/specs/blob/master/websockets/README.md) listeners defined in [`Addresses.Swarm`](#addressesswarm), such as `/ip4/0.0.0.0/tcp/4002/tls/sni/*.libp2p.direct/ws` and `/ip6/::/tcp/4002/tls/sni/*.libp2p.direct/ws`. +Enables AutoTLS feature to get DNS+TLS for [libp2p Secure WebSocket](https://github.com/libp2p/specs/blob/master/websockets/README.md) on `/tcp` port. -If `.../tls/sni/*.libp2p.direct/ws` [multiaddr] is present in [`Addresses.Swarm`](#addressesswarm) +If `AutoTLS.AutoWSS` is `true`, or `/tcp/../tls/sni/*.libp2p.direct/ws` [multiaddr] is present in [`Addresses.Swarm`](#addressesswarm) with SNI segment ending with [`AutoTLS.DomainSuffix`](#autotlsdomainsuffix), -Kubo will obtain and set up a trusted PKI TLS certificate for it, making it dialable from web browser's [Secure Contexts](https://w3c.github.io/webappsec-secure-contexts/). +Kubo will obtain and set up a trusted PKI TLS certificate for `*.peerid.libp2p.direct`, making it dialable from web browser's [Secure Contexts](https://w3c.github.io/webappsec-secure-contexts/). + +> [!TIP] +> - Most users don't need custom `/ws` config in `Addresses.Swarm`. Try running this with `AutoTLS.AutoWSS=true`: it will reuse preexisting catch-all `/tcp` ports that were already forwarded/safelisted on your firewall. +> - Debugging can be enabled by setting environment variable `GOLOG_LOG_LEVEL="error,autotls=debug,p2p-forge/client=debug"`. Less noisy `GOLOG_LOG_LEVEL="error,autotls=info` may be informative enough. +> - Certificates are stored in `$IPFS_PATH/p2p-forge-certs`. Removing directory and restarting daemon will trigger certificate rotation. > [!IMPORTANT] > Caveats: > - Requires your Kubo node to be publicly dialable. -> - If you want to test this with a node that is behind a NAT and uses manual port forwarding or UPnP (`Swarm.DisableNatPortMap=false`), -> add catch-all `/ip4/0.0.0.0/tcp/4002/tls/sni/*.libp2p.direct/ws` and `/ip6/::/tcp/4002/tls/sni/*.libp2p.direct/ws` to [`Addresses.Swarm`](#addressesswarm) +> - If you want to test this with a node that is behind a NAT and uses manual TCP port forwarding or UPnP (`Swarm.DisableNatPortMap=false`), use `AutoTLS.AutoWSS=true`, or manually +> add catch-all `/ip4/0.0.0.0/tcp/4001/tls/sni/*.libp2p.direct/ws` and `/ip6/::/tcp/4001/tls/sni/*.libp2p.direct/ws` to [`Addresses.Swarm`](#addressesswarm) > and **wait 5-15 minutes** for libp2p node to set up and learn about own public addresses via [AutoNAT](#autonat). > - If your node is fresh and just started, the [p2p-forge] client may produce and log ERRORs during this time, but once a publicly dialable addresses are set up, a subsequent retry should be successful. -> - Listeners defined in [`Addresses.Swarm`](#addressesswarm) with `/tls/sni` must use a separate port from other TCP listeners, e.g. `4002` instead of the default `4001`. -> - A separate port (`/tcp/4002`) has to be used instead of `/tcp/4001` because we wait for TCP port sharing ([go-libp2p#2984](https://github.com/libp2p/go-libp2p/issues/2684)) to be implemented. -> - If you use manual port forwarding, make sure incoming connections to this additional port are allowed the same way `4001` ones already are. > - The TLS certificate is used only for [libp2p WebSocket](https://github.com/libp2p/specs/blob/master/websockets/README.md) connections. > - Right now, this is NOT used for hosting a [Gateway](#gateway) over HTTPS (that use case still requires manual TLS setup on reverse proxy, and your own domain). -> [!TIP] -> - Debugging can be enabled by setting environment variable `GOLOG_LOG_LEVEL="error,autotls=debug,p2p-forge/client=debug"` -> - Certificates are stored in `$IPFS_PATH/p2p-forge-certs`. Removing directory and restarting daemon will trigger certificate rotation. - Default: `false` Type: `flag` +### `AutoTLS.AutoWSS` + +Optional. Controls if Kubo should add `/tls/sni/*.libp2p.direct/ws` listener to every pre-existing `/tcp` port IFF no explicit `/ws` is defined in [`Addresses.Swarm`](#addressesswarm) already. + +Default: `true` (active only if `AutoTLS.Enabled` is `true` as well) + +Type: `flag` + ### `AutoTLS.DomainSuffix` Optional override of the parent domain suffix that will be used in DNS+TLS+WebSockets multiaddrs generated by [p2p-forge] client. @@ -2198,8 +2205,8 @@ Default: Enabled Type: `flag` Listen Addresses: -* /ip4/0.0.0.0/tcp/4002/ws -* /ip6/::/tcp/4002/ws +* /ip4/0.0.0.0/tcp/4001/ws +* /ip6/::/tcp/4001/ws #### `Swarm.Transports.Network.QUIC` diff --git a/docs/environment-variables.md b/docs/environment-variables.md index b384e51addb..f6832471f82 100644 --- a/docs/environment-variables.md +++ b/docs/environment-variables.md @@ -155,7 +155,17 @@ Kubo tries to reuse the same source port for all connections to improve NAT traversal. If this is an issue, you can disable it by setting `LIBP2P_TCP_REUSEPORT` to false. -Default: true +Default: `true` + +## `LIBP2P_TCP_MUX` + +By default Kubo tries to reuse the same listener port for raw TCP and WebSockers transports via experimental `libp2p.ShareTCPListener()` feature introduced in [go-libp2p#2984](https://github.com/libp2p/go-libp2p/pull/2984). +If this is an issue, you can disable it by setting `LIBP2P_TCP_MUX` to `false` and use separate ports for each TCP transport. + +> [!CAUTION] +> This configuration option may be removed once `libp2p.ShareTCPListener()` becomes default in go-libp2p. + +Default: `true` ## `LIBP2P_MUX_PREFS` diff --git a/docs/examples/kubo-as-a-library/go.mod b/docs/examples/kubo-as-a-library/go.mod index 6f6c7e52564..76a4e94b88d 100644 --- a/docs/examples/kubo-as-a-library/go.mod +++ b/docs/examples/kubo-as-a-library/go.mod @@ -112,7 +112,7 @@ require ( github.com/ipld/go-car/v2 v2.14.2 // indirect github.com/ipld/go-codec-dagpb v1.6.0 // indirect github.com/ipld/go-ipld-prime v0.21.0 // indirect - github.com/ipshipyard/p2p-forge v0.1.0 // indirect + github.com/ipshipyard/p2p-forge v0.2.0 // indirect github.com/jackpal/go-nat-pmp v1.0.2 // indirect github.com/jbenet/go-temp-err-catcher v0.1.0 // indirect github.com/jbenet/goprocess v0.1.4 // indirect diff --git a/docs/examples/kubo-as-a-library/go.sum b/docs/examples/kubo-as-a-library/go.sum index 81fb3cbfa5d..4f46a659d95 100644 --- a/docs/examples/kubo-as-a-library/go.sum +++ b/docs/examples/kubo-as-a-library/go.sum @@ -407,8 +407,8 @@ github.com/ipld/go-ipld-prime v0.21.0 h1:n4JmcpOlPDIxBcY037SVfpd1G+Sj1nKZah0m6QH github.com/ipld/go-ipld-prime v0.21.0/go.mod h1:3RLqy//ERg/y5oShXXdx5YIp50cFGOanyMctpPjsvxQ= github.com/ipld/go-ipld-prime/storage/bsadapter v0.0.0-20230102063945-1a409dc236dd h1:gMlw/MhNr2Wtp5RwGdsW23cs+yCuj9k2ON7i9MiJlRo= github.com/ipld/go-ipld-prime/storage/bsadapter v0.0.0-20230102063945-1a409dc236dd/go.mod h1:wZ8hH8UxeryOs4kJEJaiui/s00hDSbE37OKsL47g+Sw= -github.com/ipshipyard/p2p-forge v0.1.0 h1:RjCuX5wSKOv6J+6aaKTvuGOhVw24TuCLZx7d3M4BaiI= -github.com/ipshipyard/p2p-forge v0.1.0/go.mod h1:5s1MuHMh8FXrhDScKLk0F+zBaJglCAZMKn9myiWAPOU= +github.com/ipshipyard/p2p-forge v0.2.0 h1:ZboFW1h6SE5ZTHz3YrCRSup/C0GMMOzHux82zMEPWtk= +github.com/ipshipyard/p2p-forge v0.2.0/go.mod h1:RcA03Mn9o31M3HKBa9mrnTDthWGRlAxTipQFQjDOOvc= github.com/jackpal/go-nat-pmp v1.0.2 h1:KzKSgb7qkJvOUTqYl9/Hg/me3pWgBmERKrTGD7BdWus= github.com/jackpal/go-nat-pmp v1.0.2/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc= github.com/jbenet/go-cienv v0.1.0/go.mod h1:TqNnHUmJgXau0nCzC7kXWeotg3J9W34CUv5Djy1+FlA= @@ -1081,8 +1081,8 @@ golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= -golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/go.mod b/go.mod index 344a2a37ac5..e4f5ce41daf 100644 --- a/go.mod +++ b/go.mod @@ -49,7 +49,7 @@ require ( github.com/ipld/go-car/v2 v2.14.2 github.com/ipld/go-codec-dagpb v1.6.0 github.com/ipld/go-ipld-prime v0.21.0 - github.com/ipshipyard/p2p-forge v0.1.0 + github.com/ipshipyard/p2p-forge v0.2.0 github.com/jbenet/go-temp-err-catcher v0.1.0 github.com/jbenet/goprocess v0.1.4 github.com/julienschmidt/httprouter v1.3.0 diff --git a/go.sum b/go.sum index 7309e554fed..39ced23ab40 100644 --- a/go.sum +++ b/go.sum @@ -475,8 +475,8 @@ github.com/ipld/go-ipld-prime v0.21.0 h1:n4JmcpOlPDIxBcY037SVfpd1G+Sj1nKZah0m6QH github.com/ipld/go-ipld-prime v0.21.0/go.mod h1:3RLqy//ERg/y5oShXXdx5YIp50cFGOanyMctpPjsvxQ= github.com/ipld/go-ipld-prime/storage/bsadapter v0.0.0-20230102063945-1a409dc236dd h1:gMlw/MhNr2Wtp5RwGdsW23cs+yCuj9k2ON7i9MiJlRo= github.com/ipld/go-ipld-prime/storage/bsadapter v0.0.0-20230102063945-1a409dc236dd/go.mod h1:wZ8hH8UxeryOs4kJEJaiui/s00hDSbE37OKsL47g+Sw= -github.com/ipshipyard/p2p-forge v0.1.0 h1:RjCuX5wSKOv6J+6aaKTvuGOhVw24TuCLZx7d3M4BaiI= -github.com/ipshipyard/p2p-forge v0.1.0/go.mod h1:5s1MuHMh8FXrhDScKLk0F+zBaJglCAZMKn9myiWAPOU= +github.com/ipshipyard/p2p-forge v0.2.0 h1:ZboFW1h6SE5ZTHz3YrCRSup/C0GMMOzHux82zMEPWtk= +github.com/ipshipyard/p2p-forge v0.2.0/go.mod h1:RcA03Mn9o31M3HKBa9mrnTDthWGRlAxTipQFQjDOOvc= github.com/jackpal/go-nat-pmp v1.0.2 h1:KzKSgb7qkJvOUTqYl9/Hg/me3pWgBmERKrTGD7BdWus= github.com/jackpal/go-nat-pmp v1.0.2/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc= github.com/jbenet/go-cienv v0.1.0 h1:Vc/s0QbQtoxX8MwwSLWWh+xNNZvM3Lw7NsTcHrvvhMc= diff --git a/test/dependencies/go.mod b/test/dependencies/go.mod index 4fd03c8e627..57ab795c274 100644 --- a/test/dependencies/go.mod +++ b/test/dependencies/go.mod @@ -131,7 +131,7 @@ require ( github.com/ipfs/kubo v0.31.0 // indirect github.com/ipld/go-codec-dagpb v1.6.0 // indirect github.com/ipld/go-ipld-prime v0.21.0 // indirect - github.com/ipshipyard/p2p-forge v0.1.0 // indirect + github.com/ipshipyard/p2p-forge v0.2.0 // indirect github.com/jackpal/go-nat-pmp v1.0.2 // indirect github.com/jbenet/go-temp-err-catcher v0.1.0 // indirect github.com/jbenet/goprocess v0.1.4 // indirect diff --git a/test/dependencies/go.sum b/test/dependencies/go.sum index f858bfc8a1c..b0b4314dd0f 100644 --- a/test/dependencies/go.sum +++ b/test/dependencies/go.sum @@ -364,8 +364,8 @@ github.com/ipld/go-codec-dagpb v1.6.0 h1:9nYazfyu9B1p3NAgfVdpRco3Fs2nFC72DqVsMj6 github.com/ipld/go-codec-dagpb v1.6.0/go.mod h1:ANzFhfP2uMJxRBr8CE+WQWs5UsNa0pYtmKZ+agnUw9s= github.com/ipld/go-ipld-prime v0.21.0 h1:n4JmcpOlPDIxBcY037SVfpd1G+Sj1nKZah0m6QH9C2E= github.com/ipld/go-ipld-prime v0.21.0/go.mod h1:3RLqy//ERg/y5oShXXdx5YIp50cFGOanyMctpPjsvxQ= -github.com/ipshipyard/p2p-forge v0.1.0 h1:RjCuX5wSKOv6J+6aaKTvuGOhVw24TuCLZx7d3M4BaiI= -github.com/ipshipyard/p2p-forge v0.1.0/go.mod h1:5s1MuHMh8FXrhDScKLk0F+zBaJglCAZMKn9myiWAPOU= +github.com/ipshipyard/p2p-forge v0.2.0 h1:ZboFW1h6SE5ZTHz3YrCRSup/C0GMMOzHux82zMEPWtk= +github.com/ipshipyard/p2p-forge v0.2.0/go.mod h1:RcA03Mn9o31M3HKBa9mrnTDthWGRlAxTipQFQjDOOvc= github.com/jackpal/go-nat-pmp v1.0.2 h1:KzKSgb7qkJvOUTqYl9/Hg/me3pWgBmERKrTGD7BdWus= github.com/jackpal/go-nat-pmp v1.0.2/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc= github.com/jbenet/go-cienv v0.1.0/go.mod h1:TqNnHUmJgXau0nCzC7kXWeotg3J9W34CUv5Djy1+FlA= diff --git a/test/sharness/t0181-private-network.sh b/test/sharness/t0181-private-network.sh index 46dc45cdf3c..5f8979d3a52 100755 --- a/test/sharness/t0181-private-network.sh +++ b/test/sharness/t0181-private-network.sh @@ -36,6 +36,7 @@ LIBP2P_FORCE_PNET=1 test_launch_ipfs_daemon test_expect_success "set up iptb testbed" ' iptb testbed create -type localipfs -count 5 -force -init && iptb run -- ipfs config --json "Routing.LoopbackAddressesOnLanDHT" true && + iptb run -- ipfs config --json "Swarm.Transports.Network.Websocket" false && iptb run -- ipfs config --json Addresses.Swarm '"'"'["/ip4/127.0.0.1/tcp/0"]'"'"' '