
InterPlanetary File System: localizing the global gateway or sites in IPFS

We will learn how to switch sites to your local IPFS gateway when they do not yet do this automatically themselves. We will create a shared SSL certificate for them using the OpenSSL bundled with Stunnel.


A reminder: InterPlanetary File System is a new decentralized file-sharing network (HTTP server, Content Delivery Network). I described it in the article "Interplanetary File System IPFS".


Take, for example, the global IPFS gateway gateway.ipfs.io and redirect this address to our local IPFS gateway.


Prerequisite: an IPFS gateway is already installed and running on the standard port 8080.


  1. In the hosts file we add the domain we want to load from the IPFS gateway.


    127.0.0.1 gateway.ipfs.io 

  2. Install and configure Stunnel .
    stunnel.conf :


     ; TLS on port 8443 in front of the local IPFS gateway
     [https gateway]
     accept = 127.0.0.1:8443
     connect = 127.0.0.1:8080
     cert = stunnel.pem
     TIMEOUTclose = 0

     ; Standard port 443 for HTTPS
     [https]
     accept = 127.0.0.1:443
     connect = 127.0.0.1:8080
     cert = stunnel.pem
     TIMEOUTclose = 0

     ; Standard port 80 for HTTP: plain HTTP in, forwarded over TLS to the [https] service
     [http]
     client = yes
     accept = 127.0.0.1:80
     connect = 127.0.0.1:443

    Thus, we open 3 additional ports (443, 8443, 80) that connect the client to the IPFS gateway. All three listen on 127.0.0.1 only.


  3. Create certificates and keys.


    3.1. Copy makecert.cmd to the config directory


     @echo off
     %~d0
     cd %~p0
     set STUNNELBIN=..\bin
     set PATH=%STUNNELBIN%;%PATH%;

     rem // Create the root key and a self-signed root certificate in PEM format.
     rem // openssl asks for a passphrase that protects the root key.
     rem // Convert the root certificate from PEM to DER (rootcert.crt) for Windows.
     rem // The PEM file (rootcert.pem) is the one to import into Firefox.
     if not exist "rootkey.pem" (
         echo [ req ] >openssl.root.cnf
         echo distinguished_name = req_distinguished_name >>openssl.root.cnf
         echo [v3_ca] >>openssl.root.cnf
         echo subjectKeyIdentifier = hash >>openssl.root.cnf
         echo authorityKeyIdentifier = keyid:always,issuer:always >>openssl.root.cnf
         echo basicConstraints = critical, CA:TRUE >>openssl.root.cnf
         echo keyUsage = keyCertSign, cRLSign >>openssl.root.cnf
         echo [ req_distinguished_name ] >>openssl.root.cnf
         openssl.exe req -newkey rsa:4096 -x509 -sha256 -days 5480 -config openssl.root.cnf -extensions v3_ca -utf8 -subj "/CN=127.0.0.1" -out rootcert.pem -keyout rootkey.pem
         openssl.exe x509 -outform der -in rootcert.pem -out rootcert.crt
         del openssl.root.cnf
     )

     rem // Create the private key for the gateway certificate.
     if not exist "gatewaykey.pem" (
         openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out gatewaykey.pem
     )

     rem // Create the certificate signing request for the gateway.
     if not exist "gateway.csr" (
         echo [ req ] >openssl.req.cnf
         echo req_extensions = v3_req >>openssl.req.cnf
         echo distinguished_name = req_distinguished_name >>openssl.req.cnf
         echo [ req_distinguished_name ] >>openssl.req.cnf
         echo [ v3_req ] >>openssl.req.cnf
         echo basicConstraints = CA:FALSE >>openssl.req.cnf
         echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment >>openssl.req.cnf
         openssl req -new -key gatewaykey.pem -days 1096 -batch -utf8 -subj "/CN=127.0.0.1" -config openssl.req.cnf -out gateway.csr
         del openssl.req.cnf
     )

     rem // On later runs, index.txt holds the index of the next DNS entry.
     if exist "index.txt" (
         set /p index=<index.txt
     )
     if not exist "index.txt" (
         set index=2
     )

     rem // Create openssl.cnf with the certificate extensions if it does not exist yet.
     if not exist "openssl.cnf" (
         echo basicConstraints = CA:FALSE >openssl.cnf
         echo extendedKeyUsage = serverAuth >>openssl.cnf
         echo subjectAltName=@alt_names >>openssl.cnf
         echo [alt_names] >>openssl.cnf
         echo IP.1 = 127.0.0.1 >>openssl.cnf
         echo DNS.1 = localhost >>openssl.cnf
         set index=2
         del "index.txt"
     )

     rem // Append each domain to openssl.cnf, taken from the command line or typed in.
     rem // Every domain is added twice: the name itself and a wildcard for its subdomains.
     :NEXT
     set /a aindex=%index% + 1
     set /a bindex=%index% + 2
     set domain=%1
     if !%domain% == ! (
         set /p domain=enter domain name or space:
     )
     if not !%domain% == ! (
         echo DNS.%index% = %domain% >>openssl.cnf
         echo DNS.%aindex% = *.%domain% >>openssl.cnf
         echo %bindex% >index.txt
         set index=%bindex%
         shift
         goto NEXT
     )

     del gateway.pem

     rem // Issue the IPFS gateway certificate, signed with the root key.
     openssl x509 -req -sha256 -days 1096 -in gateway.csr -CAkey rootkey.pem -CA rootcert.pem -set_serial %RANDOM%%RANDOM%%RANDOM%%RANDOM% -extfile openssl.cnf -out gateway.pem

     rem // Combine certificate and key into stunnel.pem, the file stunnel loads.
     copy /b gateway.pem+gatewaykey.pem stunnel.pem

     rem // Keep the window open so the output can be read.
     pause

    3.2. Run


     makecert.cmd ipfs.io 

    The first time you run this script it creates a root certificate (rootcert.pem for Firefox, rootcert.crt for everything else) and a root key, for which you need to set a password. The root certificate must be added to the trusted root certificate store in the browser and operating system.



Next, a certificate will be automatically created for the gateway, and you need to specify the domains it will serve.


  4. Restart Stunnel.


    reload.cmd


     @echo off
     %~d0
     cd %~p0
     set STUNNELBIN=..\bin
     set PATH=%STUNNELBIN%;%PATH%;

     rem // Install the service, start it, and reload its configuration.
     stunnel -install -quiet
     stunnel -start -quiet
     stunnel -reload -quiet


Now gateway.ipfs.io will be served by the local gateway. You can do the same with any site that is hosted in IPFS.
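
Before trusting the result, it is worth checking which host names the issued certificate really covers. The following is an added example, not part of the original article: it repeats the makecert.cmd flow in POSIX shell with throwaway keys in a temporary directory, then verifies the chain and the host names. The `demo root` subject, serial 1001, 30-day lifetime, unencrypted keys and the function names are assumptions made for the demo.

```sh
#!/bin/sh
# Added example (not from the article): the makecert.cmd flow in POSIX sh,
# followed by checks on which host names the issued certificate serves.
# Throwaway 2048-bit keys without a passphrase, 30-day validity, temp dir only.

# issue_demo_certs DIR DOMAIN: root CA + gateway certificate, as in step 3
issue_demo_certs() {
    d=$1; dom=$2
    printf '%s\n' '[ req ]' 'distinguished_name = dn' '[ dn ]' '[ v3_ca ]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = keyCertSign, cRLSign' >"$d/openssl.root.cnf"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        'subjectAltName = @alt_names' '[alt_names]' 'IP.1 = 127.0.0.1' \
        'DNS.1 = localhost' "DNS.2 = $dom" "DNS.3 = *.$dom" >"$d/openssl.cnf"
    openssl req -newkey rsa:2048 -nodes -x509 -sha256 -days 30 \
        -config "$d/openssl.root.cnf" -extensions v3_ca -subj "/CN=demo root" \
        -keyout "$d/rootkey.pem" -out "$d/rootcert.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/gatewaykey.pem" 2>/dev/null &&
    openssl req -new -batch -key "$d/gatewaykey.pem" -subj "/CN=127.0.0.1" \
        -config "$d/openssl.root.cnf" -out "$d/gateway.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 30 -in "$d/gateway.csr" \
        -CA "$d/rootcert.pem" -CAkey "$d/rootkey.pem" -set_serial 1001 \
        -extfile "$d/openssl.cnf" -out "$d/gateway.pem" 2>/dev/null
}

# cert_serves DIR HOST: succeeds only if gateway.pem chains to rootcert.pem,
# is valid as a TLS server certificate, and its SAN list covers HOST
cert_serves() {
    openssl verify -CAfile "$1/rootcert.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/gateway.pem" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
issue_demo_certs "$DEMO_DIR" ipfs.io
for host in ipfs.io gateway.ipfs.io a.b.ipfs.io example.org; do
    if cert_serves "$DEMO_DIR" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered"
    fi
done
```

The wildcard entry covers exactly one label, so a deeper name such as a.b.ipfs.io is not served by a certificate issued for ipfs.io. The same `openssl verify` line can be run in the Stunnel config directory against the real rootcert.pem and gateway.pem.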


Test site: ivan386.tk


GitHub: Stunnel settings for InterPlanetary File System


My other articles on "interplanetary file system":


  1. Interplanetary File System IPFS
  2. We publish the site in the interplanetary file system IPFS
  3. We host a site in the interplanetary IPFS file system under Windows
  4. No need to copy to the network


Source: https://habr.com/ru/post/331014/

