[volunteergrid2-l] Making our web-facing gateways NOT a rope around our necks
Brad Rupp
bradrupp at gmail.com
Wed Feb 9 19:14:36 PST 2011
I think I have a solution for this, but I need some help testing it.
My gateway is now configured to require authentication for all paths
except for GET requests to /uri/ and /file/. GET requests to those two
paths do not require authentication. All other HTTP methods, including
POST and PUT still do require authentication. The root path (/) where
the introducer furl is displayed also requires authentication.
Note that /uri/ is different than /uri and /file/ is different than
/file. /uri and /file still require authentication. I'm not sure if
that matters in Tahoe.
If you have any known caps in the vg2 grid, can you test them out using
my gateway? I know the GET requests to /uri/ and /file/ are working. I
have not yet verified POST and PUT requests. Any help would be appreciated.
Finally, does anyone see any security holes in what I have done?
Thanks
Brad
On 2/7/2011 5:15 PM, Jody Harris wrote:
> I think that's going to be our only choice....
>
> Once I wrapped my head around the fact that Tahoe isn't designed to be
> "friendly" to sharing AND security at the same time and in the same way,
> I realized that this was what we were going to have to do.
>
> I would also like to set up a central proxy that will load balance
> between our download-only, web-facing interfaces so that any one of us
> doesn't have to pay the full bandwidth bill for making our files
> publicly accessible. (The way my server is set up, I pay per-GB for
> incoming and outgoing bandwidth.)
>
> j
> ----
> - Think carefully.
>
>
> On Mon, Feb 7, 2011 at 5:05 PM, Brad Rupp <bradrupp at gmail.com> wrote:
>
> What if we were to configure a gateway node that disallows HTTP
> POST/PUT and comment out the lines you mention to hide the
> introducer furl?
>
> Brad
>
>
> On 2/7/2011 3:14 PM, Jody Harris wrote:
>
> Commenting out lines 45 and 51 of welcome.xhtml (version 1.8.2)
> alleviates the biggest concern of exposing the introducer and
> helper furls, while still allowing the connected status to those
> services to be indicated.
>
> This, of course, does not stop "outsiders" from uploading to the grid,
> but that's a different kind of problem.
>
> j
> ----
> - Think carefully.
>
>
> On Mon, Feb 7, 2011 at 2:58 PM, Jody Harris <jharris at harrisdev.com> wrote:
>
> Interesting....
>
> I see now that the problem with web/welcome.xhtml is that it exposes
> the introducer furl, which can be remedied easily enough by removing
> ~10 lines of code.
>
> There still remains the problem with the uri .... interface, which
> exposes the ability to store files into the grid even if the forms
> were removed from the welcome.xhtml interface.
>
> So, really Tahoe-LAFS does not support sharing files unless the
> owners are willing to expose their full grid to the world. Solutions
> to this problem would necessarily be workarounds outside the use
> case of the Tahoe-LAFS developers.
>
> I'm cool with that as long as it's clearly stated from the beginning.
>
> Am I on the right track?
>
> jody
> ----
> - Think carefully.
>
>
>
> On Mon, Feb 7, 2011 at 2:35 PM, Zooko O'Whielacronx <zooko at zooko.com> wrote:
>
> > It might be helpful if more people created Trac accounts and commented on
> > this ticket -- I don't know.
>
> As a tahoe-lafs developer, I definitely appreciate feedback from users
> on the tahoe-dev mailing list, and I appreciate feedback on the trac
> even more.
>
> Of course, the fastest way to get a feature like this one implemented
> is to do the work to implement it and submit a patch. I'll be happy to
> mentor anyone who wants to do that. The first step is to get everyone
> on the same page about what behavior would be desirable and acceptable
> to everyone, which is what the #860 ticket has accomplished.
>
> Regards,
>
> Zooko
> _______________________________________________
> volunteergrid2-l mailing list
> volunteergrid2-l at tahoe-lafs.org
> <mailto:volunteergrid2-l at tahoe-lafs.org>
> <mailto:volunteergrid2-l at tahoe-lafs.org
> <mailto:volunteergrid2-l at tahoe-lafs.org>>
>
> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
> http://bigpig.org/twiki/bin/view/Main/WebHome
>
>
>
>
>
>
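
The access rule Brad describes at the top of this message, written out as a decision function with a request matrix to check it against. This is an added example, not Brad's gateway configuration or Tahoe-LAFS code. The names `requires_auth`, `normalize_path` and `mismatches` are hypothetical, the cap strings are constructed placeholders, and it assumes the rule is applied to the percent-decoded, dot-segment-collapsed path, so a GET for `/uri/../` is judged as `/`.

```python
import posixpath
from urllib.parse import unquote

# The two prefixes the message exempts for GET; the trailing slash matters.
PUBLIC_GET_PREFIXES = ("/uri/", "/file/")


def normalize_path(target: str) -> str:
    """Drop the query, percent-decode once, and collapse '.'/'..' segments."""
    path = unquote(target.split("?", 1)[0])
    norm = "/" + posixpath.normpath(path).lstrip("/")
    # normpath strips a trailing slash; restore it so /uri/ and /uri stay distinct.
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def requires_auth(method: str, target: str) -> bool:
    """True when the request must present credentials under the stated rule."""
    if method != "GET":  # POST, PUT and every other method always need auth
        return True
    return not normalize_path(target).startswith(PUBLIC_GET_PREFIXES)


# Constructed request matrix: (method, request target, auth expected?)
CASES = [
    ("GET", "/uri/URI:CHK:constructed-example", False),
    ("GET", "/uri/URI:CHK:constructed-example?t=json", False),
    ("GET", "/file/URI:CHK:constructed-example/name.txt", False),
    ("GET", "/", True),            # root page shows the introducer furl
    ("GET", "/uri", True),         # no trailing slash: not exempt
    ("GET", "/file", True),
    ("POST", "/uri/", True),
    ("PUT", "/uri/URI:CHK:constructed-example", True),
    ("HEAD", "/uri/URI:CHK:constructed-example", True),
    ("GET", "/uri/../", True),     # collapses to "/", must not ride the exemption
    ("GET", "/uri/%2e%2e/", True), # same path, percent-encoded
]


def mismatches():
    """Return the cases where the policy disagrees with the expected result."""
    return [(m, t) for m, t, want in CASES if requires_auth(m, t) != want]


if __name__ == "__main__":
    for method, target, want in CASES:
        print(f"{method:5} {target:45} auth={requires_auth(method, target)}")
    print("mismatches:", mismatches())
```

The same matrix can be replayed against a live gateway, comparing which requests come back with an authentication challenge, to confirm the deployed rule matches the intended one.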