[volunteergrid2-l] Making our web-facing gateways NOT a rope around our necks

Jody Harris jharris at harrisdev.com
Wed Feb 9 20:07:59 PST 2011


Grabbing the "tahoe updater script (beta)" works without authentication:
http://if3-1.no-ip.org:3456/uri/URI:CHK:w57u6rrpcuslan5yb27cr4tn7q:l4mmiei2m4vyc75r2iovsytcta7dspyxyhqeomegwqk56mcvydkq:7:15:539

Maybe I'll have time tomorrow to work on some hacking to make sure I can't
upload to that gateway without authentication.

jody
----
- Think carefully.


On Wed, Feb 9, 2011 at 8:14 PM, Brad Rupp <bradrupp at gmail.com> wrote:

> I think I have a solution for this, but I need some help testing it.
>
> My gateway is now configured to require authentication for all paths except
> for GET requests to /uri/ and /file/.  GET requests to those two paths do
> not require authentication.  All other HTTP methods, including POST and PUT
> still do require authentication.  The root path (/) where the introducer
> furl is displayed also requires authentication.
>
> Note that /uri/ is different than /uri and /file/ is different than /file.
> /uri and /file still require authentication.  I'm not sure if that matters
> in Tahoe.
>
> If you have any known caps in the vg2 grid, can you test them out using my
> gateway?  I know the GET requests to /uri/ and /file/ are working.  I have
> not yet verified POST and PUT requests.  Any help would be appreciated.
>
> Finally, does anyone see any security holes in what I have done?
>
> Thanks
>
> Brad
>
> On 2/7/2011 5:15 PM, Jody Harris wrote:
>
>> I think that's going to be our only choice....
>>
>> Once I wrapped my head around the fact that Tahoe isn't designed to be
>> "friendly" to sharing AND security at the same time and in the same way,
>> I realized that this was what we were going to have to do.
>>
>> I would also like to set up a central proxy that will load balance
>> between our download-only, web-facing interfaces so that any one of us
>> doesn't have to pay the full bandwidth bill for making our files
>> publicly accessible. (The way my server is set up, I pay per-GB for
>> incoming and outgoing bandwidth.)
>>
>> j
>> ----
>> - Think carefully.
>>
>>
>> On Mon, Feb 7, 2011 at 5:05 PM, Brad Rupp <bradrupp at gmail.com> wrote:
>>
>>    What if we were to configure a gateway node that disallows HTTP
>>    POST/PUT and comment out the lines you mention to hide the
>>    introducer furl?
>>
>>    Brad
>>
>>
>>    On 2/7/2011 3:14 PM, Jody Harris wrote:
>>
>>        Commenting out lines 45 and 51 of welcome.xhtml (version 1.8.2)
>>        alleviates the biggest concern of exposing the introducer and
>>        helper furls, while still allowing the connected status to those
>>        services to be indicated.
>>
>>        This, of course, does not stop "outsiders" from uploading to the
>>        grid, but that's a different kind of problem.
>>
>>        j
>>        ----
>>        - Think carefully.
>>
>>
>>
>>        On Mon, Feb 7, 2011 at 2:58 PM, Jody Harris
>>        <jharris at harrisdev.com> wrote:
>>
>>            Interesting....
>>
>>
>>            I see now that the problem with web/welcome.xhtml is that it
>>            exposes the introducer furl, which can be remedied easily
>>            enough by removing ~10 lines of code.
>>
>>            There still remains the problem with the uri .... interface,
>>            which exposes the ability to store files into the grid even if
>>            the forms were removed from the welcome.xhtml interface.
>>
>>            So, really Tahoe-LAFS does not support sharing files unless the
>>            owners are willing to expose their full grid to the world.
>>            Solutions to this problem would necessarily be workarounds
>>            outside the use case of the Tahoe-LAFS developers.
>>
>>            I'm cool with that as long as it's clearly stated from the
>>            beginning.
>>
>>            Am I on the right track?
>>
>>            jody
>>            ----
>>            - Think carefully.
>>
>>
>>
>>            On Mon, Feb 7, 2011 at 2:35 PM, Zooko O'Whielacronx
>>            <zooko at zooko.com> wrote:
>>
>>                > It might be helpful if more people created Trac accounts
>>                > and commented on this ticket -- I don't know.
>>
>>                As a tahoe-lafs developer, I definitely appreciate feedback
>>                from users on the tahoe-dev mailing list, and I appreciate
>>                feedback on the trac even more.
>>
>>                Of course, the fastest way to get a feature like this one
>>                implemented is to do the work to implement it and submit a
>>                patch. I'll be happy to mentor anyone who wants to do that.
>>                The first step is to get everyone on the same page about
>>                what behavior would be desirable and acceptable to
>>                everyone, which is what the #860 ticket has accomplished.
>>
>>
>>                Regards,
>>
>>                Zooko
>>                _______________________________________________
>>                volunteergrid2-l mailing list
>>                volunteergrid2-l at tahoe-lafs.org
>>                http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
>>                http://bigpig.org/twiki/bin/view/Main/WebHome
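
The access policy described in the quoted message (authentication for everything except GET requests under /uri/ and /file/), written as a WSGI middleware with a helper for checking a request matrix. This is an added example, not code from the thread or from Tahoe-LAFS; HTTP Basic authentication, the dot-segment check, and every name, credential and cap string in it are assumptions.

```python
# Added example, not the configuration from the thread. Basic auth and all
# names here (requires_auth, gateway_policy, SAMPLE_USERS) are assumptions.
import base64
import hmac

OPEN_PREFIXES = ("/uri/", "/file/")  # trailing slash: bare /uri and /file stay protected
SAMPLE_USERS = {"operator": "constructed-password"}  # constructed credentials

def requires_auth(method, path):
    """Only GET under /uri/ or /file/ is public; every other request needs auth."""
    if ".." in path.split("/"):  # added hardening: dot segments never count as public
        return True
    return not (method == "GET" and path.startswith(OPEN_PREFIXES))

def authenticated(environ):
    """Validate an HTTP Basic Authorization header against SAMPLE_USERS."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return False
    expected = SAMPLE_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def gateway_policy(app):
    """WSGI middleware that answers 401 before the request reaches the gateway app."""
    def wrapped(environ, start_response):
        method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "")
        if requires_auth(method, path) and not authenticated(environ):
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="gateway"')])
            return [b""]
        return app(environ, start_response)
    return wrapped

def status_for(method, path, credentials=None):
    """Send one constructed request through the policy in front of a stub backend."""
    def backend(environ, start_response):
        start_response("200 OK", [])
        return [b"ok"]
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if credentials:
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(credentials.encode()).decode()
    seen = []
    gateway_policy(backend)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Calling `status_for` over every method and path combination an operator cares about gives the expected status table to compare against what the real gateway returns.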