-
-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: built-in content blocking based on IPIP-383 (#10161)
Fixes #8492 This introduces "nopfs" as a preloaded plugin into Kubo with support for denylists from ipfs/specs#383 It automatically makes Kubo watch *.deny files found in: - /etc/ipfs/denylists - $XDG_CONFIG_HOME/ipfs/denylists - $IPFS_PATH/denylists * test: Gateway.NoFetch and GatewayOverLibp2p adds missing tests for "no fetch" gateways one can expose, in both cases the offline mode is done by passing custom blockservice/exchange into path resolver, which means global path resolver that has nopfs intercept is not used, and the content blocking does not happen on these gateways. * fix: use offline path resolvers where appropriate this fixes the problem described in #10161 (comment) by adding explicit offline path resolvers that are backed by offline exchange, and using them in NoFetch gateways instead of the default online ones --------- Co-authored-by: Henrique Dias <[email protected]> Co-authored-by: Marcin Rataj <[email protected]>
- Loading branch information
1 parent
4f303d3
commit a0f34b1
Showing
19 changed files
with
596 additions
and
65 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
<h1 align="center"> | ||
<br> | ||
<a href="#readme"><img src="https://github.com/ipfs-shipyard/nopfs/blob/41484a818e6542314f784da852fc41b76f2d48a6/logo.png?raw=true" alt="content blocking logo" title="content blocking in Kubo" width="200"></a> | ||
<br> | ||
Content Blocking in Kubo | ||
<br> | ||
</h1> | ||
|
||
Kubo ships with built-in support for denylist format from [IPIP-383](https://github.com/ipfs/specs/pull/383). | ||
|
||
## Default behavior | ||
|
||
Official Kubo build does not ship with any denylists enabled by default. | ||
|
||
Content blocking is an opt-in decision made by the operator of `ipfs daemon`. | ||
|
||
## How to enable blocking | ||
|
||
Place a `*.deny` file in one of directories: | ||
|
||
- `$IPFS_PATH/denylists/` (`$HOME/.ipfs/denylists/` if `IPFS_PATH` is not set) | ||
- `$XDG_CONFIG_HOME/ipfs/denylists/` (`$HOME/.config/ipfs/denylists/` if `XDG_CONFIG_HOME` is not set) | ||
- `/etc/ipfs/denylists/` (global) | ||
|
||
Files need to be present before starting the `ipfs daemon` in order to be watched for updates. | ||
|
||
If a new denylist file is added, `ipfs daemon` needs to be restarted. | ||
|
||
CLI and Gateway users will receive errors in response to request impacted by a blocklist: | ||
|
||
``` | ||
Error: /ipfs/QmQvjk82hPkSaZsyJ8vNER5cmzKW7HyGX5XVusK7EAenCN is blocked and cannot be provided | ||
``` | ||
|
||
End user is not informed about the exact reason, see [How to | ||
debug](#how-to-debug) if you need to find out which line of which denylist | ||
caused the request to be blocked. | ||
|
||
## Denylist file format | ||
|
||
[NOpfs](https://github.com/ipfs-shipyard/nopfs) supports the format from [IPIP-383](https://github.com/ipfs/specs/pull/383). | ||
|
||
Clear-text rules are simple: just put content paths to block, one per line. | ||
Paths with unicode and whitespace need to be percend-encoded: | ||
|
||
``` | ||
/ipfs/QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR | ||
/ipfs/bafybeihfg3d7rdltd43u3tfvncx7n5loqofbsobojcadtmokrljfthuc7y/927%20-%20Standards/927%20-%20Standards.png | ||
``` | ||
|
||
Sensitive content paths can be double-hashed to block without revealing them. | ||
Double-hashed list example: https://badbits.dwebops.pub/badbits.deny | ||
|
||
See [IPIP-383](https://github.com/ipfs/specs/pull/383) for detailed format specification and more examples. | ||
|
||
## How to suspend blocking without removing denylists | ||
|
||
Set `IPFS_CONTENT_BLOCKING_DISABLE` environment variable to `true` and restart the daemon. | ||
|
||
|
||
## How to debug | ||
|
||
Debug logging of `nopfs` subsystem can be enabled with `GOLOG_LOG_LEVEL="nopfs=debug"` | ||
|
||
All block events are logged as warnings on a separate level named `nopfs-blocks`. | ||
|
||
To only log requests for blocked content set `GOLOG_LOG_LEVEL="nopfs-blocks=warn"`: | ||
|
||
``` | ||
WARN (...) QmRFniDxwxoG2n4AcnGhRdjqDjCM5YeUcBE75K8WXmioH3: blocked (test.deny:9) | ||
``` | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.