docs/how-to/kubo-tls.md
11 additions & 7 deletions
@@ -3,14 +3,14 @@ title: TLS and HTTP Auth for Kubo
3
3
description: Learn how to set up TLS for Kubo with Caddy reverse proxy for secure API access over public networks.
4
4
---
5
5
6
-
# Setting up TLS and basic HTTP auth for Kubo with Caddy reverse proxy
6
+
# Setting up TLS and HTTP authentication for Kubo with Caddy reverse proxy
7
7
8
8
This guide will help you set up two things:
9
9
10
-
-**Transport Encryption:** Caddy as a reverse proxy with automatic TLS certificate management for your Kubo node.
11
-
-**Authentication:** Basic HTTP auth for the Kubo RPC API.
10
+
-**Transport Encryption:** Caddy as a reverse proxy with automatic TLS certificate management for your Kubo node using a domain you control.
11
+
-**Authentication:** Basic HTTP authentication for the Kubo RPC API.
12
12
13
-
This is highly recommended if you run your own Kubo node and want to use the Kubo RPC API over public networks, for example, to pin data from CI, or other services. Since the Kubo RPC API is exposed over plain HTTP, you will need to use TLS to ensure the connection to the API is encrypted.
13
+
This is highly recommended if you run your own Kubo node and want to use the Kubo RPC API over public networks, for example, to pin CIDs from CI, or other services. Since the Kubo RPC API is exposed over plain HTTP, TLS is used to ensure the connection to the API is encrypted.
14
14
15
15
## Prerequisites
16
16
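Review bot: The rewritten paragraph at new line 13 says TLS is used to encrypt the connection but never ties that to the authentication bullet added just above it. Basic HTTP authentication sends the credentials with every request, so they are only protected because the request travels over TLS; a short clause saying so would make the reason for pairing the two explicit. Minor style point in the same line: "to pin CIDs from CI, or other services" reads better without the comma, as "from CI or other services".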
@@ -21,6 +21,8 @@ Before starting, ensure you have:
21
21
- Port 443 open on your server's firewall
22
22
-[Caddy web server](https://caddyserver.com/) installed on the server
23
23
24
+
The guide assumes the Caddy process is managed by systemd. If you are using a different process manager or Docker, you will need to adjust the configuration accordingly.
25
+
24
26
## Configure Kubo
25
27
26
28
First, you'll need to configure Kubo to work with the reverse proxy. Edit your Kubo config file (usually located at `~/.ipfs/config`) and update the API section:
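Review bot: "adjust the configuration accordingly" in the added line 24 is vague about what actually changes for non-systemd setups. Going by the rest of the guide, the systemd-specific part is the `sudo systemctl restart caddy` step rather than the Caddy configuration itself, so consider wording it as "you will need to adjust the restart commands accordingly". It would also read more naturally as an item in, or a note directly under, the prerequisites list than as a free-standing paragraph before "Configure Kubo".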
@@ -72,19 +74,21 @@ This configuration:
72
74
73
75
## Restart Caddy
74
76
77
+
Restart the Caddy service to apply the changes:
78
+
75
79
```bash
76
80
sudo systemctl restart caddy
77
81
```
78
82
79
83
## Test the Connection
80
84
81
-
To verify everything is working correctly, test the connection using the IPFS CLI:
85
+
To verify everything is working correctly, test the connection using the IPFS CLI, making sure to replace `YOUR_DOMAIN` with your actual domain name:
82
86
83
87
```bash
84
88
ipfs id --api /dns/YOUR_DOMAIN/tcp/443/https --api-auth basic:hello:world123
85
89
```
86
90
87
-
If successful, you should see your node's information displayed. The command connects to your Kubo node through the secure HTTPS endpoint using basic authentication.
91
+
If successful, you should see your node's identify displayed. The command connects to your Kubo node through the secure HTTPS endpoint using basic authentication.
88
92
89
93
## Security Considerations
90
94
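Review bot: Typo in the added line 91: "your node's identify displayed" should be "your node's identity displayed". In the added line 85, the reminder to replace `YOUR_DOMAIN` is useful, but the command below it still carries `basic:hello:world123`; the same sentence should tell readers to replace those sample credentials with the ones they configured, and it is worth mentioning that credentials passed via `--api-auth` on the command line end up in shell history.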
@@ -98,6 +102,6 @@ If successful, you should see your node's information displayed. The command con
98
102
If you encounter issues:
99
103
100
104
1. Check Caddy logs
101
-
2. Verify your domain's DNS settings, ensuring the A record is correct
105
+
2. Verify your domain's DNS settings, ensuring the A record is correct. Sometimes changes can take a few minutes to propagate (depending on the TTL of the DNS record).
102
106
3. Ensure port 443 is open and not blocked by your firewall
103
107
4. Check that Kubo is running and accessible on localhost:5001
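Review bot: In the added line 105, "a few minutes" contradicts the parenthetical "depending on the TTL of the DNS record", since a TTL can be much longer than a few minutes. Suggest dropping the fixed estimate, for example "Changes can take time to propagate, depending on the TTL of the DNS record."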