
How to Setup Cloudflare Full Strict and IPNS - IPFS



If you are playing on IPFS you can use IPNS so your site has a typical domain someone can go to. A user can also go to the hash of the IPNS too, using the IPFS gateway, Infura or Cloudflare as well. I was curious how to set up Full Strict on Cloudflare and what that would do with this monstrosity. First set up your domain on Cloudflare with a proxy. I am using explorer.denarius.pro for this example.

Install IPFS on your VPS, Pi or VM. Set up your website like usual and set up IPNS with that. I might write out how to do this again in a second post.

Set up IPNS on Cloudflare with the TXT record.


The nuts and bolts is a gist I forked https://gist.github.com/buzzkillb/aabf6b113154cf4f1601cc34e5488acf

Go to SSL/TLS -> Origin Server -> Create Certificate and either use the default or, like I did, specify the full subdomain. Here I am showing example.denarius.pro for the example. Click Next.


Insert Origin Certificate into a cert.pem

sudo nano /etc/ssl/certs/cert.pem


Insert Private Key into key.pem

sudo nano /etc/ssl/private/key.pem


Download and copy https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem into cloudflare.crt

sudo nano /etc/ssl/certs/cloudflare.crt

Edit the default nginx sites-available file

sudo nano /etc/nginx/sites-available/default

and throw this in. Take note of the domain as you would change that to whatever you are using.

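# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name explorer.denarius.pro;
    return 302 https://$server_name$request_uri;
}

# TLS site: presents the Cloudflare Origin certificate and proxies to the
# local IPFS gateway on port 8080.
server {
    # "ssl on;" is obsolete (newer nginx rejects it); TLS is enabled by
    # the "ssl" parameter on the listen lines.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name explorer.denarius.pro;

    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    location / {
        proxy_pass    http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}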

Test nginx that there are no errors from the copy/pasta.

nginx -t

And reload the nginx service.

nginx -s reload

Now that you have Full Strict Cloudflare on your IPFS / IPNS website, turn this on.


Denarius Wiki is a Hugo built site.

https://denarius.wiki/
https://gateway.ipfs.io/ipns/denarius.wiki/

Simple Explorer is a test site using IPFS for a block explorer.

https://explorer.denarius.pro/
https://gateway.ipfs.io/ipns/explorer.denarius.pro/


If you enjoy my content please consider donating to the Denarius creator - https://www.patreon.com/carsenk
Join Denarius Discord - https://discord.gg/JQEmXwb

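The guide saves Cloudflare's origin-pull CA to /etc/ssl/certs/cloudflare.crt, but nginx only uses such a file once ssl_client_certificate and ssl_verify_client are set, and the server block in the post sets neither. As an added example (not part of the original post), this shell function audits a site file for those directives, for the obsolete "ssl on;", and for a group- or world-readable private key; the name audit_origin_conf and the wording of the findings are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Audits an nginx site file for the origin-side settings this guide relies on.

# Print one finding per line for nginx config "$1"; return 1 if any were found.
audit_origin_conf() {
    body=$(sed 's/#.*$//' "$1") || return 2     # drop comments first
    has() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1"; }
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # "ssl on;" is obsolete; TLS is enabled by "listen ... ssl".
    has 'ssl[[:space:]]+on[[:space:]]*;' && report "obsolete 'ssl on;' directive"
    has 'listen[[:space:]][^;]*443[^;]*ssl' || report "no 'listen 443 ssl'"

    # Authenticated Origin Pulls: nginx must be told which CA signs
    # Cloudflare's client certificate and must require that certificate.
    has 'ssl_client_certificate[[:space:]]+[^;]+;' ||
        report "ssl_client_certificate not set (origin-pull CA unused)"
    has 'ssl_verify_client[[:space:]]+on[[:space:]]*;' ||
        report "ssl_verify_client is not 'on'"

    # The private key named in the config must not be group/world readable.
    key=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' |
        head -n 1)
    if [ -n "$key" ] && [ -e "$key" ] &&
       [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \))" ]; then
        report "private key $key is readable by group or others"
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as audit_origin_conf /etc/nginx/sites-available/default before nginx -t; with ssl_verify_client on, nginx rejects requests that do not present Cloudflare's client certificate, so enable Authenticated Origin Pulls in the Cloudflare dashboard at the same time.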

To set up IPNS, install the IPFS daemon.

https://docs.ipfs.io/guides/guides/install/

Latest binary.

https://dist.ipfs.io/#go-ipfs

Throw the site into somewhere like ~/website and then run

TMP=`ipfs add -r /home/USERNAME/website/ | awk 'END{printf $2}'` && ipfs name publish $TMP

This will show something like

Published to k51qzi5uqu5dg7fkiet37k5jvb81ou2u01k2wvl4namtby5lrp8lvro8wp9oi9: /ipfs/QmU9EdAfNYFNojbzcRxo3in6sD7TxDVFZL1tM7D53nnCfn

You want your TXT record on Cloudflare to use the PEERID hash k51qzi5uqu5dg7fkiet37k5jvb81ou2u01k2wvl4namtby5lrp8lvro8wp9oi9

dnslink=/ipns/k51qzi5uqu5dg7fkiet37k5jvb81ou2u01k2wvl4namtby5lrp8lvro8wp9oi9

Example simple script, addipfs.sh, I use for pos.watch

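#!/bin/bash
# Fail the pipeline if `ipfs add` fails, so nothing is published on error.
set -o pipefail
TMP=$(/usr/local/bin/ipfs add -r /home/denarius/website/ | awk 'END{printf "%s", $2}') && /usr/local/bin/ipfs name publish "$TMP"
# Resolve the IPNS key to see which /ipfs/ path it now points at.
NAME=$(/usr/local/bin/ipfs name resolve k51qzi5uqu5dg7fkiet37k5jvb81ou2u01k2wvl4namtby5lrp8lvro8wp9oi9)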

Which you can go to these variations, notice the PEERID for pos.watch in the Cloudflare TXT record and below IPFS gateway link.


https://pos.watch/
https://gateway.ipfs.io/ipns/pos.watch/
https://gateway.ipfs.io/ipns/k51qzi5uqu5dg7fkiet37k5jvb81ou2u01k2wvl4namtby5lrp8lvro8wp9oi9
http://tiljhkmti5r6mpfjq4zlruizzgbb6rhdplcllhzyh4caff7xjyerphyd.onion/
 

https://denarius.wiki/
https://gateway.ipfs.io/ipns/denarius.wiki/
https://gateway.ipfs.io/ipns/QmY8ED7bPoxQqrbFBbsY3KVpz2GqNmDRtDG8JDTA8kV1H2/
 

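As an added example (not the poster's script), these shell helpers check the output of the two ipfs commands used above before anything is put into DNS: the root CID taken from ipfs add -r must look like a CID, the "Published to ..." line must name that same CID, and the dnslink TXT value is built from the key in that line. The function names are my own, and publish_site assumes ipfs is on PATH with the daemon running.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Read `ipfs add -r` output on stdin; print the root CID (last "added" line).
# Fails unless the value looks like a CIDv0 (Qm...) or a base32 CIDv1 (b...),
# so an error message or empty output is never passed on to `name publish`.
root_cid() {
    cid=$(awk '$1 == "added" { last = $2 } END { printf "%s", last }')
    printf '%s\n' "$cid" |
        grep -Eq '^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$' || return 1
    printf '%s\n' "$cid"
}

# Parse "Published to <key>: /ipfs/<cid>"; print "<key> <cid>" or fail.
parse_publish() {
    out=$(printf '%s\n' "$1" |
        sed -n 's|^Published to \([A-Za-z0-9]\{1,\}\): /ipfs/\([A-Za-z0-9]\{1,\}\)$|\1 \2|p')
    [ -n "$out" ] && printf '%s\n' "$out"
}

# TXT record content that points a domain at an IPNS key.
dnslink_value() {
    printf 'dnslink=/ipns/%s\n' "$1"
}

# Add directory "$1", publish it, and confirm the daemon reports the same CID.
publish_site() {
    cid=$(ipfs add -r "$1" | root_cid) || { echo "ipfs add failed" >&2; return 1; }
    line=$(ipfs name publish "/ipfs/$cid") || return 1
    # After this, $1 is the IPNS key and $2 the CID from the publish line.
    set -- $(parse_publish "$line")
    [ "$2" = "$cid" ] || { echo "published CID differs from added CID" >&2; return 1; }
    echo "published $cid; TXT record should be: $(dnslink_value "$1")"
}
```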

Install IPFS daemon, get latest from here https://dist.ipfs.io/#go-ipfs

wget https://dist.ipfs.io/go-ipfs/v0.7.0/go-ipfs_v0.7.0_linux-amd64.tar.gz
tar xzvf go-ipfs_v0.7.0_linux-amd64.tar.gz
cd go-ipfs/
sudo ./install.sh
ipfs init --profile server

Set up IPFS to run under systemd

sudo nano /etc/systemd/system/ipfs.service

pasta this in

[Unit]
Description=IPFS daemon
After=network.target

[Service]
### Uncomment the following line for custom ipfs datastore location
# Environment=IPFS_PATH=/path/to/your/ipfs/datastore
ExecStart=/usr/local/bin/ipfs daemon --enable-namesys-pubsub
Restart=on-failure

[Install]
WantedBy=default.target

Get it going

sudo systemctl start ipfs
sudo systemctl enable ipfs

IPFS daemon now running in the background


Set up a new domain and needed to enable this under SSL/TLS -> Edge Certificates -> Disable Universal SSL


reference: https://support.cloudflare.com/hc/en-us/articles/200170566-Why-am-I-getting-a-SSL-mismatch-error-#h_122b94f3-ff14-4544-b5fa-8875e08ff5f0


I can't get the service to run on some VPSes for some reason, so testing out a reboot cronjob.

@reboot /usr/bin/screen -dmS ipfs /usr/local/bin/ipfs daemon --enable-namesys-pubsub
