Allow anonymous read access to buckets to enable website hosting #6

New Issue

Closed

opened 2020-10-21 12:25:38 +00:00 by quentin · 6 comments

quentin commented 2020-10-21 12:25:38 +00:00

Owner

Copy Link

To enable website hosting, we should start by allowing anonymous access to the bucket.
Either by creating a specific/fake API key or by adding an option to buckets.
Will try to be more precise after reading the code and see how AWS is doing.

To enable website hosting, we should start by allowing anonymous access to the bucket. Either by creating a specific/fake API key or by adding an option to buckets. Will try to be more precise after reading the code and see how AWS is doing.

lx commented 2020-10-21 13:59:53 +00:00

Owner

Copy Link

Suggested architecture: open a third end point (HTTP server) only for anonymous/public access to buckets configured to serve as static websites. This would allow to clearly distinguish the semantics of the S3 API (read/write/list files/etc, authentified) and of the public website access (read only, no auth).

Suggested architecture: open a third end point (HTTP server) only for anonymous/public access to buckets configured to serve as static websites. This would allow to clearly distinguish the semantics of the S3 API (read/write/list files/etc, authentified) and of the public website access (read only, no auth).

quentin commented 2020-10-21 20:48:40 +00:00

Author

Owner

Copy Link

AWS seems to use an independent endpoint for websites, similarly as your recommendation:
https://docs.aws.amazon.com/fr_fr/AmazonS3/latest/dev/WebsiteEndpoints.html

Next, I will see how website management is implemented in S3.

AWS seems to use an independent endpoint for websites, similarly as your recommendation: https://docs.aws.amazon.com/fr_fr/AmazonS3/latest/dev/WebsiteEndpoints.html Next, I will see how website management is implemented in S3.

quentin commented 2020-10-21 21:07:09 +00:00

Author

Owner

Copy Link

It might be possible to implement this as a S3 API (not necessary the option we want).
Here are the relevant endpoints:

• DeleteBucketWebsite
• GetBucketWebsite
• PutBucketWebsite

Some other endpoints, not mandatory, but that could be of interest later:

• PutBucketCors
• GetBucketCors
• DeleteBucketCors

If we choose this solution, creating a website would be as simple as running:

s3cmd ws-create s3://example-bucket

where example-bucket is the bucket.

We could then expose websites on a specific port as suggested by lx, specific port that would be bound to a specific domain in our reverse proxy. Not so simple however...

If we publish buckets as site.deuxfleurs.fr/example-bucket, we might be open to security risks if people use cookies and that sort of things that are bound to a domain name.

If we publish buckets as example-bucket.site.deuxfleurs.fr, we could use wildcards at the proxy and ACME/Let's Encrypt level. Would need to check it can be done in practise.

Finally, if we want to be as generic as possible and support arbitrary websites like example.com, we should use the Consul Catalog feature of Traefik: when PutBucketWebsite is called, an entry is inserted in Consul KV to inform Traefik of the website. Especially, two URLS must be registered: example.com and example.com.site.deuxfleurs.fr. Similarly, with example-bucket and example-bucket.site.deuxfleurs.fr must be registered. In the second case, we can see that Traefik will never be able to register for the domain name example-bucket. We must be careful with that and check that it will not exhaust Let's Encrypt Rate Limiting.
Otherwise, we could check before adding the domain name that its DNS entry is example.com CNAME site.deuxfleurs.fr.

---

Not related to this issue but some other endpoints we could implement:

• ListBuckets and corresponding Get and Put commands if we want to enable a key to manage its own buckets
• PutBucketAcl and corresponding Get and Delete commands if we want to enable a key to manage ACL on buckets

Not sure it is a good idea.

It might be possible to implement this as a S3 API (not necessary the option we want). Here are the relevant endpoints: - [DeleteBucketWebsite](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketWebsite.html) - [GetBucketWebsite](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketWebsite.html) - [PutBucketWebsite](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html) Some other endpoints, not mandatory, but that could be of interest later: - [PutBucketCors](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html) - [GetBucketCors](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketCors.html) - [DeleteBucketCors](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html) If we choose this solution, creating a website would be as simple as running: ```bash s3cmd ws-create s3://example-bucket ``` where `example-bucket` is the bucket. We could then expose websites on a specific port as suggested by lx, specific port that would be bound to a specific domain in our reverse proxy. Not so simple however... If we publish buckets as `site.deuxfleurs.fr/example-bucket`, we might be open to security risks if people use cookies and that sort of things that are bound to a domain name. If we publish buckets as `example-bucket.site.deuxfleurs.fr`, we could use wildcards at the proxy and ACME/Let's Encrypt level. Would need to check it can be done in practise. Finally, if we want to be as generic as possible and support arbitrary websites like `example.com`, we should use the Consul Catalog feature of Traefik: when PutBucketWebsite is called, an entry is inserted in Consul KV to inform Traefik of the website. Especially, two URLS must be registered: `example.com` and `example.com.site.deuxfleurs.fr`. Similarly, with `example-bucket` and `example-bucket.site.deuxfleurs.fr` must be registered. In the second case, we can see that Traefik will never be able to register for the domain name `example-bucket`. We must be careful with that and check that it will not exhaust Let's Encrypt Rate Limiting. Otherwise, we could check before adding the domain name that its DNS entry is `example.com CNAME site.deuxfleurs.fr`. --- Not related to this issue but some other endpoints we could implement: - [ListBuckets](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) and corresponding Get and Put commands if we want to enable a key to manage its own buckets - [PutBucketAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html) and corresponding Get and Delete commands if we want to enable a key to manage ACL on buckets Not sure it is a good idea.

quentin commented 2020-10-21 21:27:25 +00:00

Author

Owner

Copy Link

So my minimal proposition to start:

• Implement S3 commands {Put,Get,Delete}BucketWebsite
• Add a new listening port (7879?) that will handle website traffic
• Add keys to configure Traefik in Consul (if configured to do so)
  • Possibly check bucket CNAME to prevent useless failures on let's encrypt API

What do you think of this plan LX? If you validate it, I will open a [WIP] PR to track my progress :-)

So my minimal proposition to start: - Implement S3 commands {Put,Get,Delete}BucketWebsite - Add a new listening port (7879?) that will handle website traffic - Add keys to configure Traefik in Consul (if configured to do so) - Possibly check bucket CNAME to prevent useless failures on let's encrypt API What do you think of this plan LX? If you validate it, I will open a [WIP] PR to track my progress :-)

lx commented 2020-10-22 16:01:23 +00:00

Owner

Copy Link

In my opinion, a minimal proposition would not even contain the implementation of the {Put,Get,Delete}BucketWebsite endpoints, and only allow configuration using the command line interface. This is currently what we are doing to create buckets and configure access keys (we don't have PutBucket or such). This requires manual intervention for the configuration of every new website, however given the small numbers of website hosted on Deuxfleurs, this is probably an acceptable cost to begin with.

Exposing API endpoints that allowe the user to create or configure buckets should be a separate issue. We probably need more thought as to what permission model we want to implement before we do that.

So my plan for a minimal implementation would only be:

• add a bit in the bucket table that says whether that bucket is exposed as a website
• add a CLI command to set that bit
• create an endpoint for public website access for buckets that have that bit enabled, using the Host: header to read from the correct bucket, if we decide that our convention is that the bucket name must match the domain name of the website

Alternatively, a 1-indirection-layer option exists: use a separate table to store website configuration, so that website host names do not need to match bucket names, and several website host names can be served by the same bucket.

In my opinion, a minimal proposition would not even contain the implementation of the {Put,Get,Delete}BucketWebsite endpoints, and only allow configuration using the command line interface. This is currently what we are doing to create buckets and configure access keys (we don't have PutBucket or such). This requires manual intervention for the configuration of every new website, however given the small numbers of website hosted on Deuxfleurs, this is probably an acceptable cost to begin with. Exposing API endpoints that allowe the user to create or configure buckets should be a separate issue. We probably need more thought as to what permission model we want to implement before we do that. So my plan for a minimal implementation would only be: * add a bit in the bucket table that says whether that bucket is exposed as a website * add a CLI command to set that bit * create an endpoint for public website access for buckets that have that bit enabled, using the Host: header to read from the correct bucket, if we decide that our convention is that the bucket name must match the domain name of the website Alternatively, a 1-indirection-layer option exists: use a separate table to store website configuration, so that website host names do not need to match bucket names, and several website host names can be served by the same bucket.

👍 1

quentin commented 2020-10-22 16:47:35 +00:00

Author

Owner

Copy Link

Agree, let's start without implementing the S3 API. To be as close as possible as S3, I will start by not adding the 1-indirection-layer. We will see later if we need it but having the same website listening on multiple domain name is a bad practise in term of SEO (redirections to a main domain name is preferred)

Agree, let's start without implementing the S3 API. To be as close as possible as S3, I will start by **not** adding the 1-indirection-layer. We will see later if we need it but having the same website listening on multiple domain name is a bad practise in term of SEO (redirections to a main domain name is preferred)

👍 1

quentin referenced a pull request that will close this issue 2020-10-31 16:30:25 +00:00

Support website publishing #7

lx closed this issue 2021-01-15 16:49:51 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

main-0.9.x

db-no-unsafe

main-0.8.x

k2v/shared_http_client

feat/website-redir

smithy2

test/compilation

poc/nomad-ci

test-ci-wait

pnet_datalink-0.33.0

optimal-layout

k2v-watch-range

db-debug-log

build-convert-db

demonstrate-cargo2nix-bug

dangerous/no-fsync

dev0.7.3

doc/benchmarks

bug/check_static

bucket-cors-more

storage-optimizations

old-main

v1.0.0

v0.9.4

v1.0.0-rc1

v0.8.7

v0.9.3

v0.9.2

v0.8.6

v0.9.2-rc1

v0.9.1

v0.8.5

v0.10.0-beta1

v0.9.0

v0.9.0-rc2

v0.9.0-rc1

v0.9.0-beta4

v0.9.0-beta3

v0.9.0-beta2

v0.8.4

v0.9.0-beta1

v0.8.3

v0.8.3-rc1

format_table-v0.1.1

format_table-v0.1.0

v0.8.2

v0.8.1

v0.8.0

v0.8.0-rc2

v0.8.0-rc1

v0.8.0-dangerous-no-fsync

v0.8.0-beta2-k2v

v0.8.0-beta2

v0.8.0-beta1-k2v

v0.8.0-beta1

v0.7.99.3-k2v

v0.7.3

v0.7.3-beta2

v0.7.3-beta1

v0.7.2.1

v0.7.2

v0.7.2_ci-test-2

v0.7.2+ci-test-version

v0.7.99.2-k2v

v0.7.99.1-k2v

v0.7.99-k2v

v0.7.2-k2v

v0.7.1-admin-k2v-2

v0.7.1-admin-k2v

v0.7.1-k2v

v0.7.1

v0.7.0

v0.7.0-rc1

v0.6.1

v0.6.0

v0.6.0-rc1

v0.5.1

v0.5.0.1

v0.5.0

v0.5-beta1

v0.4.0

v0.4-rc2

v0.4-rc1

0.4-beta

0.4-alpha

v0.3.0.2

v0.3.0.1

v0.3.0

v0.2.1.5

v0.2.1

v0.2.0

0.1.1b

0.1.1

0.1.0b

0.1.0

Labels

Clear labels   

AdminAPI

Issues concerning the administration API

  

Bug

  

Check AWS

The behaviour should be checked against AWS S3

  

CI

Issues with Nix, Drone, Rust Compiler, etc.

  

Correctness

Issues of theoretical correctness that may impact edge-case scenarios

  

Critical

  

Documentation

  

Ideas

For abstract ideas/proposal to make Garage better, to better communicate our not yet achieved aims

  

Improvement

  

Low priority

For issues that we don't want to spend time on until made absolutely necessary

  

Newcomer

A bug that should be newcomer friendly.

  

Performance

  

S3 Compatibility

  

Testing

  

Usability

Propositions to make Garage easier to operate, by improving error reporting, CLI, etc.

No Label

AdminAPI

Bug

Check AWS

CI

Correctness

Critical

Documentation

Ideas

Improvement

Low priority

Newcomer

Performance

S3 Compatibility

Testing

Usability

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Deuxfleurs/garage#6

No description provided.