coosld/kubo
1
0
Fork 0
mirror of https://github.com/ipfs/kubo.git synced 2026-02-21 18:37:45 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
8ab2de5ff0
kubo/docs/content-blocking.md
Hector Sanjuan a0f34b16dd
feat: built-in content blocking based on IPIP-383 (#10161) 
Fixes #8492

This introduces "nopfs" as a preloaded plugin into Kubo
with support for denylists from https://github.com/ipfs/specs/pull/383

It automatically makes Kubo watch *.deny files found in:

- /etc/ipfs/denylists
- $XDG_CONFIG_HOME/ipfs/denylists
- $IPFS_PATH/denylists

* test: Gateway.NoFetch and GatewayOverLibp2p

adds missing tests for "no fetch" gateways one can expose,
in both cases the offline mode is done by passing custom
blockservice/exchange into path resolver, which means
global path resolver that has nopfs intercept is not used,
and the content blocking does not happen on these gateways.

* fix: use offline path resolvers where appropriate

this fixes the problem described in
https://github.com/ipfs/kubo/pull/10161#issuecomment-1782175955
by adding explicit offline path resolvers that are backed
by offline exchange, and using them in NoFetch gateways
instead of the default online ones

---------

Co-authored-by: Henrique Dias <hacdias@gmail.com>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
2023-10-28 05:34:14 +02:00

2.6 KiB
Raw Blame History


content blocking logo
Content Blocking in Kubo

Kubo ships with built-in support for denylist format from IPIP-383.

Default behavior

Official Kubo build does not ship with any denylists enabled by default.

Content blocking is an opt-in decision made by the operator of ipfs daemon.

How to enable blocking

Place a *.deny file in one of directories:

  • $IPFS_PATH/denylists/ ($HOME/.ipfs/denylists/ if IPFS_PATH is not set)
  • $XDG_CONFIG_HOME/ipfs/denylists/ ($HOME/.config/ipfs/denylists/ if XDG_CONFIG_HOME is not set)
  • /etc/ipfs/denylists/ (global)

Files need to be present before starting the ipfs daemon in order to be watched for updates.

If a new denylist file is added, ipfs daemon needs to be restarted.

CLI and Gateway users will receive errors in response to request impacted by a blocklist:

Error: /ipfs/QmQvjk82hPkSaZsyJ8vNER5cmzKW7HyGX5XVusK7EAenCN is blocked and cannot be provided

End user is not informed about the exact reason, see How to debug if you need to find out which line of which denylist caused the request to be blocked.

Denylist file format

NOpfs supports the format from IPIP-383.

Clear-text rules are simple: just put content paths to block, one per line. Paths with unicode and whitespace need to be percend-encoded:

/ipfs/QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR
/ipfs/bafybeihfg3d7rdltd43u3tfvncx7n5loqofbsobojcadtmokrljfthuc7y/927%20-%20Standards/927%20-%20Standards.png

Sensitive content paths can be double-hashed to block without revealing them. Double-hashed list example: https://badbits.dwebops.pub/badbits.deny

See IPIP-383 for detailed format specification and more examples.

How to suspend blocking without removing denylists

Set IPFS_CONTENT_BLOCKING_DISABLE environment variable to true and restart the daemon.

How to debug

Debug logging of nopfs subsystem can be enabled with GOLOG_LOG_LEVEL="nopfs=debug"

All block events are logged as warnings on a separate level named nopfs-blocks.

To only log requests for blocked content set GOLOG_LOG_LEVEL="nopfs-blocks=warn":

WARN (...) QmRFniDxwxoG2n4AcnGhRdjqDjCM5YeUcBE75K8WXmioH3: blocked (test.deny:9)