IPFS API - connection refused

Created a Digital Ocean Ubuntu 20.04 droplet and set up an IPFS server node in it based on this tutorial.

If I run the following command in the server

ipfs swarm peers

I get the expected results


In addition, according to the documentation

Every command usable from the cli is also available through the HTTP API. For example:

ipfs swarm peers

curl -X POST http://127.0.0.1:5001/api/v0/swarm/peers

so, as I try

  • In Postman

Error: connect ECONNREFUSED 164.92.254.19:5001


  • In curl

curl: (7) Failed to connect to 164.92.254.19 port 5001 after 2295 ms: Connection refused



For reference, here’s the firewall


and as you can see TCP 5001 is open.

2 Likes

IPFS binds the API on localhost:5001, which means this API is only accessible on the same machine running the IPFS daemon.
You can change the API field in ~/.ipfs/config, but publicly exposing your API is not recommended and has security issues.

2 Likes

Bro use nginx or apache proxy if you are on the server

1 Like

No, just don’t expose the API like that publicly.
Use ssh tunneling like this to safely remotely access your API:

ssh remoteIPFSServer -L 5001:localhost:5001 -L 8080:localhost:8080
2 Likes

You can expose your api, you can check for request headers, or even cookies in the request before forwarding them to local ipfs daemon

1 Like

Based on a tip from the Reddit user techiesaravana who says

Hi, you have to edit ipfs config file you need to change the Address field to

“/ip4/0.0.0.0/tcp/5001”

I was able to solve the issue. To do so, I ran

ipfs config Addresses.API /ip4/0.0.0.0/tcp/5001

and then

systemctl restart ipfs

Now I get the expected result


1 Like
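
An added example, not part of any post in this thread and not IPFS project code: a check of the `Addresses.API` value from `~/.ipfs/config` that reports any API listener bound beyond loopback, which is the state the `ipfs config Addresses.API /ip4/0.0.0.0/tcp/5001` change above produces. The sample configs are constructed and trimmed to the `Addresses` section, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample configs, trimmed to the Addresses section of ~/.ipfs/config.
DEFAULT_CONFIG = '{"Addresses": {"API": "/ip4/127.0.0.1/tcp/5001"}}'
CHANGED_CONFIG = '{"Addresses": {"API": "/ip4/0.0.0.0/tcp/5001"}}'
LIST_CONFIG = '{"Addresses": {"API": ["/ip4/127.0.0.1/tcp/5001", "/ip6/::/tcp/5001"]}}'


def listener_exposure(multiaddr):
    """Classify a listener multiaddr by the interfaces it binds to."""
    parts = multiaddr.strip("/").split("/")
    proto = parts[0]
    host = parts[1] if len(parts) > 1 else ""
    if proto == "unix":
        return "loopback"  # Unix socket: reachable only from the same machine
    if proto in ("ip4", "ip6"):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return "unparsed"  # fail closed: report anything we cannot read
        if ip.is_loopback:
            return "loopback"
        return "all-interfaces" if ip.is_unspecified else "specific-interface"
    return "unparsed"


def audit_api_listeners(config_text, fields=("API",)):
    """Return (field, multiaddr, exposure) for each listener not on loopback."""
    addresses = json.loads(config_text).get("Addresses", {})
    findings = []
    for field in fields:
        value = addresses.get(field) or []
        listeners = [value] if isinstance(value, str) else value  # string or list
        for multiaddr in listeners:
            exposure = listener_exposure(multiaddr)
            if exposure != "loopback":
                findings.append((field, multiaddr, exposure))
    return findings


if __name__ == "__main__":
    for name, text in [("default", DEFAULT_CONFIG), ("changed", CHANGED_CONFIG),
                       ("list", LIST_CONFIG)]:
        print(name, audit_api_listeners(text) or "API bound to loopback only")
```

With the API left on loopback, the `ssh -L 5001:localhost:5001` tunnel suggested earlier in the thread still reaches it, so this check returning no findings does not prevent remote administration.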

don’t expose the API like that publicly

If you authenticate with bearer headers for example, that's not public. :)
That's a really smart way to do it too, I think it’s better if you want a long term solution. However ssh tunneling is lower effort and takes seconds to get running.

2 Likes

No pls don’t do that.
You are allowing anyone to access your IPFS node and it could be used to hack your server.

2 Likes

I wouldn’t say you automatically get hacked by letting anyone use it; the other way to say it would be anyone who can use it can hack your server, that’s nonsense. You know what hackers do too, they steal your headers in applications or your ssh key in memory; just accept it being a public API like ipfs.io.
People can’t hack your server just like that, plus ipfs isn’t your regular php backend that you can cut yourself with; they can use your resources though if they have access to it.
In applications you do want to use a local ipfs node or one that’s embedded in the application itself.

I wouldn’t say you automatically get hacked by letting anyone use it

Oh no no you do.
People can override binary files and gain RCE that way.

IPFS API access = RCE as the user of the process.

1 Like

You’ve got a point there. Though it’s strange, ipfs-go should mark files as non-executable when it writes any data to the local file system as a safety prevention. But I trust they must’ve done something like that already, and if they haven’t done that, ipfs doesn’t store any files as a whole either but segments of the object in its repository folder, so no way it’s going to get executed just like that! The chances are too weak for that!
Until I see a binary file getting executed just by exposing ipfs’s API, I won’t believe that for one sec. It’s the developer’s job to make sure the API can be used safely; we’re the ones who are supposed to protect people from harming themselves with what we’ve made. I know the people who are building ipfs, they’re all great people; I’ve watched many of their videos on YouTube where they are talking about ipfs at some sorts of conventions. There’s nothing to be worried about!

Marking files non-executable doesn’t protect you: you can clobber shared objects that get loaded, such as libs, or bash scripts that get run often. bash script.sh or python script.py execute files that don’t have the executable bit set perfectly fine (in all of those cases that’s just because it’s reading the file and interpreting it; the executable bit only protects you against direct execution).

2 Likes