The development of the FAsset protocol was commissioned for and on behalf of the Flare Foundation. Accordingly, all completed repos for the protocol have been moved to the Flare Foundation GitHub, the protocol's ultimate owner.
The service is a secure way to expose files within a specified directory via https. It is useful for exposing logs generated by an infrastructure provider's program to its developers.
A minimal dockerized Python program for exposing files within a specified directory via http. To set up, run
cp .env.example .env
and fill in the .env file with required fields. Then build locally via
docker build . -t log-viewer
and run
docker compose up -d
Append the below configuration to your existing nginx configuration:
location /<ROOT_API_PATH> {
    proxy_pass http://127.0.0.1:<API_PORT>;
    rewrite ^/<ROOT_API_PATH>/(.*)$ /$1 break;
}
To allow access only from a selected IP, prepend
allow <IP>;
deny all;
to the previous nginx location rule.
To password-protect endpoint access for a user via basic auth, run
sudo sh -c "echo -n '<USERNAME>:' >> /etc/nginx/.htpasswd"
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd" # choose password
then prepend
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
to the previous nginx location rule (after IP whitelisting).
An example nginx configuration is
server {
    listen 443 ssl http2;
    server_name mydomain.com;
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    location /flare/view-logs {
        allow 155.130.131.55;
        deny all;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:57005;
        rewrite ^/flare/view-logs/(.*)$ /$1 break;
    }
}
Access the service by navigating to hostname.ext/<ROOT_API_PATH>/ (note the trailing slash).
The service guarantees that only files within the directory specified by LOG_DIR_PATH in .env are exposed, via multiple layers of protection:
- Application: The application is a 30-line Python script, without external dependencies, that can be quickly reviewed by the user. It explicitly ensures that no files outside the given directory are exposed, and serves locally on 127.0.0.1.
- Container: The service is dockerized with only the specified directory mounted as a volume. Effectively, even if there is a bug at the application layer, it would have great difficulty reaching beyond the mounted directory into the Docker host's filesystem.
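The kind of containment check the application layer describes can be sketched as follows. This is an added example, not the project's own script; `resolve_within`, `demo` and the file names in the throwaway directory are assumptions made for illustration.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlsplit


def resolve_within(root: Path, url_path: str) -> Path | None:
    """Map a request path to a file under root, or None if it escapes root."""
    root = root.resolve()
    # Drop query/fragment, then percent-decode so %2e%2e is seen as "..".
    rel = unquote(urlsplit(url_path).path).lstrip("/")
    if "\x00" in rel:
        return None
    # resolve() collapses ".." and follows symlinks, so the check below is on
    # the real on-disk target rather than on the string the client sent.
    candidate = (root / rel).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


def demo() -> dict[str, bool]:
    """Run constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        logs = base / "logs"  # stands in for LOG_DIR_PATH
        logs.mkdir()
        (logs / "agent.log").write_text("constructed log line\n")
        (base / "secret.txt").write_text("outside LOG_DIR_PATH\n")
        # Symlink inside the log directory pointing outside of it.
        os.symlink(base / "secret.txt", logs / "link.log")
        requests = [
            "/agent.log",
            "/../secret.txt",
            "/%2e%2e/secret.txt",
            "/sub/../../secret.txt",
            "/link.log",
            "/agent.log?x=/../secret.txt",
        ]
        return {r: resolve_within(logs, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{'serve ' if allowed else 'reject'} {request}")
```

Comparing resolved paths rather than searching the request string for `..` is what lets the same check reject both the percent-encoded traversal and the symlink that points outside the log directory.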
Additionally, the service is further secured by the deployer's nginx configuration:
- IP Whitelisting: Only requests from the specified IP are allowed,
- Basic Auth: Only requests with the configured correct username and password are allowed.
Even though the served files should not be sensitive in nature, the nginx configuration needs to provide TLS encryption, because, for example, the basic auth password would otherwise be sent in plaintext.