Skip to content

IPC zh HK

ArchiBot edited this page Aug 12, 2021 · 34 revisions

IPC

ASF ๅŒ…ๅซ่‡ชๅทฑ็จ็‰น็š„ IPC ๆŽฅๅฃ๏ผŒๅฏ็”จๆ–ผ่ˆ‡ๆต็จ‹้€ฒไธ€ๆญฅไบคไบ’ใ€‚ IPCๆ„็‚บ** ้€ฒ็จ‹้–“้€šไฟก ๏ผŒๆœ€็ฐกๅ–ฎ็š„ๅฎš็พฉๆ˜ฏๅŸบๆ–ผ Kestrel HTTPไผบๆœๅ™จ **็š„โ€œASF็ถฒ้ ็•Œ้ขโ€œ๏ผŒๅฏ็”จๆ–ผ่ˆ‡ๆต็จ‹้€ฒไธ€ๆญฅ้›†ๆˆ๏ผŒๆ˜ฏๆœ€็ต‚็”จๆˆถ็š„ๅ‰็ซฏ๏ผˆASF-ui๏ผ‰๏ผŒไบฆๆ˜ฏ็ฌฌไธ‰ๆ–นๅทฅๅ…ท้›†ๆˆ็š„ๅพŒ็ซฏ๏ผˆASF API๏ผ‰ใ€‚

ๆ นๆ“šๆ‚จ็š„้œ€ๆฑ‚ๅ’ŒๆŠ€่ƒฝ๏ผŒIPC ๅฏ็”จๆ–ผ่ซธๅคšไธๅŒ็š„ไบ‹ๆƒ…ใ€‚ ไพ‹ๅฆ‚๏ผŒๆ‚จๅฏไปฅไฝฟ็”จๅฎƒไพ†็ฒๅ– ASF ๅ’Œๆ‰€ๆœ‰ๆฉŸๆขฐไบบ็š„็‹€ๆ…‹๏ผŒ็™ผ้€ ASF ๅ‘ฝไปค๏ผŒ็ฒๅ–ๅ’Œ็ทจ่ผฏๅ…จๅŸŸ/ๆฉŸๆขฐไบบ้…็ฝฎ๏ผŒๆทปๅŠ ๆ–ฐๆฉŸๆขฐไบบ๏ผŒๅˆช้™ค็พๆœ‰ๆฉŸๆขฐไบบ๏ผŒๆไบค** <a href =โ€œhttps๏ผš/ /github.com/JustArchiNET/ArchiSteamFarm/wiki/Background-games-redeemer">BGR **ๆˆ–่จชๅ• ASF ็š„ๆ—ฅ่ชŒๆช”ๆกˆใ€‚ ๆ‰€ๆœ‰้€™ไบ›ๆ“ไฝœ้ƒฝ็”ฑๆˆ‘ๅ€‘็š„ API ๅ…ฌ้–‹๏ผŒ้€™ๆ„ๅ‘ณ่‘—ๆ‚จๅฏไปฅ็ทจ่ผฏ่‡ชๅทฑ็š„ๅทฅๅ…ทๅ’Œ่…ณๆœฌ๏ผŒไปฅๅ…ถ่ˆ‡ ASF ้€šไฟกไธฆๅœจ้‹่กŒๆ™‚ๅฐๅ…ถ็”ข็”Ÿๅฝฑ้Ÿฟใ€‚ ้™คๆญคไน‹ๅค–๏ผŒๆˆ‘ๅ€‘็š„ ASF-ui ้‚„ๅฏฆ็พไบ†้ธๅฎš็š„ๆ“ไฝœ๏ผˆไพ‹ๅฆ‚็™ผ้€ๅ‘ฝไปค๏ผ‰๏ผŒๆ‚จๅฏไปฅ้€š้Žๅ‹ๅฅฝ็š„ Web ็•Œ้ข่ผ•้ฌ†่จชๅ•ๅฎƒๅ€‘ใ€‚


ไฝฟ็”จๆ–นๆณ•

Unless you manually disabled IPC through IPC global configuration property, it's enabled by default. ASF ๅฐ‡ๅœจๅ…ถๆ—ฅ่ชŒไธญ่ฒๆ˜Ž IPC ๅ•Ÿๅ‹•, ๆ‚จๅฏไปฅไฝฟ็”จ่ฉฒๆ—ฅ่ชŒ้ฉ—่ญ‰ IPC ไป‹้ขๆ˜ฏๅฆๅทฒๆญฃๅธธๅ•Ÿๅ‹•๏ผš

INFO|ASF|Start() Starting IPC server...
INFO|ASF|Start() IPC server ready!

ASF ็š„ http ไผบๆœๅ™จ็พๅœจๆญฃๅœจๅต่ฝ้ธๅฎš็š„็ซฏ้ปžใ€‚ ๅฆ‚ๆžœๆ‚จๆฒ’ๆœ‰็‚บ IPC ๆไพ›่‡ช่จ‚้…็ฝฎๆช”๏ผŒ้ ่จญ็ซฏ้ปžๅฐ‡็‚บๅŸบๆ–ผIPv4 ** 127.0.0.1 ๅ’ŒๅŸบๆ–ผIPv6็š„ [:: 1] **็š„1242็ซฏ้ปžใ€‚ ๆ‚จๅฏไปฅๅพž่ˆ‡้‹่กŒ ASF ้€ฒ็จ‹ๅŒไธ€ๅฐ้›ป่…ฆ้€š้ŽไปฅไธŠ้€ฃ็ต่จชๅ•ๆˆ‘ๅ€‘็š„ IPC ๆŽฅๅฃใ€‚

ASF ็š„ IPC ๆŽฅๅฃๆไพ›ไบ†ไธ‰็จฎไธๅŒ็š„่จชๅ•ๆ–นๅผ๏ผŒๅ…ท้ซ”ๅ–ๆฑบๆ–ผๆ‚จ็š„่จˆๅŠƒ็”จๆณ•ใ€‚

ๅœจๆœ€ไฝŽ็ดšๅˆฅ๏ผŒ** ASF API **ๆ˜ฏๆˆ‘ๅ€‘ IP CๆŽฅๅฃ็š„ๆ ธๅฟƒ๏ผŒไธฆๅ…่จฑๅ…ถไป–ๆ‰€ๆœ‰ๆ“ไฝœใ€‚ ้€™ๆ˜ฏๆ‚จๅธŒๆœ›ๅœจ่‡ชๅทฑ็š„ๅทฅๅ…ท๏ผŒๅฏฆ็”จ็จ‹ๅบๅ’Œ้ …็›ฎไธญไฝฟ็”จ็š„๏ผŒไปฅไพฟ็›ดๆŽฅ่ˆ‡ ASF ้€ฒ่กŒ้€šไฟกใ€‚

ๅœจไธญ็ญ‰็ดšๅˆฅ๏ผŒๆˆ‘ๅ€‘็š„** Swagger ๆ–‡ไปถ็ทจ่ฃฝ **ๅ……็•ถไบ† ASF API ็š„ๅ‰็ซฏใ€‚ ๅฎƒๅ…ทๆœ‰ ASF API ็š„ๅฎŒๆ•ดๆ–‡ไปถ็ทจ่ฃฝ๏ผŒ้‚„ๅ…่จฑๆ‚จๆ›ด่ผ•้ฌ†ๅœฐ่จชๅ•ๅฎƒใ€‚ ๅฆ‚ๆžœๆ‚จ่จˆๅŠƒ็ทจๅฏซ้€š้Žๅ…ถ API ่ˆ‡ ASF ้€šไฟก็š„ๅทฅๅ…ทใ€ๅฏฆ็”จ็จ‹ๅบๆˆ–ๅ…ถไป–้ …็›ฎ๏ผŒ้‚ฃ้บผๆ‚จๅฏไปฅๆชขๆŸฅ้€™ไธ€้ปžใ€‚

ๅœจๆœ€้ซ˜็ดšๅˆฅ๏ผŒ** ASF-ui **ๅŸบๆ–ผๆˆ‘ๅ€‘็š„ ASF API๏ผŒไธฆๆไพ›ๅฐ็”จๆˆถๅ‹ๅฅฝ็š„ๆ–นๅผไพ†ๅŸท่กŒๅ„็จฎ ASF ๆ“ไฝœใ€‚ ้€™ๆ˜ฏๆˆ‘ๅ€‘็‚บๆœ€็ต‚็”จๆˆถ่จญ่จˆ็š„้ป˜่ช IPC ๆŽฅๅฃ๏ผŒไนŸๆ˜ฏๆ‚จไฝฟ็”จ ASF API ๆง‹ๅปบ็š„ๅฎŒ็พŽ็คบไพ‹ใ€‚ ๅฆ‚ๆžœๆ‚จ้ก˜ๆ„๏ผŒๅฏไปฅไฝฟ็”จ่‡ช่จ‚ Web UI ่ˆ‡ ASF ไธ€่ตทไฝฟ็”จ๏ผŒๆ–นๆณ•ๆ˜ฏๆŒ‡ๅฎš --path ๅ‘ฝไปคๅˆ—ๅƒๆ•ธ๏ผŒไธฆไฝฟ็”จไฝๆ–ผ้‚ฃ่ฃก็š„่‡ชๅฎš็พฉwww็›ฎ้Œ„ใ€‚


ASF-ui

ASF-ui ๆ˜ฏไธ€ๅ€‹็คพๅ€้ …็›ฎ๏ผŒๆ—จๅœจๅ‰ตๅปบ็”จๆˆถๅ‹ๅฅฝ็š„ๅœ–ๅฝข Web ็•Œ้ขใ€‚ ็‚บไบ†ๅฏฆ็พ้€™ไธ€็›ฎๆจ™๏ผŒๅฎƒไฝœ็‚บๆˆ‘ๅ€‘** ASF API **็š„ๅ‰็ซฏ๏ผŒ่ฎ“ๆ‚จ่ผ•้ฌ†ๅœฐๅŸท่กŒๅ„็จฎๆ“ไฝœใ€‚ ้€™ๆ˜ฏ ASF ้™„ๅธถ็š„้ป˜่ช UIใ€‚

ๅฆ‚ไธŠๆ‰€่ฟฐ๏ผŒASF-ui ๆ˜ฏไธ€ๅ€‹็คพๅ€้ …็›ฎ๏ผŒไธ็”ฑ ASF ๆ ธๅฟƒ้–‹็™ผไบบๅ“ก็ถญ่ญทใ€‚ ๅฎƒ็š„ๆ‰€ๆœ‰็›ธ้—œๅ•้กŒใ€้Œฏ่ชค๏ผŒๆผๆดžๅ ฑๅ‘Šๅ’Œๅปบ่ญฐๆ‡‰้ตๅพช่‡ชๅทฑ็š„ๆต็จ‹** ASF-ui repo **ใ€‚

ASF-ui


ASF API

ๆˆ‘ๅ€‘็š„ASF APIๆ˜ฏๅ…ธๅž‹็š„** RESTful ** Web API๏ผŒๅฎƒ็š„ไธป่ฆๆ•ธๆ“šๆ ผๅผๅŸบๆ–ผJSONใ€‚ ๆˆ‘ๅ€‘ๆญฃๅœจ็›กๅŠ›ไฝฟ็”จHTTP็‹€ๆ…‹ไปฃ็ขผ๏ผˆๅœจ้ฉ็•ถ็š„ๆƒ…ๆณไธ‹๏ผ‰็ฒพ็ขบๆ่ฟฐ้Ÿฟๆ‡‰๏ผŒไปฅๅŠๆ‚จๅฏไปฅ่‡ชๅทฑ่งฃๆž็š„้Ÿฟๆ‡‰๏ผŒไปฅไพฟไบ†่งฃ่ซ‹ๆฑ‚ๆ˜ฏๅฆๆˆๅŠŸ๏ผŒไปฅๅŠๅฏ่ƒฝ็š„ๅคฑๆ•—ๅŽŸๅ› ใ€‚

ๅฏไปฅ้€š้Žๅ‘/Api็ซฏ้ปž็™ผ้€่ซ‹ๆฑ‚ไพ†่จชๅ•ๆˆ‘ๅ€‘็š„ ASF APIใ€‚ ๆ‚จๅฏไปฅไฝฟ็”จ้€™ไบ› API ็ซฏ้ปžไพ†ๅ‰ตๅปบ่‡ชๅทฑ็š„ๅนซๅŠฉ็จ‹ๅบ่…ณๆœฌใ€ๅทฅๅ…ทใ€GUI ็ญ‰ใ€‚ This is exactly what our ASF-ui achieves under the hood, and every other tool can achieve the same. ASF API is officially supported and maintained by core ASF team.

ๆœ‰้—œๅฏ็”จ็ซฏ้ปžใ€ๆ่ฟฐใ€่ซ‹ๆฑ‚ใ€้Ÿฟๆ‡‰ใ€http ็‹€ๆ…‹ไปฃ็ขผไปฅๅŠ็›ธ้—œ ASF API ๆ‰€ๆœ‰ๅ…ถไป–ๅ…งๅฎน็š„ๅฎŒๆ•ดๆ–‡ไปถ็ทจ่ฃฝ ๏ผŒ่ซ‹ๅƒ้–ฑๆˆ‘ๅ€‘็š„** swaggerๆ–‡ไปถ็ทจ่ฃฝ **ใ€‚

ASF API


่‡ช่จ‚้…็ฝฎ

Our IPC interface supports extra config file, IPC.config that should be put in standard ASF's config directory.

When available, this file specifies advanced configuration of ASF's Kestrel http server, together with other IPC-related tuning. Unless you have a particular need, there is no reason for you to use this file, as ASF is already using sensible defaults in this case.

่จญๅฎšๆช”ๅŸบๆ–ผไปฅไธ‹ JSON ็ตๆง‹๏ผš

{
    "Kestrel": {
        "Endpoints": {
            "example-http4": {
                "Url": "http://127.0.0.1:1242"
            },
            "example-http6": {
                "Url": "http://[::1]:1242"
            },
            "example-https4": {
                "Url": "https://127.0.0.1:1242",
                "Certificate": {
                    "Path": "/path/to/certificate.pfx",
                    "Password": "passwordToPfxFileAbove"
                }
            },
            "example-https6": {
                "Url": "https://[::1]:1242",
                "Certificate": {
                    "Path": "/path/to/certificate.pfx",
                    "Password": "passwordToPfxFileAbove"
                }
            }
        },
        "KnownNetworks": [
            "10.0.0.0/8",
            "172.16.0.0/12",
            "192.168.0.0/16"
        ],
        "PathBase": "/"
    }
}

Endpoints - This is a collection of endpoints, each endpoint having its own unique name (like example-http4) and Url property that specifies Protocol://Host:Port listening address. By default, ASF listens on IPv4 and IPv6 http addresses, but we've added https examples for you to use, if needed. You should declare only those endpoints that you need, we've included 4 example ones above so you can edit them easier.

Host accepts a variety of values, including * value that binds ASF's http server to all available interfaces. Be extremely careful when you use Host values that allow remote access. Doing so will enable access to ASF's IPC interface from other machines, which may pose a security risk. We strongly recommend to use IPCPassword (and preferably your own firewall too) at a minimum in this case.

KnownNetworks - This variable specifies network addresses which we consider trustworthy. By default, ASF is configured to trust loopback interface (localhost, same machine) only. This property is used in two ways. Firstly, if you omit IPCPassword, then we'll allow only machines from known networks to access ASF's API, and deny everybody else as a security measure. Secondly, this property is crucial in regards to reverse-proxies accessing ASF, as ASF will honor its headers only if the reverse-proxy server is from within known networks. Honoring the headers is crucial in regards to ASF's anti-bruteforce mechanism, as instead of banning the reverse-proxy in case of a problem, it'll ban the IP specified by the reverse-proxy as the source of the original message. Be extremely careful with the networks you specify here, as it allows a potential IP spoofing attack and unauthorized access in case the trusted machine is compromised or wrongly configured.

PathBase - This is base path that will be used by IPC interface. This property is optional, defaults to / and shouldn't be required to modify for majority of use cases. By changing this property you'll host entire IPC interface on a custom prefix, for example http://localhost:1242/MyPrefix instead of http://localhost:1242 alone. Using custom PathBase may be wanted in combination with specific setup of a reverse proxy where you'd like to proxy a specific URL only, for example mydomain.com/ASF instead of entire mydomain.com domain. Normally that would require from you to write a rewrite rule for your web server that would map mydomain.com/ASF/Api/X -> localhost:1242/Api/X, but instead you can define a custom PathBase of /ASF and achieve easier setup of mydomain.com/ASF/Api/X -> localhost:1242/ASF/Api/X.

้™ค้žๆ‚จ็ขบๅฏฆ้œ€่ฆๆŒ‡ๅฎš่‡ช่จ‚ๅŸบๆœฌ่ทฏๅพ‘๏ผŒๅฆๅ‰‡ๆœ€ๅฅฝๅฐ‡ๅ…ถไฟ็•™็‚บ้ ่จญ่ทฏๅพ‘ใ€‚

้…็ฝฎ็ฏ„ไพ‹

The following config will allow remote access from all sources, therefore you should ensure that you read and understood our security notice about that, available above.

{
    "Kestrel": {
        "Endpoints": {
            "HTTP": {
                "Url": "http://*:1242"
            }
        }
    }
}

If you do not require access from all sources, but for example your LAN only, then it's much better idea to use something like 192.168.0.* instead of *. Adapt the network address appropriately if you use a different one.


่บซไปฝ้ฉ—่ญ‰

ASF IPC ๆŽฅๅฃไธ้œ€่ฆไปปไฝ•้กžๅž‹็š„่บซไปฝ้ฉ—่ญ‰๏ผŒๅ› ็‚บ้ ่จญๆƒ…ๆณไธ‹IPCPassword็‚บnullใ€‚ ไฝ†ๆ˜ฏ๏ผŒๅฆ‚ๆžœ้€š้Ž่จญ็ฝฎ็‚บไปปไฝ•้ž็ฉบๅ€ผไพ†ๅ•Ÿ็”จIPCPassword๏ผŒๅ‰‡ๆฏๆฌก่ชฟ็”จ ASF ็š„ API ้ƒฝ้œ€่ฆ่ˆ‡IPCPasswordๅŒน้…็š„ๅฏ†็ขผใ€‚ ๅฆ‚ๆžœ็œ็•ฅ่บซไปฝ้ฉ—่ญ‰ๆˆ–่ผธๅ…ฅ้Œฏ่ชค็š„ๅฏ†็ขผ๏ผŒๆ‚จๅฐ‡ๆ”ถๅˆฐ401 - Unauthorized้Œฏ่ชคใ€‚ ๅฆ‚ๆžœๆ‚จ็นผ็บŒ็™ผ้€ๆœช็ถ“่บซไปฝ้ฉ—่ญ‰็š„่ซ‹ๆฑ‚๏ผŒๆœ€็ต‚ๆ‚จๅฐ‡ๆšซๆ™‚่ขซ403 - Forbidden ้Œฏ่ชคๅฐ็ฆใ€‚

่บซไปฝ้ฉ—่ญ‰ๅฏไปฅ้€š้Žๅ…ฉ็จฎไธๅŒ็š„ๆ–นๅผๅฎŒๆˆใ€‚

Authentication header

้€šๅธธ๏ผŒๆ‚จๆ‡‰่ฉฒ้€š้Ž่จญ็ฝฎAuthenticationๅญ—ๆฎต็™ผ้€ๅฐๆ–ผๆจ™้ ญ็š„ HTTP ่ซ‹ๆฑ‚ใ€‚ The way of doing that depends on the actual tool you're using for accessing ASF's IPC interface, for example if you're using curl then you should add -H 'Authentication: MyPassword' as a parameter. This way authentication is passed in the headers of the request, where it in fact should take place.

password parameter in query string

Alternatively you can append password parameter to the end of the URL you're about to call, for example by calling /Api/ASF?password=MyPassword instead of /Api/ASF alone. This approach is good enough, but obviously it exposes password in the open, which is not necessarily always appropriate. In addition to that it's extra argument in the query string, which complicates the look of the URL and makes it feel like it's URL-specific, while password applies to entire ASF API communication.


Both ways are supported and it's totally up to you which one you want to choose. We recommend to use HTTP headers everywhere where you can, as usage-wise it's more appropriate than query string. However, we support query string as well, mainly because of various limitations related to request headers. A good example includes lack of custom headers while initiating a websocket connection in javascript (even though it's completely valid according to the RFC). In this situation query string is the only way to authenticate.


Swagger ๆ–‡ไปถ็ทจ่ฃฝ

Our IPC interface, in additon to ASF API and ASF-ui also includes swagger documentation, which is available under /swagger URL. Swagger documentation serves as a middle-man between our API implementation and other tools using it (e.g. ASF-ui). It provides a complete documentation and availability of all API endpoints in OpenAPI specification that can be easily consumed by other projects, allowing you to write and test ASF API with ease.

Apart from using our swagger documentation as a complete specification of ASF API, you can also use it as user-friendly way to execute various API endpoints, mainly those that are not implemented by ASF-ui. ็”ฑๆ–ผๆˆ‘ๅ€‘็š„ swagger ๆ–‡ๆช”ๆ˜ฏๅพž ASF ไปฃ็ขผ่‡ชๅ‹•็”Ÿๆˆ็š„๏ผŒๅ› ๆญคๆ‚จๅฏไปฅไฟ่ญ‰ๆ–‡ๆช”ๅง‹็ต‚่ˆ‡ๆ‚จ็š„ ASF ็‰ˆๆœฌไธญๅŒ…ๅซ็š„API็ซฏ้ปžไธญ็š„ๆœ€ๆ–ฐๆ–‡ๆช”ไฟๆŒๅŒๆญฅใ€‚

Swagger ๆ–‡ไปถ็ทจ่ฃฝ


ๅฆ‚ไฝ•ไฝฟ็”จ

Is ASF's IPC interface secure and safe to use?

ASF by default listens only on localhost addresses, which means that accessing ASF IPC from any other machine but your own is impossible. Unless you modify default endpoints, attacker would need a direct access to your own machine in order to access ASF's IPC, therefore it's as secure as it can be and there is no possibility of anybody else accessing it, even from your own LAN.

However, if you decide to change default localhost bind addresses to something else, then you're supposed to set proper firewall rules yourself in order to allow only authorized IPs to access ASF's IPC interface. In addition to doing that, you will need to set up IPCPassword, as ASF will refuse to let other machines access ASF API without one, which adds another layer of extra security. You may also want to run ASF's IPC interface behind a reverse proxy in this case, which is further explained below.

ๆˆ‘ๅฏไปฅ้€š้Ž่‡ชๅทฑ็š„ๅทฅๅ…ทๆˆ–็”จๆˆถ่…ณๆœฌ่จชๅ• ASF API ๅ—Ž๏ผŸ

ๆ˜ฏ็š„๏ผŒ้€™ๅฐฑๆ˜ฏASF API็š„่จญ่จˆ็›ฎ็š„๏ผŒๆ‚จๅฏไปฅไฝฟ็”จไปปไฝ•่ƒฝๅค ็™ผ้€HTTP่ซ‹ๆฑ‚็š„ๅทฅๅ…ทไพ†่จชๅ•ๅฎƒใ€‚ Local userscripts follow CORS logic, and we allow access from all origins for them (*), as long as IPCPassword is set, as an extra security measure. This allows you to execute various authenticated ASF API requests, without allowing potentially malicious scripts to do that automatically (as they'd need to know your IPCPassword to do that).

ๆˆ‘ๅฏไปฅๅพžๅฆไธ€ๅฐๆฉŸๅ™จ้ ็จ‹่จชๅ• ASF IPC ๅ—Ž๏ผŸ

Yes, we recommend to use a reverse proxy for that. This way you can access your web server in typical way, which will then access ASF's IPC on the same machine. Alternatively, if you don't want to run with a reverse proxy, you can use custom configuration with appropriate URL for that. For example, if your machine is in a VPN with 10.8.0.1 address, then you can set http://10.8.0.1:1242 listening URL in IPC config, which would enable IPC access from within your private VPN, but not from anywhere else.

ๆˆ‘ๅฏไปฅๅœจๅๅ‘ไปฃ็†๏ผˆไพ‹ๅฆ‚ Apache ๆˆ– Nginx๏ผ‰ๅพŒไฝฟ็”จ ASF IPC ๅ—Ž๏ผŸ

ๆ˜ฏ็š„๏ผŒๆˆ‘ๅ€‘็š„ IPC ่ˆ‡ๆญค้กž่จญ็ฝฎๅฎŒๅ…จๅ…ผๅฎน๏ผŒๅ› ๆญคๅฆ‚ๆžœๆ‚จ้ก˜ๆ„็š„่ฉฑ๏ผŒๆ‚จๅฏไปฅๅœจไฝฟ็”จ่‡ชๅทฑ็š„ๅทฅๅ…ทๅ‰่‡ช็”ฑ่จ—็ฎกๅฎƒ๏ผŒไปฅ็ฒๅพ—้กๅค–็š„ๅฎ‰ๅ…จๆ€งๅ’Œๅ…ผๅฎนๆ€งใ€‚ In general ASF's Kestrel http server is very secure and possesses no risk when being connected directly to the internet, but putting it behind a reverse-proxy such as Apache or Nginx could provide extra functionality that wouldn't be possible to achieve otherwise, such as securing ASF's interface with a basic auth.

็คบไพ‹ Nginx ้…็ฝฎๅฏไปฅๅœจไธ‹้ขๆ‰พๅˆฐใ€‚ We've included full server block, although you're interested mainly in location ones. Please refer to nginx documentation if you need further explanation.

server {
    listen *:443 ssl;
    server_name asf.mydomain.com;
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/certificate.key;

    location ~* /Api/NLog {
        proxy_pass http://127.0.0.1:1242;

        # Only if you need to override default host
#       proxy_set_header Host 127.0.0.1;

        # X-headers should always be specified when proxying requests to ASF
        # They're crucial for proper identification of original IP, allowing ASF to e.g. ban the actual offenders instead of your nginx server
        # Specifying them allows ASF to properly resolve IP addresses of users making requests - making nginx work as a reverse proxy
        # Not specifying them will cause ASF to treat your nginx as the client - nginx will act as a traditional proxy in this case
        # If you're unable to host nginx service on the same machine as ASF, you most likely want to set KnownNetworks appropriately in addition to those
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;

        # We add those 3 extra options for websockets proxying, see https://nginx.org/en/docs/http/websocket.html
        proxy_http_version 1.1;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Upgrade $http_upgrade;
    }

    location / {
        proxy_pass http://127.0.0.1:1242;

        # Only if you need to override default host
#       proxy_set_header Host 127.0.0.1;

        # X-headers should always be specified when proxying requests to ASF
        # They're crucial for proper identification of original IP, allowing ASF to e.g. ban the actual offenders instead of your nginx server
        # Specifying them allows ASF to properly resolve IP addresses of users making requests - making nginx work as a reverse proxy
        # Not specifying them will cause ASF to treat your nginx as the client - nginx will act as a traditional proxy in this case
        # If you're unable to host nginx service on the same machine as ASF, you most likely want to set KnownNetworks appropriately in addition to those
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Example Apache configuration can be found below. Please refer to apache documentation if you need further explanation.

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName asf.mydomain.com

        SSLEngine On
        SSLCertificateFile /path/to/your/fullchain.pem
        SSLCertificateKeyFile /path/to/your/privkey.pem

        # TODO: Apache can't do case-insensitive matching properly, so we hardcode two most commonly used cases
        ProxyPass "/api/nlog" "ws://127.0.0.1:1242/api/nlog"
        ProxyPass "/Api/NLog" "ws://127.0.0.1:1242/Api/NLog"

        ProxyPass "/" "http://127.0.0.1:1242/"
    </VirtualHost>
</IfModule>

ๆˆ‘ๅฏไปฅ้€š้Ž HTTPS ๅ”่ญฐ่จชๅ• IPC ๆŽฅๅฃๅ—Ž๏ผŸ

Yes, you can achieve it through two different ways. A recommended way would be to use a reverse proxy for that, where you can access your web server through https like usual, and connect through it with ASF's IPC interface on the same machine. This way your traffic is fully encrypted and you don't need to modify IPC in any way to support such setup.

Second way includes specifying a custom config for ASF's IPC interface where you can enable https endpoint and provide appropriate certificate directly to our Kestrel http server. This way is recommended if you're not running any other web server and don't want to run one exclusively for ASF. Otherwise, it's much easier to achieve a satisfying setup by using a reverse proxy mechanism.


Why am I getting 403 Forbidden error when not using IPCPassword?

Starting with ASF V5.1.2.1, we've added additional security measure that, by default, allows only loopback interface (localhost, your own machine) to access ASF API without IPCPassword set in the config. This is because using IPCPassword should be a minimum security measure set by everybody who decides to expose ASF interface further. You're still able to override this decision by specifying the networks which you trust to reach ASF without IPCPassword specified, you can set those in KnownNetworks property in custom config. However, unless you really know what you're doing and fully understand the risks, you should instead use IPCPassword as declaring KnownNetworks will allow everybody from those networks to access ASF API unconditionally.

Clone this wiki locally