In the Kubo RPC API doc, it is written that it must not be exposed to the public internet:
NEVER EXPOSE THE RPC API TO THE PUBLIC INTERNET
The RPC API provides admin-level access to your Kubo IPFS node, including /api/v0/config. It is bound to localhost by default on purpose. You should never expose it to the public internet, just like you would never expose a SQL database or other backend service. If you are looking for an interface designed for browsers and public internet, consider implementation-agnostic HTTP Gateway instead.
That makes sense, since a lot of operations are admin level. However, it could be interesting to expose a subset of this API behind some restrictions, to be able to “lend” an IPFS node to use cases where we cannot embed one in the app or where it does not make sense.
For example, we could expose:
- /api/v0/dag/put behind a rate limiter, knowing that spam could trigger garbage collection but with a frequency limit
- /api/v0/pin/add behind a password protection in http header so that trusted users can pin some files
Is there a known project which achieves that? Or is it a terrible idea? That would allow using a remote IPFS node without a system-level VPN setup, for instance.
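The restriction described in this post, sketched as the policy check a reverse proxy in front of the localhost-bound RPC port could run before forwarding anything. This is an added example, not code from the post or from Kubo; `Gate`, `Decide`, the limits and the secret are hypothetical, and it assumes the RPC API accepts only POST and that `dag/put` takes a `pin` option.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// Gate is a hypothetical deny-by-default policy for the two endpoints named in the post.
type Gate struct {
	Secret string         // shared secret required for pin/add (placeholder value)
	Limit  int            // dag/put calls allowed per client per Window
	Window time.Duration  // length of the fixed rate-limit window
	mu     sync.Mutex     // guards cur and count
	cur    int64          // index of the current window
	count  map[string]int // per-client dag/put calls in the current window
}

// Decide returns 200 if the request may be forwarded to Kubo, else the status to reply with.
func (g *Gate) Decide(method, path, query, client, token string, now time.Time) int {
	q, err := url.ParseQuery(query)
	authed := g.Secret != "" && subtle.ConstantTimeCompare([]byte(token), []byte(g.Secret)) == 1
	switch {
	case method != http.MethodPost: // the Kubo RPC API only accepts POST
		return http.StatusMethodNotAllowed
	case path == "/api/v0/pin/add" && authed:
		return http.StatusOK
	case path == "/api/v0/pin/add":
		return http.StatusUnauthorized
	case path != "/api/v0/dag/put" || err != nil || q.Has("pin"):
		return http.StatusForbidden // any other path; dag/put's pin option would pin without the secret
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if idx := now.UnixNano() / int64(g.Window); idx != g.cur || g.count == nil {
		g.cur, g.count = idx, map[string]int{} // new window: forget old counters
	}
	if g.count[client]++; g.count[client] > g.Limit {
		return http.StatusTooManyRequests
	}
	return http.StatusOK
}

func main() { // constructed request; a reverse proxy in front of Kubo would call Decide first
	g := &Gate{Secret: "REPLACE_ME", Limit: 2, Window: time.Minute}
	fmt.Println(g.Decide("POST", "/api/v0/dag/put", "pin=true", "203.0.113.7", "", time.Now())) // 403
}
```

The `client` key should be the TCP peer address seen by the proxy, since a client-supplied header would let a caller pick its own rate-limit bucket.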