Cloudflare is an American multinational technology company headquartered in San Francisco, with offices in London, UK. Cloudflare's main business is to provide customers with website security management, performance optimization and related technical support.

Clouflare's IPFS Gateway

Today, we’re excited to launch Cloudflare’s IPFS Gateway, an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require any special software to be installed and run on your computer. We hope that the Gateway, hosted at cloudflare-ipfs.com , will serve as a platform for many new high-reliability and security-enhanced web applications. The IPFS Gateway is the first product to be released as part of our Distributed Web Gateway project, which will eventually encompass all of our efforts to support new distributed web technologies .

This article will provide a brief introduction to IPFS. It will also describe what we built on top of the gateway , as well as documentation on how to serve your own content using your own custom hostnames through our gateway .

IPFS Quick Start

Typically, when you visit a website from your browser, the browser tracks down an origin server (or servers), which is the ultimate centralized repository for the website’s content. It then sends your computer’s request to that origin server, no matter where in the world it is, and that server sends the content back to your computer. This system has served the internet well for decades, but there’s one pretty big drawback: centralization makes it impossible to keep content online longer than the origin server that’s hosting it. If that origin server is hacked or taken out by a natural disaster, that content is unavailable. If the website owner decides to remove it, the content is gone. In short, mirrors aren’t a first-class concept on most platforms ( Cloudflare’s Always Online is a notable exception).

The InterPlanetary File System aims to change that. IPFS is a peer-to-peer file system made up of thousands of computers around the world, each storing files on behalf of the network. These files can be anything: pictures, 3D models, or even entire websites. More than 5,000,000,000 files have already been uploaded to IPFS .

IPFS and Traditional Web

There are two main differences between IPFS and the web as we think of it today.

First, with IPFS, anyone can cache and serve any content for free. Currently, the most common practice with the traditional web is to rely on large hosting providers in remote locations to store content and serve it to the rest of the web. If you want to build a website, you have to pay one of these major services to do it for you. With IPFS, anyone can register their computer as a node in the system and start serving data. It doesn't matter if you're using a Raspberry Pi or running the world's largest server. You can still be an efficient node in the system.

The second key difference is that data is content-addressed, rather than position-addressed. It’s a subtle difference, but the impact is huge, so it’s worth breaking down.

Currently, when you open your browser and navigate to example.com, you tell the browser "get the data stored at the IP address of example.com" (which happens to be 93.184.216.34). That IP address marks where on the web the content you want is stored. You then send a request to a server at that IP address for the content of "example.com," and the server sends back the relevant information. So, at the most basic level, you tell the web where to look, and the web sends back what it finds.

IPFS turns this on its head.

With IPFS, each block of data stored in the system is addressed by a cryptographic hash of its contents, that is, a unique string of letters and numbers for that block. When you want a piece of data in IPFS, you request it by its hash. So instead of asking the network, “Let me get the content stored at 93.184.216.34,” you ask, “Give me the content that has a hash of QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy .” ( QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy happens to be the hash of a .txt file containing the string “I’m trying IPFS”).

What's the difference?

Remember, with IPFS, you tell the network what to look for, and the network figures out where to look.

Why is this important?

First, it makes the network more resilient. A piece of content with the hash QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy can be stored on dozens of nodes, so if one node caching that content goes down, the network will simply look for the content on another node.

Second, it introduces an automatic level of security. Let's say you know the hash of the file you want. So you ask the network, "Give me the file with the hash QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy " (the example.txt file above). The network responds and sends the data. When you receive all the data back, you can resend it. If the data was changed at all in transit, the hash you got back will be different than the hash you asked for. You can think of a hash as a unique fingerprint of a file. If you send back a different file than you expected to receive, it will have a different fingerprint. This means the system has a built-in way to know if the content has been tampered with.

A note about IPFS addresses and cryptographic hashes

Since we’ve spent some time discussing why this content addressing system is so special, it’s worth talking about how IPFS addresses are constructed. Every address in IPFS is a multihash , which means that the address combines information about the hashing algorithm used and the hash output into a single string. There are three distinct parts to an IPFS multihash: the first byte of the mulithash indicates which hashing algorithm has been used to produce the hash; the second byte indicates the length of the hash; and the remaining bytes are the value output by the hash function. By default, IPFS uses the SHA-256 algorithm, which produces a 32-byte hash value. This is represented by the string “Qm” in Base58 (the default encoding for IPFS addresses), which is why all of the example IPFS addresses in this post are of the form “Qm…”

While SHA-256 is the standard algorithm currently in use, this Doha format allows the IPFS protocol to support addresses generated by other hashing algorithms. This allows the IPFS network to move to a different algorithm if the world discovers a flaw in SHA-256 at some point in the future. If someone hashes a file with another algorithm, the address of that file will start with some characters other than "Qm".

The good news is that, at least for now, SHA-256 is considered to have a number of properties that make it a strong cryptographic hash algorithm. The most important of these is that SHA-256 is collision-resistant. A collision occurs when there are two different files that produce the same hash when run through the SHA-256 algorithm. To understand the importance of preventing collisions, consider this brief scenario. Imagine that some IPFS user Alice uploads a file with some hash, and another user Bob uploads a different file that happens to produce the exact same hash. If this happens, there will be two different files in the network with the exact same address. So if some third person Carol makes an IPFS request for content at that address, she doesn't necessarily know whether she'll receive Bob's file or Alice's file.

SHA-256 makes collisions extremely unlikely. Because SHA-256 computes a 256-bit hash, there are 2^256 possible IPFS addresses that the algorithm can generate. Therefore, the probability of two files existing in IPFS that would produce a collision is low. Very low. If you're interested in more details, the Birthday Attack Wikipedia page has a cool table showing the likelihood of a collision with a sufficiently powerful hash algorithm.

How do you access content on IPFS?

Now that we've gone over all the ins and outs of IPFS, you might be wondering how to use it. There are many ways to access content stored in the IPFS network, but we'll discuss two popular ones here. The first method is to download IPFS to your computer. This turns your computer into a node of the IPFS network, which is the best way to interact with the network if you want to use it .

But what if you want to access content stored on IPFS without having to go through the hassle of operating a node locally on your computer? That's where IPFS gateways come into play. An IPFS gateway is a third-party node that fetches content from the IPFS network and serves it to you over HTTPS. To use a gateway, you don't have to download any software or type any code. You simply open a browser and type in the name of the gateway and the hash of the content you're looking for, and the gateway will serve the content in your browser.

Assume you know that you want to access the example.txt file from before, which has the hash QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy , and that there is a public gateway accessible https://example-gateway.com

To access this content, just open your browser and type

 https://example-gateway.com/ipfs/QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy 

And you will get the data stored at that hash. The combination of the /ipfs/ prefix and the hash is called the file path. You always need to provide the full file path to access content stored in IPFS.

What can you do with Cloudflare’s Gateway?

At the most basic level, you can access any of the billions of files stored on IPFS from your browser. But that's not the only cool thing you can do. Using Cloudflare's Gateway, you can also build a website that's hosted entirely on IPFS but still available to your users via a custom domain name. Additionally, we'll issue any website connected to our Gateway a free SSL certificate, ensuring that every website connected to a Cloudflare Gateway is safe from snooping and manipulation.

Dealing with abuse

IPFS is a peer-to-peer network, so it is possible for users to share abusive content. This is not something we support or condone. However, just like how Cloudflare works with more traditional customers, Cloudflare's IPFS Gateway is just a cache in front of IPFS. Cloudflare cannot modify or delete content from the IPFS network. If you become aware of any abusive content served by Cloudflare's IPFS Gateway, you can use the standard abuse reporting mechanisms.

Embracing a distributed future

IPFS is just one of a host of technologies that are embracing a new, decentralized vision of the web. At Cloudflare, we’re excited about the possibilities these new technologies bring, and we see the Gateway as a tool that helps bridge the gap between the traditional web and a new generation of distributed web technologies under the title of IPFS. By enabling everyday people to explore IPFS content in their browsers, we make the ecosystem stronger and support its growth. Just as Cloudflare changed the game for web media assets when it launched in 2010 by providing the security, performance, and availability previously available only to internet giants, we think the IPFS Gateway will provide the same boost for content on the distributed web.

Dieter Shirley, CTO of Dapper Labs and co-founder of CryptoKitties, said:

We’ve wanted to store CryptoKitty art on IPFS since we launched, but the technology wasn’t ready. Cloudflare’s announcement transforms IPFS from a promising experiment into a powerful tool for commercial deployment. Good stuff!

The IPFS Gateway is exciting, but it’s not the end. There are other equally interesting distributed web technologies that can benefit from Cloudflare’s massive global network, and we’re currently exploring those possibilities.