ic-gateway is the core service of the HTTP gateway that allows direct HTTP access to the canisters hosted on the Internet Computer.
ic-gateway enables direct HTTP access to canisters hosted on the Internet Computer, allowing you to host full dapps - both frontend and backend - entirely on-chain. It translates incoming HTTP requests into IC API calls and maps the canisters' responses back into HTTP responses.
ic-gateway also provides essential features for running a production HTTP gateway, including:
- TLS Termination: Automatically obtains and renews certificates using an ACME client and transparent OCSP stapling.
- Caching Layer: Improves user-perceived performance of hosted dapps.
- Denylist: Allows compliance with local legal frameworks (e.g., by restricting access to illegal content).
- Load Shedding: Drops the incoming requests if the moving average latency grows over defined threshold.
To install and set up ic-gateway, follow these steps:
- Grab the latest package from the releases page and install it
- Edit
/etc/default/ic-gatewayfile to configure the service using environment variables. SeeUsagesection below. - Start the service with
systemctl start ic-gateway
-
Clone the repository
git clone [email protected]:dfinity/ic-gateway.git cd ic-gateway
-
Install Rust
Follow the official Rust installation guide.
-
Build
Execute
cargo build --releasein theic-gatewayfolder and you'll get a binary intarget/releasesubfolder. -
Generate the certificate
If you want to run the service locally you'll need a certificate.
Store the certificate and private key in a directory with the names
<domain>.pemand<domain>.key, respectively. For example, to serve the domaingateway.icp, the files should be namedgateway.icp.pemandgateway.icp.key.For local testing, you can use self-signed certificates created with mkcert. For production, obtain a certificate from Let's Encrypt using
certbotor the built-in certificate provider.
- Domain name that points to the IP address where
ic-gatewaywill be running. It's denoted asgateway.icpin the examples below. - Port 443 open in the firewall
To run a minimal ic-gateway instance, use the following configuration in /etc/default/ic-gateway:
LOG_STDOUT="true"
HTTP_SERVER_LISTEN_TLS="[::]:443"
IC_URL="https://icp-api.io"
DOMAIN="gateway.icp"
ACME_CHALLENGE="alpn"
ACME_CACHE_PATH="/var/lib/ic-gateway/acme"
Create a folder to store ACME certificates & account info:
# mkdir -p /var/lib/ic-gateway/acme
Start the service:
# systemctl start ic-gateway
Once it is running, you can test it from the command-line using the following curl commands:
# fetch the NNS dapp
curl -sLv \
--resolve qoctq-giaaa-aaaaa-aaaea-cai.gateway.icp:443:127.0.0.1 \
https://qoctq-giaaa-aaaaa-aaaea-cai.gateway.icp
# fetch the main Internet Computer site
curl -sLv \
--resolve oa7fk-maaaa-aaaam-abgka-cai.gateway.icp:443:127.0.0.1 \
https://oa7fk-maaaa-aaaam-abgka-cai.gateway.icp
# fetch the Internet Identity dapp
curl -sLv \
--resolve rdmx6-jaaaa-aaaaa-aaadq-cai.gateway.icp:443:127.0.0.1 \
https://rdmx6-jaaaa-aaaaa-aaadq-cai.gateway.icp
ic-gateway offers various options that can be configured via command-line arguments or environment variables. For a full list, run ic-gateway --help.
Key settings include:
--http-server-listen-plain: Address for HTTP connections (only redirect to HTTPS).--http-server-listen-tls: Address for HTTPS connections.
--domain: Domains served byic-gateway--domain-canister-alias: "Pretty" names for specific canisters (e.g.,nnsinstead ofqoctq-giaaa-aaaaa-aaaea-cai).
--policy-denylist-*: All options to configure a canister denylist.
--ic-url: URL of the upstream API boundary nodes.--ic-use-discovery: Use discovery library for API boundary nodes.
Configures certificate management via from Let's Encrypt using either the TLS-ALPN-01 or the DNS-01 challenge. This is mostly suitable for single instance deployments.
--metrics-listen: Port for Prometheus metrics scraping.- Logging options like log level and output destination
External code contributions are currently not being accepted to this repository.
This project is licensed under the Apache License, Version 2.0. See the LICENSE file for more details.