yuzutech / kroki

Creates diagrams from textual descriptions!
https://kroki.io
MIT License

Move the "examples" to docs.kroki.io #222

Open mirogta opened 4 years ago

mirogta commented 4 years ago

As a security engineer I want to block access to kroki.io so that our developers are not accidentally leaking information.

Background: We'd like to remove kroki.io from our firewall's whitelist, to force our developers to use our private kroki server exclusively, so that they don't accidentally leak our private Intellectual Property stored in our diagrams to a 3rd party.

Unfortunately, we have to whitelist kroki.io, because developers still want to access https://kroki.io/examples.html, which is not hosted on https://docs.kroki.io/kroki/

Can the examples be moved to the documentation?

mirogta commented 4 years ago

Would it make any sense to separate kroki.io website (leave it as project homepage) and the API (move e.g. to api.kroki.io?). We could then effectively whitelist kroki.io but block the api.kroki.io. I understand that this would be a breaking change, but perhaps it could be staged over a couple of months - e.g. spin up api.kroki.io and run it in parallel with kroki.io and eventually retire the API endpoint on kroki.io. I haven't created a separate issue, because you may disagree and just say No, we won't do that.

ggrossetie commented 4 years ago

> As a security engineer I want to block access to kroki.io so that our developers are not accidentally leaking information.

I think that's the correct way to do it.

> Background: We'd like to remove kroki.io from our firewall's whitelist, to force our developers to use our private kroki server exclusively, so that they don't accidentally leak our private Intellectual Property stored in our diagrams to a 3rd party. Unfortunately, we have to whitelist kroki.io, because developers still want to access https://kroki.io/examples.html, which is not hosted on https://docs.kroki.io/kroki/

I guess you will need to add more complex rules to your firewall. You could whitelist:

```
GET /css/*
GET /assets/*
GET /js/*
GET /index.html
GET /examples.html
```

And deny everything else.

> Can the examples be moved to the documentation?

Probably but it might require a bit of work to have the same look and feel in docs.kroki.io. To be honest, I don't want to spend too much time on it :sweat_smile:

> Would it make any sense to separate kroki.io website (leave it as project homepage) and the API (move e.g. to api.kroki.io?). We could then effectively whitelist kroki.io but block the api.kroki.io. I understand that this would be a breaking change, but perhaps it could be staged over a couple of months - e.g. spin up api.kroki.io and run it in parallel with kroki.io and eventually retire the API endpoint on kroki.io. I haven't created a separate issue, because you may disagree and just say No, we won't do that.

Indeed, I don't really want to do that :smile:

mirogta commented 4 years ago

OK. Apologies for so many comments, I'm not reading yours from different issues in the "right" order ;-) More complex firewall rules seem like a good workaround, we could live with that.

Thinking this through - if we block kroki.io but allow HTML+JS+CSS content from it, the diagrams wouldn't show up on the examples page. How difficult would it be to include the same examples page in the yuzutech/kroki docker image? We wouldn't then need any complex rules.

ggrossetie commented 4 years ago

> OK. Apologies for so many comments, I'm not reading yours from different issues in the "right" order ;-) More complex firewall rules seem like a good workaround, we could live with that.

No worries :+1:

> Thinking this through - if we block kroki.io but allow HTML+JS+CSS content from it, the diagrams wouldn't show up on the examples page.

The https://kroki.io/examples.html page is static (i.e. the diagrams are inlined in the HTML page).

> How difficult would it be to include the same examples page in the yuzutech/kroki docker image? We wouldn't then need any complex rules.

That should be possible but I need to give it some thought.