feat: close port 8000 with configurable origin routing #43
Merged
Add two new env vars to sst.config.ts for optional port 8000 hardening:
- ORIGIN_URL: when set, API Gateway routes through this URL (tunnel, Caddy, or any HTTPS frontend) instead of directly to the Lightsail IP.
- MCP_PORT_CIDRS: controls port 8000 on the Lightsail firewall, same format as SSH_CIDRS. "none" maps to a non-routable CIDR (RFC 5737).

Together they close the plaintext HTTP exposure on port 8000. Forkers who don't configure either get identical behavior to today.

Extracted parseCidrs helper shared by SSH and MCP firewall logic. Updated deploy pipeline, DEPLOY.md (full Cloudflare Tunnel walkthrough with VM recovery procedure), ARCHITECTURE.md, and .env.example.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
NON_ROUTABLE_CIDR and OPEN_TO_ALL are now named constants. The fallback parameter is removed — undefined always means open to all, eliminating the risk of an empty-array fallback. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- ORIGIN_URL env var — when set, API Gateway routes through this URL (Cloudflare Tunnel, Caddy, or any HTTPS frontend) instead of directly to the Lightsail IP on port 8000
- MCP_PORT_CIDRS env var — controls port 8000 on the Lightsail firewall, same format as SSH_CIDRS. none maps to a non-routable CIDR (RFC 5737)
- parseCidrs helper shared by SSH and MCP firewall logic

Test plan
- npm run build — type-check passes
- npm test — 469 tests pass (no app code changes)
- sst deploy without ORIGIN_URL — routes to direct IP (backward-compat)
- sst deploy with ORIGIN_URL + MCP_PORT_CIDRS=none — routes through tunnel
- curl <lightsailIp>:8000 — connection timeout (port closed on firewall)
- curl <PUBLIC_URL>/healthz — 200 OK (API GW → Cloudflare Tunnel → localhost)
- curl <tunnel-hostname>/healthz — 200 OK (direct tunnel access)

🤖 Generated with Claude Code
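
An added sketch of the parsing rules stated in the description and commit messages above (unset means open to all, none maps to an RFC 5737 address, the result is never an empty list); it is not the PR's own parseCidrs. The constant values, the comma-separated input format, the isIpv4Cidr helper and the choice to reject a set-but-empty value are assumptions of this example.

```typescript
// Added example, not the PR's code. Constant names come from the commit
// message; their values and the comma-separated format are assumptions.
const OPEN_TO_ALL = "0.0.0.0/0";
const NON_ROUTABLE_CIDR = "192.0.2.0/32"; // inside TEST-NET-1 (RFC 5737)

// Hypothetical helper: strict IPv4 CIDR check (octets 0-255, prefix 0-32).
function isIpv4Cidr(value: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(value);
  if (m === null) return false;
  const octetsOk = m.slice(1, 5).every((o) => Number(o) <= 255);
  return octetsOk && Number(m[5]) <= 32;
}

function parseCidrs(raw: string | undefined): string[] {
  // Unset keeps the port open, the backward-compatible default.
  if (raw === undefined) return [OPEN_TO_ALL];

  const trimmed = raw.trim();
  // "none" closes the port by allowing only an address nobody can route from.
  if (trimmed === "none") return [NON_ROUTABLE_CIDR];

  const cidrs = trimmed
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s !== "");

  // A set-but-empty value is ambiguous, so fail the deploy instead of
  // handing the firewall an empty rule list.
  if (cidrs.length === 0) {
    throw new Error('CIDR list is set but empty; use "none" to close the port');
  }

  // Reject the whole value on any malformed entry (including "none" mixed
  // with real CIDRs) rather than silently dropping it.
  const bad = cidrs.filter((c) => !isIpv4Cidr(c));
  if (bad.length > 0) {
    throw new Error(`invalid CIDR(s): ${bad.join(", ")}`);
  }

  // De-duplicate while keeping the operator's order.
  return cidrs.filter((c, i) => cidrs.indexOf(c) === i);
}
```
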