I have recently realized that we can use fly wireguard connections as a zero-trust authentication mechanism. The idea is that we can deploy apps inside Fly infrastructure but not exposed to the real world, and the only way to connect to those apps is via fly wireguard.
A small plug can be written that:

- Validates `conn.host` is either "my-app.internal" or ends with ".my-app-internal"
- For each request, we get `conn.remote_ip`, validate it is IPv6, and do a remote DNS lookup (equivalent to `dig PTR +short reverse.ip6.arpa`) and see if the IP is known. Currently it only validates IPv6, it does not return any user information

For it to work, you need to generate a WireGuard peer with a custom name: `fly wireguard create ORG REGION my-name`

PS: Here is how to compute the reverse lookup of an IPv6 address:
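As an added example (not the issue author's code), one way to build the `ip6.arpa` name from the 8-tuple in `conn.remote_ip` and run the PTR query with Erlang's `:inet_res`. The module name `ReversePtr`, its function names and the `opts` resolver options are assumptions.

```elixir
defmodule ReversePtr do
  # Added example, not code from the issue. Module and function names are hypothetical.

  # Plug stores an IPv6 peer in conn.remote_ip as a tuple of eight 16-bit groups.
  # Anything else (for example a 4-tuple IPv4 address) is rejected.
  def arpa_name({_, _, _, _, _, _, _, _} = ip) do
    # Pack the eight groups into 16 bytes, then split into 32 hex nibbles.
    packed = for group <- Tuple.to_list(ip), into: <<>>, do: <<group::16>>
    nibbles = for <<nibble::4 <- packed>>, do: Integer.to_string(nibble, 16)

    # The reverse zone lists nibbles least-significant first, dot separated.
    name =
      nibbles
      |> Enum.reverse()
      |> Enum.map_join(".", &String.downcase/1)

    {:ok, name <> ".ip6.arpa"}
  end

  def arpa_name(_other), do: {:error, :not_ipv6}

  # PTR query for the address, the same question `dig PTR +short <name>` asks.
  # `opts` is passed to :inet_res.lookup/4 (for example `nameservers:` and
  # `timeout:`); which resolver answers for the private network is an assumption
  # left to the caller.
  def ptr_names(ip, opts \\ []) do
    with {:ok, name} <- arpa_name(ip) do
      answers = :inet_res.lookup(String.to_charlist(name), :in, :ptr, opts)
      {:ok, Enum.map(answers, &List.to_string/1)}
    end
  end

  # Fails closed: a non-IPv6 peer, a timeout or an empty answer all mean
  # "not known", because :inet_res.lookup/4 returns [] when nothing resolves.
  def known_peer?(ip, opts \\ []) do
    match?({:ok, [_ | _]}, ptr_names(ip, opts))
  end
end
```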
We should also explore flycast. As far as I understand this would allow having Livebook accessible at myapp.flycast privately, only when connected via WireGuard.
We need to check if the reverse lookup still works the same.