
General issue tracker for the YunoHost project

Research and document how to create your own VPN/proxy to bypass the router #1742

Open lightnin opened 3 years ago

lightnin commented 3 years ago

Develop documentation explaining the user setup experience using a reverse proxy / tunneling service like boringproxy.io. This is a step towards a simplified solution for end users in which they simply flash YunoHost on their local device and then sign up for a service that handles DNS and tunneling proxies to their device, thereby radically simplifying the install process and making self-hosting a realistic option for many more users.

Advantages:

  1. Using a reverse proxy / tunnel manager, it should be possible to avoid having to open ports on the router (or interact with the router at all), thereby removing one of the more difficult steps in setting up YunoHost.

  2. It seems likely that DNS for customized domains could be potentially integrated into the process (similar to how it is with nohost.me), thereby simplifying another layer of complexity for the end user.

Disadvantages:

  1. It requires setting up a VPS on which to run the proxy. (One wonders if such a service could be automated or provided by YunoHost, similar to how nohost.me automates DNS.)

  2. Requires trust of the forwarding server / VPS in that it could man-in-the-middle the user's home-based server. (Zero-trust implementations are possible, see https://github.com/fractalnetworksco/selfhosted-gateway for an example.)

Documentation should be modeled on the scenarios already described here: https://yunohost.org/en/dns_nohost_me

Resources: https://boringproxy.io/usage/

Related threads:

  - On the YunoHost forums: https://forum.yunohost.org/t/simplifying-yunohost-installation-with-a-reverse-proxy-and-tunnel-managing-service/14524
  - On the boringproxy.io GitHub (with boringproxy creator Anderspitman): https://github.com/boringproxy/boringproxy/issues/61#issuecomment-779360080

zamentur commented 3 years ago
> 1. One wonders if such a service could be automated or provided by YunoHost

I think we couldn't do that because proxying from YunoHost infra means a lot of bandwidth. Moreover, it centralizes things.

lightnin commented 3 years ago

@zamentur I can see your point. So maybe it would be better to focus on enabling other hosting providers to serve as proxies, so that an end user can work with whoever they wish to.

alexAubin commented 1 year ago

Changing the name of the issue according to previous comment

Imho there's definitely some interesting R&D to be done using Wireguard or maybe Zerotier to host your stuff @ home (or wherever) and set up a small online VPS whose only role would be to expose the server using VPN-like technology

lightnin commented 1 year ago

Note that disadvantage #2 above (need to trust VPS provider) is no longer an issue, as it's now feasible to set up a zero-trust reverse proxy. Here is an example open implementation: https://github.com/fractalnetworksco/selfhosted-gateway

alexAubin commented 1 year ago

Sounds pretty awesome :open_mouth:

Though I remain slightly skeptical about the "zero trust" if you're still pointing your A/AAAA records to a third party, in which case that third party would be able to generate a Let's Encrypt cert anytime for that domain and effectively run a MiTM on all your traffic :sweat_smile:

lightnin commented 1 year ago

> Though I remain slightly skeptical about the "zero trust" if you're still pointing your A/AAAA records to a third party, in which case that third party would be able to generate a Let's Encrypt cert anytime for that domain and effectively run a MiTM on all your traffic 😅

Ah - so maybe it is still an issue! I thought that since the tunnel on the VPS itself doesn't have your SSL cert, and only your local machine at the (home) end of the tunnel does, then the ISP couldn't man-in-the-middle you. But I guess you're right, and they could get the same domain cert and then just add another layer of reverse proxy on top of yours. Hmm, I wonder if there is any way to prevent such a thing? I guess the local system would be able to tell if this is happening, as all its clients would be from the evil proxy (and not proper TLS connections from various IPs out in the world, the normal / healthy state of affairs)?
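One way a home server could notice the scenario discussed above (some party on the public path to the domain terminating TLS with a different certificate) is to connect outward to its own public hostname and compare the leaf certificate it sees with the one it serves itself. This is an added example, not code from the issue or from YunoHost; the domain and certificate path are placeholders, and the PEM constant is a constructed value used only to exercise the parsing offline.

```python
"""Self-check for a server published through a VPN/tunnel gateway: compare the
certificate presented on the public path with the one the home server holds."""
import hashlib
import socket
import ssl

# Hypothetical values: replace with your own domain and certificate file.
DOMAIN = "example.yunohost.invalid"
LOCAL_CERT_PATH = "/path/to/your/fullchain.pem"  # placeholder path

def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM file (the leaf)."""
    first = pem_text.split("-----END CERTIFICATE-----")[0] + "-----END CERTIFICATE-----"
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(first))

def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate presented for `host` from the outside."""
    ctx = ssl.create_default_context()
    # We only want to observe which certificate is presented; the trust
    # decision is made by the fingerprint comparison, so skip verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_tunnel_integrity(expected_fp: str, observed_der: bytes) -> dict:
    """Compare the fingerprint we serve with the one observed via the gateway."""
    observed_fp = cert_fingerprint(observed_der)
    return {"match": expected_fp == observed_fp,
            "expected": expected_fp, "observed": observed_fp}

# Constructed PEM (base64 of b"ABC", not a real certificate) so the PEM
# handling can be exercised without any certificate on disk.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    with open(LOCAL_CERT_PATH) as f:
        expected = pem_fingerprint(f.read())
    result = check_tunnel_integrity(expected, fetch_presented_cert(DOMAIN))
    print("OK" if result["match"] else "MISMATCH: TLS terminated elsewhere", result)
```

A mismatch only shows that a TLS-terminating intermediary is present for this probe; a gateway could still present the genuine certificate to the home server's own connections while intercepting others, so this complements rather than replaces monitoring of certificate issuance for the domain.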

alexAubin commented 1 year ago

Hmm, the ISP cannot interfere with that traffic; I was more thinking about the third party hosting the gateway - assuming that this is effectively someone else hosting the gateway and not just yourself.

I was thinking about "zero trust" like in "zero knowledge" where you obtain a service from a third party without having to actually trust that party - and/or them not knowing what they serve, such as https://privatebin.info/ (though we could debate about the lack of mechanism to effectively trust the javascript code but I digress ;P)

Anyway maybe I'm being overpedantic, the point is that one can definitely self-host such a reverse-proxy-over-VPN on a VPS

lightnin commented 1 year ago

Ah where I said ISP I should have said "VPS provider". But agreed, it's doable with a VPS. But if the goal is to make self-hosting available to more people, we should aim for some sort of zero-trust (or pretty near zero? low-trust? Auditable?) way that they can have their self-hosted server connect to the world wide webs without having to deal with router ports (and ideally DNS). So, to reason from the UX side towards the technical, something that would allow the end user to plug their Raspberry Pi or whatever into their network, choose and register a domain or use a free one, choose applications and assign them to subdomains, and have it just work. So the user only has to interact with a single application - in this case, YunoHost. That might require that there be some sort of service on a VPS that their Pi reaches out to that somebody, maybe YunoHost, keeps running. But the less trust they need for it the better.