Open Myridium opened 2 years ago
What you're describing is a small variation of the 3rd setup variant.
As a sysadmin myself, I wasn't also convinced by installing a proxy on my tablet, so I run the 2nd and 3rd setup variants. As what you're suggesting doesn't work on some public/company networks that filters name resolution, 3rd is not perfect.
Also, it is not possible to fit everyone setups, for me the best we can do is to improve the documentation to make things clear on how to use it with nginx
, treafik
, HAproxy
, Caddy
, ... or whatever will be fashionable in the future.
/etc/hosts
is something far more simple and responding to 99% cases than bind9
which comes with a lot of questions (what to do if you already run a name server, what to do on networks filtering name resolution, what to do if I want to use my own NS how to do that with knot, unbound, powerdns, ..., oops it didn't work because I only share TCP port in docker, not UDP, ...): that's what a sysadmin needs to address, not a rmfakecloud user, nor a rmfakecloud developer. That's why the documentation asks to use the automagic script/toltec, as it should be the way for most people. Then it describes alternate ways for sysadmin.
What you're describing is a small variation of the 3rd setup variant.
As a sysadmin myself, I wasn't also convinced by installing a proxy on my tablet, so I run the 2nd and 3rd setup variants. As what you're suggesting doesn't work on some public/company networks that filters name resolution, 3rd is not perfect.
Also, it is not possible to fit everyone setups, for me the best we can do is to improve the documentation to make things clear on how to use it with
nginx
,treafik
,HAproxy
,Caddy
, ... or whatever will be fashionable in the future.
/etc/hosts
is something far more simple and responding to 99% cases thanbind9
which comes with a lot of questions (what to do if you already run a name server, what to do on networks filtering name resolution, what to do if I want to use my own NS how to do that with knot, unbound, powerdns, ..., oops it didn't work because I only share TCP port in docker, not UDP, ...): that's what a sysadmin needs to address, not a rmfakecloud user, nor a rmfakecloud developer. That's why the documentation asks to use the automagic script/toltec, as it should be the way for most people. Then it describes alternate ways for sysadmin.
3rd setup variant still requires running a reverse-proxy on the reMarkable.
Editing /etc/hosts
to point to the remote server directly (instead of 127.0.0.1
) is not a satisfactory solution as it drops information about the specific domain name. Then there is no way to route traffic on the server to the rmfakecloud
program as the usual method of redirecting traffic based on hostname
cannot work.
3rd setup variant still requires running a reverse-proxy on the reMarkable.
No, no proxy/reverse-proxy on reMarkable. The only reverse-proxy is the one to redirect ingress traffic on the server hosting rmfakecloud. On the reMarkable, you need to add the CA, then either edit /etc/hosts
or overwrite some DNS records, ...
Editing
/etc/hosts
to point to the remote server directly (instead of127.0.0.1
) is not a satisfactory solution as it drops information about the specific domain name. Then there is no way to route traffic on the server to thermfakecloud
program as the usual method of redirecting traffic based onhostname
cannot work.
No, the /etc/hosts
doesn't work the way you describe. When a program like curl
asks for a domain in /etc/hosts
, it calls getaddrinfo(3)
which returns the IP in /etc/hosts
, but it has no indication on how the domain has been resolved (through NS or through /etc/hosts
or whatever nsswitch is configured for). So curl
adds the Host:
header with the domain name, the same way. So it is possible to direct ingress trafic as usual. Try it, it's what I use :)
3rd setup variant still requires running a reverse-proxy on the reMarkable.
No, no proxy/reverse-proxy on reMarkable. The only reverse-proxy is the one to redirect ingress traffic on the server hosting rmfakecloud. On the reMarkable, you need to add the CA, then either edit
/etc/hosts
or overwrite some DNS records, ...Editing
/etc/hosts
to point to the remote server directly (instead of127.0.0.1
) is not a satisfactory solution as it drops information about the specific domain name. Then there is no way to route traffic on the server to thermfakecloud
program as the usual method of redirecting traffic based onhostname
cannot work.No, the
/etc/hosts
doesn't work the way you describe. When a program likecurl
asks for a domain in/etc/hosts
, it callsgetaddrinfo(3)
which returns the IP in/etc/hosts
, but it has no indication on how the domain has been resolved (through NS or through/etc/hosts
or whatever nsswitch is configured for). Socurl
adds theHost:
header with the domain name, the same way. So it is possible to direct ingress trafic as usual. Try it, it's what I use :)
Oh, interesting, I don't know why I thought /etc/hosts
worked otherwise. I guess it acts just like a domain name resolver. There's still the issue of having to redirect to a static IP though... better to have the reMarkable route name resolution requests to the server. Then if new domains need to be added, or the IP of the rmfakecloud
changes, then no issues. But, I understand the problems with this as you have raised.
Do any scripts automatically modify /etc/hosts
or is that file meant to be user-editable?
I'm actually confused now why there's a proxy running on the reMarkable at all. Why is it needed if we can simply edit /etc/hosts
?
Do any scripts automatically modify
/etc/hosts
or is that file meant to be user-editable?
This file is like /etc/passwd
, its contents is never replaced automatically, contrary to /etc/resolv.conf
. It's safe to edit.
I'm actually confused now why there's a proxy running on the reMarkable at all. Why is it needed if we can simply edit
/etc/hosts
?
I don't understand neither.
I'm actually confused now why there's a proxy running on the reMarkable at all. Why is it needed if we can simply edit
/etc/hosts
?I don't understand neither.
To have a self-signed cert that is trusted by the device, and to simplify hosting requirements for rmfakecloud itself, since you'd have to setup your host on the other end to allow all the various hostnames required. Not to mention you might be hosting behind something like cloudflare, so you don't want to use a direct IP address.
Do any scripts automatically modify
/etc/hosts
or is that file meant to be user-editable?This file is like
/etc/passwd
, its contents is never replaced automatically, contrary to/etc/resolv.conf
. It's safe to edit.I'm actually confused now why there's a proxy running on the reMarkable at all. Why is it needed if we can simply edit
/etc/hosts
?I don't understand neither.
Thanks, good to know.
To have a self-signed cert that is trusted by the device, and to simplify hosting requirements for rmfakecloud itself, since you'd have to setup your host on the other end to allow all the various hostnames required. Not to mention you might be hosting behind something like cloudflare, so you don't want to use a direct IP address.
Can you elaborate on why cloudflare means we can't use a direct IP address? I've never used cloudflare.
To have a self-signed cert that is trusted by the device, and to simplify hosting requirements for rmfakecloud itself, since you'd have to setup your host on the other end to allow all the various hostnames required. Not to mention you might be hosting behind something like cloudflare, so you don't want to use a direct IP address.
Can you elaborate on why cloudflare means we can't use a direct IP address? I've never used cloudflare.
It's not that you can't, it's that you can't if you want to use their features like ddos protection etc. In order to use those you have to route through their network, which would not be a static IP address due to how their edge networks work.
Instead of running a full HTTPS proxy on the reMarkable, why not simply run a DNS proxy (on the reMarkable)? This should (1) reduce the memory footprint and (2) eliminate the need for a static IP in /etc/hosts
. The DNS proxy would forward all requests as normal, except that requests for the cloud servers would instead resolve to the user's server.
I think full dnsmasq
is probably overkill, but there are some lightweight alternatives (after a quick search): blocky
dprox
you have to generate a cert for all the hostnames the tablet is using, then install the ca on all devices you use (like browsers etc) which is just a hassle and hard to automate
also about the memory usage @Myridium , VSZ is virtual memory (https://go.dev/doc/faq#Why_does_my_Go_process_use_so_much_virtual_memory), the real memory the proxy is using is around 10MB grep Vm /proc/$(pidof rmfake-proxy)/status
Current problem with RAM usage on reMarkable
Currently, in order to redirect traffic from our PC or the reMarkable tablet to our
rmfakecloud
, we are advised to edit/etc/hosts
to point tolocalhost
, and then run a local proxy on each PC and reMarkable.Editing the
/etc/hosts
file directly is something that irks me; it feels like poor practice. Then we must also run the reverse proxy locally. I don't like doing this as it's quite an opaque setup that is provided right now with this fork ofsecure
, and it uses binaries archived withininstaller.sh
. This is quite a poxy setup.Perhaps more importantly, the current setup consumes a huge amount of memory on the reMarkable; far more than anything else on the device!
(why
VSZ%
adds up to more than100%
I don't understand) That's really bad and it takes away from what other developers in the reMarkable ecosystem can do, because the RAM is mostly consumed byrmfake-proxy
.A better solution for 90% of users (using
dhcpcd
or having control over theirnameserver
selection)There is a solution to this, which is more elegant and simplifies setup on the client devices (I believe as much setup as possible should happen on the server). I am currently running this setup myself on my PC and it is working. The same can be done for the reMarkable. (I have not done it yet because I'm running this through
wireguard
which is not available for the reMarkable)Here's the idea: run
traefik
andbind9
alongsidermfakecloud
to provide SSL encryption (https
) and domain name resolution on the server side, taking that burden off of the clients.rmfakecloud
host, e.g. abind9
container. This can be packaged alongsidermfakecloud
using adocker-compose.yml
.rmfakecloud
host, e.g. atraefik
container.stdout
letting the user know that they can copy the Certificate Authority file to their devices)rmfakecloud
server preferentially. This can be accomplished very easily for most people by editing (creating if necessary)/etc/resolv.conf.head
and prepending the linenameserver IP_OF_RMFAKECLOUD
. (It may also be possible to use a hostname as the nameserver, I am not sure)dhcpcd
service.8.8.8.8
and8.8.4.4
, they can put in theirrmfakecloud
IP first.Some users will already be familiar with the popular software
pihole
(I am not) in which case I think they can configure custom domain name resolution their own way.For the other 10%
Unfortunately, this setup does require the nameserver running alongside
rmfakecloud
to take priority over any nameservers. Some users may not be willing to use theirrmfakecloud
server as the nameserver for ALL name resolutions. In that case, the user could runbind9
locally on their client devices and still benefit from thetraefik
proxy running on the server. This would free up all that memory.Additional client setup + mobile device support
Setting up a custom domain name server will enable users to use any of their devices (provided they are not so locked down that they can't edit its settings-- e.g. maybe iPhone).
Users would just do 2 things when setting up a new device:
rmfakecloud
IP.That's it! As long as a user has enough control over their device to do these things, then they can point all relevant traffic to their own
rmfakecloud
server. The only issue would be ifreMarkable
started using hard-coded IPs in their software.Other benefits
As long as no new Certificate Authorities have to be generated (new SSL certs are fine), then any changes to the list of reMarkable domains can be promulgated by simply updating
rmfakecloud
's nameserver. After theTTL
of DNS records expires (maybe 5 minutes?) client devices will detect the changes.Potential drawbacks
rmfakecloud
at a location geographically to them, else the queries to their nameserver may have high latency, which could (moderately) affect their other internet traffic.docker-compose.yml
. An advanced user can ignore it, use theDockerfile
and sort out the domain name resolution and SSL encryption themselves.Splitting
rmfakecloud
repositoryThe
rmfakecloud
repository currently takes on a number of tasks. Ideally, it would only deal with theDockerfile
and maybe some helper scripts. Things like proxies and domain name resolution would ideally be split out into their own projects, or sub-repositories. This is something to consider.