search

livebook-dev / livebook

Automate code & data workflows with interactive Elixir notebooks
https://livebook.dev
Apache License 2.0
4.86k stars 415 forks source link

Support Fly for zero-trust authentication #2610

Closed josevalim closed 4 days ago

josevalim commented 4 months ago

I have recently realized that we can use fly wireguard connections as a zero-trust authentication mechanism. The idea is that we can deploy apps inside Fly infrastructure but not exposed to the real world, and the only way to connect to those apps is via fly wireguard.

A small plug can be written that:

  1. Validate conn.host is either "my-app.internal" or ends with ".my-app-internal"

  2. For each request, we get conn.remote_ip, validate it is ipv6, and do a remote dns look up (equivalent to dig PTR +short reverse.ip6.arpa and see if the IP is known. Currently it only validates ipv6, it does not return any user information

  3. For it to work, you need to generate a wireguard with a custom name fly wireguard create ORG REGION my-name

PS: Here is how to do compute the reverse lookup of a IPv6 address:

"fdaa:0:36c9:a7b:9476:0:a:802"
|> String.split(":")
|> Enum.map(&String.pad_leading(&1, 4, "0"))
|> Enum.flat_map(&String.to_charlist/1)
|> Enum.reverse()
|> Enum.map_join(".", &<<&1>>)
|> Kernel.<>(".ip6.arpa")
#=> "2.0.8.0.a.0.0.0.0.0.0.0.6.7.4.9.b.7.a.0.9.c.6.3.0.0.0.0.a.a.d.f.ip6.arpa"
jonatanklosko commented 4 months ago

We should also explore flycast. As far as I understand this would allow having Livebook accessible at myapp.flycast privately, only when connected via WireGuard.

We need to check if the reverse lookup still works the same.

josevalim commented 4 days ago

Closing this for now. We will probably explore other routes for authentication for now.