Closed josevalim closed 4 days ago
We should also explore flycast. As far as I understand this would allow having Livebook accessible at myapp.flycast
privately, only when connected via WireGuard.
We need to check if the reverse lookup still works the same.
Closing this for now. We will probably explore other routes for authentication for now.
I have recently realized that we can use
fly wireguard
connections as a zero-trust authentication mechanism. The idea is that we can deploy apps inside Fly infrastructure but not exposed to the real world, and the only way to connect to those apps is viafly wireguard
.A small plug can be written that:
Validate
conn.host
is either "my-app.internal" or ends with".my-app-internal"
For each request, we get
conn.remote_ip
, validate it is ipv6, and do a remote dns look up (equivalent todig PTR +short reverse.ip6.arpa
and see if the IP is known. Currently it only validates ipv6, it does not return any user informationFor it to work, you need to generate a wireguard with a custom name
fly wireguard create ORG REGION my-name
PS: Here is how to do compute the reverse lookup of a IPv6 address: