necrosato
commented
5 years ago @margielamadman Sorry, the email for this went to my junk box for some reason. Just now seeing it.
Remember in the future we plan on adding authentication to the control server so this whole deal is publicly accessible just to the admin. The whole point of the control server is that it will allow a single point of authentication to all home alert nodes, so it is the only part of the internal network that needs to be publicly accessible. If the control server gets moved outside the private network of the main servers, then each of the main servers has to have a way for the control server to forward traffic from main server to the end user. I can think of two options off the top of my head.
- Each main server has to become publicly accessible to everyone. This is unfortunate because then we really have to make sure our firewall rules are set up properly, we can be much more lax if we're on a private network.
- It may be possible for each main server to initiate a an ssh tunnel to the control server exposing the main server port (a la iron-biscotti but instead of attaching to ssh you attach to the main server service). I like this option because then the main servers are never publicly accessible. Only thing I'm not sure about is if one can hit multiple endpoints with one tunnel. Definitely worth looking into. Another reason I like this option is it would eliminate any need for firewall rules. The application is never exposed to the network. It just accepts requests from localhost through the ssh tunnel. Also, this option works for both control servers on the private network or in the cloud.
How would the config file need to be changed so that I can have a control server in the cloud reachable with a public ip that then controls the locations in my house? That way I can use the app from anywhere. Does the reverse proxy on the control server just handle that?