BIND_IP should apply to sandcats UDP & HTTPS requests

[paulproteus]

Context:

• A user filed a support request today because their server has two public IP addresses on different network interfaces, and they've carefully configured BIND_IP= to bind their Sandstorm to the right one.
• However, sandcats.io detects their IP address as the other one. This is because sandcats.io autodetects the IP address, and because the Sandstorm code that communicates with sandcats.io ignores BIND_IP.

Plan:

• Adjust sandcats.js so that the UDP communication and HTTPS communication prefer BIND_IP.
  • FWIW I'm a little worried that for misconfigured servers, this could result in the HTTPS communication failing.

Other possible plans:

• Use network namespaces to achieve something similar to the above. However, I don't know a way to do it that way and don't know if it's possible, just stating that here in case it is possible.
• Use iptables (e.g. this tutorial on iptables + user ID filtering to set a rule that the Sandstorm UID always uses a particular IP. This would require root, which is a little sad.

[paulproteus]

@kentonv curious for your +1/-1 on the above plan.

[kentonv]

I guess this could conceivably go wrong if someone has configured a reverse proxy to sit in front of their server and therefore configured Sandstorm to listen on localhost only. I think this case could be handled by not using BIND_IP if it is in 127.0.0.0/8 -- clearly, using it in this case wouldn't work anyway.

Other than that case, this seems like clearly the right thing to do.

The two alternate plans both seem like the wrong solution to me, and overcomplicated in any case.

[gpl34]

Is there a milestone or an idea of date resolution for this item? Thank you.

[paulproteus]

Hi @gpl34 ,

There isn't at the moment. I suspect that's not the answer you were looking for, but at least it is an answer. :)

Hope that helps! Let me know if you have any other questions.

[gpl34]

Hi @paulproteus No, it's ok, it was just to be sure the problem was not going off radar. :-) Thank you!