You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I want to add a built in self-hosted ngrok system to Casket. This would allow you to say, run a Casket instance on a server with an interface to a public IP, and another Casket instance on your computer behind a NAT, and trivially expose the Casket instance on your computer by forwarding requests from the remote server.
Problems to solve:
Authentication (ensure that only authorized Casket clients can expose sites on the remote server).
Configuration (how should configuration look like on both sides?)
Networking (how should the client communicate with the server?)
Configuration
On the Internet facing server
You would need to add a Casket server block for each server you want to run in order for TLS to work nicely. The inconvenience of this can be mitigated by allowing the use of wildcard blocks on the Internet facing server side that can resolve to as many different clients as desired. A secret must also be specified to authenticate clients.
Proposed configuration:
mysite.com {
tun mysecret
}
*.mysite.com {
tun mysecret2
}
:4000 {
tun mysecret3
tls self_signed
}
On the client server (i.e. computer behind NAT)
Proposed configuration:
tun://mysite.com {
tun mysecret # if unspecified, defaults to environment variable maybe? CASKET_TUN_SECRET perhaps?# etc...
}
tun://example.mysite.com {
tun mysecret2
# etc...
}
tun://mysite.com:4000 {
tun mysecret3 {
insecure # tunnel is insecure as communication will be over plaintext HTTP/TCP
}
tls # TLS is mandatory# etc...
}
Networking
The client shall communicate to the server by connecting to the hostname specified
as the server block name, and forming a WebSocket connection to /.well-known/tun/{secret}.
With the client configuration examples above, it would look like connecting to:
The last example is over ws:// as determined by the insecure parameter. All
connections will be over wss:// otherwise.
The implementation specifics is to be determined, but I will likely use multiple (say 10 or so) multiplexed WebSocket connections that requests or connections will be round-robined across.
The Internet facing server is to return 404 Not Found for incorrect secrets, we ideally do not want to reveal
hosts that have Casket tunnels running on them.
This discussion was converted from issue #16 on January 18, 2024 02:14.
Heading
Bold
Italic
Quote
Code
Link
Numbered list
Unordered list
Task list
Attach files
Mention
Reference
Menu
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
I want to add a built in self-hosted ngrok system to Casket. This would allow you to say, run a Casket instance on a server with an interface to a public IP, and another Casket instance on your computer behind a NAT, and trivially expose the Casket instance on your computer by forwarding requests from the remote server.
Problems to solve:
Configuration
On the Internet facing server
You would need to add a Casket server block for each server you want to run in order for TLS to work nicely. The inconvenience of this can be mitigated by allowing the use of wildcard blocks on the Internet facing server side that can resolve to as many different clients as desired. A secret must also be specified to authenticate clients.
Proposed configuration:
mysite.com { tun mysecret } *.mysite.com { tun mysecret2 } :4000 { tun mysecret3 tls self_signed }On the client server (i.e. computer behind NAT)
Proposed configuration:
tun://mysite.com { tun mysecret # if unspecified, defaults to environment variable maybe? CASKET_TUN_SECRET perhaps? # etc... } tun://example.mysite.com { tun mysecret2 # etc... } tun://mysite.com:4000 { tun mysecret3 { insecure # tunnel is insecure as communication will be over plaintext HTTP/TCP } tls # TLS is mandatory # etc... }Networking
The client shall communicate to the server by connecting to the hostname specified
as the server block name, and forming a WebSocket connection to
/.well-known/tun/{secret}.With the client configuration examples above, it would look like connecting to:
The last example is over
ws://as determined by theinsecureparameter. Allconnections will be over
wss://otherwise.The implementation specifics is to be determined, but I will likely use multiple (say 10 or so) multiplexed WebSocket connections that requests or connections will be round-robined across.
The Internet facing server is to return
404 Not Foundfor incorrect secrets, we ideally do not want to revealhosts that have Casket tunnels running on them.
Beta Was this translation helpful? Give feedback.
All reactions