[Freedombox-discuss] public + private http services
On Mon, Jul 15, 2013 at 10:23 PM, Nick Daly <nick.m.daly at gmail.com> wrote:
> > Quoting Timur Mehrvarz (2013-07-15 07:05:29)
> >> Hi, is there an agreed upon best practice on how to separate public
> >> http services from those that shall only be accessible on the private
> >> network? Private only services could be offered on a separate port and
> >> the firewall would ensure that access to this port is shielded. One
> >> could also offer public + private services on the same port, but make
> >> sure - within the code - that private services will only respond to
> >> requests coming from the internal network. Any other options? How do
> >> you prefer to handle this? Thanks.
> Which private network do you mean? I can think of two:
> 1. The internal network (intranet) that my FreedomBox runs on (the
> home network, with IPs usually in the range of 192.168...).
> 2. The private network produced by my authenticated friends connecting
> to my FreedomBox to use services I provide.
> 1 is easy: we're serving services on the internal network, so we can
> ignore the larger Internet altogether.
> 2 is more difficult but can be accomplished through a number of tools
> like SSH forwarding, Tor Hidden Services, or GNUnet applications. In
> that case, you're looking to authenticate the user before providing
> the service. In case 1, authentication was assumed by the fact that
> the user was on your network (assuming your network is secure...).
> Different use cases could require different methods, and we'd better
> make sure we plan for supporting at least one of the common methods
> for v2, at least. Jonas, could you put up a wiki page detailing your
> thoughts on the goals of first few releases? I think they're pretty
> much what I was thinking, but they might be a little more developed.
> On Mon, Jul 15, 2013 at 5:31 AM, Jonas Smedegaard <dr at jones.dk> wrote:
> > Good idea to try to map out what are best practices for different contexts.
> Jonas, I concur! I think the mailing list might be a good place for
> discussing the ideas though, a more permanent wiki page seems
> appropriate when we have more solid solutions.
Actually, I would recommend you start a wiki and document the relative
advantages and disadvantages of each possible approach. That way you will
develop a body of evidence, and also have something for new people to look
at to understand why you didn't follow the "obvious" solution of using
tethered zeppelins as DNS servers or whatever.
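As an added illustration of the second option Timur raises (public and private services on one port, with the code itself refusing private requests from outside), here is a small example written for this page; it is not code from the FreedomBox project or from anyone in the thread. The private address ranges, the path prefixes and the handler names are assumptions chosen for the example. The decision is made on the TCP peer address from the socket rather than on an `X-Forwarded-For` header, which any remote client can set; if the box sits behind a reverse proxy, the peer address is the proxy's and this check needs to move to the proxy.

```python
"""
Added example (not from the list thread): private-only handlers answer
only to clients whose source address lies in the home network; every
other client gets 403. Ranges and paths below are assumptions.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed home-network ranges (constructed for this example). A real
# deployment would read these from the box's configuration.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]

# Assumed path prefixes that must never be served outside the intranet.
PRIVATE_PREFIXES = ("/admin/", "/files/")


def is_internal_client(client_ip: str) -> bool:
    """True if the socket peer address falls inside one of PRIVATE_NETWORKS."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Anything unparsable is treated as external (fail closed).
        return False
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; unwrap
    # them or they would never match an IPv4 range.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # ipaddress returns False for a version mismatch, so mixing v4 and v6
    # networks in the list is safe.
    return any(addr in net for net in PRIVATE_NETWORKS)


def authorize(path: str, client_ip: str) -> int:
    """HTTP status to answer with: 200 for public paths or internal
    clients, 403 for a private path requested from outside."""
    if path.startswith(PRIVATE_PREFIXES) and not is_internal_client(client_ip):
        return 403
    return 200


class SplitHandler(BaseHTTPRequestHandler):
    """One listener for both service kinds; the split is per request."""

    def do_GET(self):
        # client_address[0] is the peer IP from the accepted socket.
        status = authorize(self.path, self.client_address[0])
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        if status == 200:
            self.wfile.write(b"served: " + self.path.encode() + b"\n")
        else:
            self.wfile.write(b"private service: internal network only\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SplitHandler).serve_forever()
```

Compared with the separate-port-plus-firewall option, this keeps the policy next to the code that serves the private content, but it is only as good as the peer address: NAT, proxies and tunnels all change what the socket sees, which is the reason the authentication-based approach Nick describes for case 2 becomes necessary as soon as the "private" network is no longer just the LAN.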