Add Lighthouse Virtual Host Support
Similar to Apache & Nginx, adding Virtual Host Support will allow handling requests on the same Lighthouse IP:4242 for multiple domains/subdomains.
mylighthose.com net1.lighthouse.com lighthouse.other_domain.com
This will allow creating a service that can work for many subdomains, perhaps with some ability to be configured via API, for portal provisioning convenience.
I don't really get where you're going with this, if you just want to re-use a single lighthouse instance for multiple networks you can just make the lighthouse trust all the CAs from all the networks involved.
Some recent discussion here https://github.com/slackhq/nebula/issues/306#issuecomment-846474506
That is precisely the point: to have 1 lighthouse that serves multiple networks without them trusting each other.
Why would trusting all the CAs at the lighthouse be an issue for your use case?
The networks aren't getting bridged anyway (unless you tell it to) even if the lighthouse trusts them.
@caguiclajmg I think one potential issue with the approach of a single lighthouse trusting all network CAs is that this way if a node from network A asks the lighthouse about the real IP of a node from network B, the lighthouse will provide it, since there is no access control built into the lighthouse as the firewalls are on node level.
This means that there could be a DDOS issue if a malicious node in one network asks the lighthouse for all real IPs it knows from all networks. The only solution to this currently is to run separate lighthouses on different machines or ports, which is slightly annoying if you need to dynamically configure separate nebula networks.
Honest and naive question: What are the reasons a lighthouse does not trust all CAs by default? The answer to this question may be the same as for why it's not desired for a multi-network setup ...
I think one big reason is that if you have multiple nodes connecting to the Lighthouse, claiming to be the same Nebula IP, what happens next?
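The two concerns raised above (a lighthouse that trusts every network's CA will answer a node from network A about a host in network B, and two networks can each have a host claiming the same Nebula IP) can be shown with a small model. This is an added example, not Nebula's own code: certificates are plain dicts carrying a constructed `ca` label instead of a real signature, the `Lighthouse` class and its `partition_by_ca` switch are assumptions standing in for the per-network ("virtual host") behaviour the issue asks for, and the IPs and addresses are constructed sample values.

```python
"""Toy model of the lighthouse lookup problem discussed in this thread.

Constructed example, not Nebula's own code. A 'ca' string stands in for
the signing CA; no real certificate verification happens here.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    name: str
    nebula_ip: str
    ca: str  # identifier of the CA that signed this cert (constructed)


class LookupDenied(Exception):
    """Raised when a request comes from a CA the lighthouse does not trust."""


@dataclass
class Lighthouse:
    trusted_cas: frozenset
    # False: one flat table keyed on nebula_ip, i.e. "trust all CAs" as discussed.
    # True : table keyed on (ca, nebula_ip), so each network only sees its own hosts.
    partition_by_ca: bool = False
    table: dict = field(default_factory=dict)

    def _key(self, ca, nebula_ip):
        return (ca, nebula_ip) if self.partition_by_ca else nebula_ip

    def register(self, cert, real_addr):
        """A host announces its real address, as a node does to a lighthouse."""
        if cert.ca not in self.trusted_cas:
            raise LookupDenied(f"untrusted CA {cert.ca}")
        key = self._key(cert.ca, cert.nebula_ip)
        if key in self.table and self.table[key][0] != cert:
            # Two different certs claim the same key: the collision raised in the thread.
            raise ValueError(f"{cert.nebula_ip} already registered by another host")
        self.table[key] = (cert, real_addr)

    def query(self, requester, target_ip):
        """A node asks for the real address behind a Nebula IP.

        In flat mode the requester's network is never consulted, so any trusted
        node learns addresses from every network. In partitioned mode the lookup
        is scoped to the requester's own CA.
        """
        if requester.ca not in self.trusted_cas:
            raise LookupDenied(f"untrusted CA {requester.ca}")
        entry = self.table.get(self._key(requester.ca, target_ip))
        return None if entry is None else entry[1]


# Constructed hosts: network A signed by ca-A, network B signed by ca-B.
A1 = Cert("a1", "10.1.0.1", "ca-A")
B1 = Cert("b1", "10.2.0.1", "ca-B")
BOTH = frozenset({"ca-A", "ca-B"})


def flat_trust_leaks_cross_network():
    """Lighthouse trusting both CAs: network A can resolve a network B host."""
    lh = Lighthouse(trusted_cas=BOTH)
    lh.register(A1, "203.0.113.10:4242")
    lh.register(B1, "198.51.100.20:4242")
    return lh.query(A1, "10.2.0.1")  # returns B1's real address


def partitioned_lookup_is_scoped():
    """Same registrations, but lookups are confined to the requester's CA."""
    lh = Lighthouse(trusted_cas=BOTH, partition_by_ca=True)
    lh.register(A1, "203.0.113.10:4242")
    lh.register(B1, "198.51.100.20:4242")
    return lh.query(A1, "10.2.0.1")  # None: B1 is invisible to network A


def same_nebula_ip_in_two_networks(partition_by_ca):
    """Two networks each have a host at 10.0.0.1; what does the lighthouse do?"""
    lh = Lighthouse(trusted_cas=BOTH, partition_by_ca=partition_by_ca)
    lh.register(Cert("a-dup", "10.0.0.1", "ca-A"), "203.0.113.10:4242")
    try:
        lh.register(Cert("b-dup", "10.0.0.1", "ca-B"), "198.51.100.20:4242")
    except ValueError:
        return "collision"  # flat table: the second host clashes with the first
    return "ok"  # partitioned table: (ca-B, 10.0.0.1) is a distinct key


if __name__ == "__main__":
    print("flat mode, A asks about B:", flat_trust_leaks_cross_network())
    print("partitioned, A asks about B:", partitioned_lookup_is_scoped())
    print("same IP, flat:", same_nebula_ip_in_two_networks(False))
    print("same IP, partitioned:", same_nebula_ip_in_two_networks(True))
```

The flat table is the "just trust all the CAs" setup from earlier in the thread: registration and lookup both succeed regardless of which network the caller belongs to, which is exactly the information-disclosure and address-collision behaviour the later comments describe. Keying the table on the signing CA is the minimal change that gives one lighthouse process per-network isolation without bridging the networks.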