livebook

livebook copied to clipboard

I have recently realized that we can use fly wireguard connections as a zero-trust authentication mechanism. The idea is that we can deploy apps inside Fly infrastructure but not exposed to the real world, and the only way to connect to those apps is via fly wireguard.

A small plug can be written that:

1. Validate conn.host is either "my-app.internal" or ends with ".my-app-internal"

2. For each request, we get conn.remote_ip, validate it is ipv6, and do a remote dns look up (equivalent to dig PTR +short reverse.ip6.arpa and see if the IP is known. Currently it only validates ipv6, it does not return any user information

3. For it to work, you need to generate a wireguard with a custom name fly wireguard create ORG REGION my-name

PS: Here is how to do compute the reverse lookup of a IPv6 address:

"fdaa:0:36c9:a7b:9476:0:a:802"
|> String.split(":")
|> Enum.map(&String.pad_leading(&1, 4, "0"))
|> Enum.flat_map(&String.to_charlist/1)
|> Enum.reverse()
|> Enum.map_join(".", &<<&1>>)
|> Kernel.<>(".ip6.arpa")
#=> "2.0.8.0.a.0.0.0.0.0.0.0.6.7.4.9.b.7.a.0.9.c.6.3.0.0.0.0.a.a.d.f.ip6.arpa"

We should also explore flycast. As far as I understand this would allow having Livebook accessible at myapp.flycast privately, only when connected via WireGuard.

We need to check if the reverse lookup still works the same.

Closing this for now. We will probably explore other routes for authentication for now.