If a service is binding only to ::1, and not 0.0.0.0 or your current routable IP, it's explicitly deciding that it shouldn't be accessible from beyond the local computer. And in a lot of cases, it's right even if it doesn't explain why exactly. When exactly did we decide local port forwarding was too hard even for technical people? Or, I dunno, servers?
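The bind-address distinction in the comment above can be checked on a host by classifying its listening sockets. This is an added example, not part of the original comment; the sample lines are constructed in the layout of `ss -ltnH`, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the column layout of `ss -ltnH`:
# state, recv-q, send-q, local address:port, peer address:port.
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:3000 [::]:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 192.168.1.20:8080 0.0.0.0:*
LISTEN 0 4096 *:9090 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Print "<port> <scope>" for each listener read on stdin.
# scope is loopback, all-interfaces or one-interface.
classify_listeners() {
    awk '
    NF >= 4 {
        addr = $4; port = $4
        sub(/.*:/, "", port)        # keep what follows the last colon
        sub(/:[^:]*$/, "", addr)    # drop the trailing :port
        gsub(/\[|\]/, "", addr)     # drop IPv6 brackets
        sub(/%.*/, "", addr)        # drop an interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "all-interfaces"
        else scope = "one-interface"
        print port, scope
    }'
}

# Ports that other hosts can reach unless a firewall stops them.
exposed_ports() {
    classify_listeners | awk '$2 != "loopback" { print $1 }' | sort -n | paste -s -d ' ' -
}

sample_listeners | classify_listeners
echo "reachable from other hosts: $(sample_listeners | exposed_ports)"
```

On a live Linux host, `ss -ltnH | classify_listeners` gives the same view of the real sockets.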
If inexperienced devs and users could suddenly drop their pants at will, imagine the mayhem that would occur if experienced devs with malicious intent were set loose in that environment? You can't pretend they don't exist - in fact, it's better to assume everyone who's not you is out to utterly destroy your data ASAP. Some would argue don't even trust yourself.
Those firewalls, IDS, UTMs and assumptions are pretty much the only thing protecting inexperienced users from themselves.
Maybe they should just make it bind to a port below 1024, so it requires root/Administrator privileges to run. Then, if you are your own sysadmin, you can let yourself in--and if someone else is, you'll have to take it up with them.
The way to test a web project in development is to put it on a cheap web host or VPS. If you want to help newbie developers, make that one-click easy.
Heroku's almost the right thing for this, I think, though it still requires a credit card to sign up fully (it doesn't technically, but it does to enable free add-ons, so without a credit card you don't get, say, database persistence.) Obviously, Heroku is geared for adult developers--or, more specifically, to start-ups that Heroku hopes will become monsters dependent on Heroku's stack.
What would be perfect is a service like Heroku, but specifically for people learning to code; maybe something joined-at-the-hip with an online coding-school website. When you attend a real CS program, you get access to the labs and mainframes to test your programs on--where's the online version of that?
So, anything like this already exist? Or should I build it?
On the other hand, no one ever learned much by always taking the perfectly safe path. And who am I to judge whether people are "ready" for the Web? It's the old freedom vs. security argument.
Amazon does provide a free tier of EC2, which is great for tinkering around. But it takes a certain amount of knowledge to get one working as a web server. A tutorial, or a project that makes it easier, might be a good place to start.
I was trained to do this by reflex. Anytime you expose anything on your network, no matter what it is, without some layer of security between you and the internet, you're asking for trouble.
Whether this is a warranted reaction or not, I don't know. I'm pretty sure it's from spending too much time hanging out with hackers and sys admins. It's just locked in my brain not to do something like this - ever.
(disclaimer: I created https://pagekite.net/ which is one of localtunnel's competitors)
And while a bit tongue in cheek, I'm not too aware of this whole IP address scarcity thing. I've got a decent chunk of a /29, if you could use a /48 or ten for your local networks just ask! Or would it be tough to squeeze down to only 18,446,744,073,709,551,616 local addresses?
Tools like PageKite and localtunnel are completely in line with that philosophy, nothing is exposed to the outside world until you explicitly request it and then only the named service you chose (as opposed to whatever is on the port or god forbid everything listening on a particular IP). I personally feel more secure temporarily exposing a server using PageKite than I would if my router had been reconfigured to always allow traffic through on particular ports - it's a lot easier to turn PageKite off than it is to go reconfigure my router every time I am done testing.
Convenient security is good security, because it is more likely to be used correctly.
IPv6... well, good luck with that. :-) Aside from how few western ISPs offer IPv6 service, consider the fact that the majority of our devices are mobile these days. My laptop changes networks and IPs many times a day and I still like being able to run a visible server on it. Configuring plain IPv4 or IPv6 to do that elegantly is decidedly nontrivial.
Are you arguing that it is a good thing for people who have no idea what they're doing to have a 1 button click to remove all security?
No, we can not. From both personal experience (developers can be dumb as bricks and know nothing outside their specific knowledge domain) and good security practices (you don't trust the user, even if they say they're good for it).
And yes I hope it was just sarcasm I missed, but that's why I had to ask.
I haven't tried it, but it seems to forward a single port that's running service X that I want to make available on the net.
Any way whatsoever of fulfilling that need (no matter if it's one button click or setting up a separate VM for that service) would involve making a hole in all relevant firewalls and making the (possibly buggy) service X available to everyone.
Is the user goal of "making service X available to everyone" bad in itself?
When you allow public connections to a service running on a machine, security for that entire machine now largely depends on that service. Are you 100% sure that your copy of Apache or Nginx is patched up to date? That the web app you just coded up won't allow arbitrary command execution? That the OS has no local privilege escalation vulnerabilities?
If you are using a web host or VPS, the risk is limited to the code you're testing. You could lose the whole machine and it's no big deal.
But if you've exposed your personal machine--with all your documents, files, settings, etc.--then you've got a lot more to lose if a bad guy gets in. Worst case is a rootkit install that collects all your passwords and sends them out.
You'll still want to use ngrok if you want to do any traffic inspection or request replays.
Lastly, I have some new features coming up for ngrok including the ability for it to auto-update without your intervention so that I can push features more rapidly without bothering everyone to update every other day. I've open sourced the code to do it as a separate library (https://github.com/inconshreveable/go-update), and I'll be writing a blog post about the techniques necessary to make it work. Stay tuned!
A great use for it is cross-browser web dev. To test out our JS library on IE6 for example I'll use Proxylocal in conjunction with Sauce Labs.
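# On the server: let the client choose the bind address for remote forwards
$ echo "GatewayPorts clientspecified" | sudo tee -a /etc/ssh/sshd_config
$ sudo service ssh restart
# On the client: publish local port 3000 on all of the server's interfaces
$ ssh -R 0.0.0.0:3000:127.0.0.1:3000 user@your-server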
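A check for the GatewayPorts step in the commands above, added here as an example and not part of the original comment: sshd keeps the first value it reads for a keyword, so a line appended to the end of sshd_config changes nothing when an earlier GatewayPorts line exists. The config excerpt is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sshd_config excerpt: an existing setting plus the appended line.
sample_sshd_config() {
cat <<'EOF'
# constructed sshd_config excerpt
Port 22
GatewayPorts no
PasswordAuthentication no
# line appended later at the end of the file:
GatewayPorts clientspecified
EOF
}

# Effective global GatewayPorts for an sshd_config read on stdin.
# sshd uses the first value it reads for a keyword and defaults to "no".
# Parsing stops at the first Match block, since later lines apply only
# conditionally. Assumption: single-file config, Include is not followed.
effective_gatewayports() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        tolower($1) == "match" { exit }         # END still runs after exit
        tolower($1) == "gatewayports" && !seen { val = tolower($2); seen = 1 }
        END { print (seen ? val : "no") }'
}

# Where a remote forward requested as "ssh -R <bind>:port:host:port" listens.
# $1 = GatewayPorts value, $2 = bind address the client asked for.
forward_scope() {
    case "$1" in
        yes)             echo "all-interfaces" ;;   # forced to the wildcard address
        clientspecified) echo "$2" ;;               # the client's choice is honoured
        *)               echo "loopback" ;;         # "no": local host only
    esac
}

gp=$(sample_sshd_config | effective_gatewayports)
echo "GatewayPorts=$gp, so -R 0.0.0.0:3000 listens on: $(forward_scope "$gp" 0.0.0.0)"
```

On a real server, `sudo sshd -T | grep -i gatewayports` prints the value sshd will actually use, with Include files resolved.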
Both cases provide interesting information, in the first case things that every new person posts are generally pretty widely interesting. In the second case it is interesting to see reputation manipulation through gaming. Some people see a "score" and are compelled to "win."
And yeah, it's stable. I've been running it since it came out without any issues.
If you have a DigitalOcean account, you can have a 100% copy of your dev environment running on DO within 2 minutes of `$ vagrant up`... and as soon as you want it removed you would simply `$ vagrant destroy`!
Localtunnel and PageKite overlap, but the focus of the two projects is actually very different. Localtunnel is just for quick one-off tests. Although PageKite can do that as well, our (I am the author) real goal was to make self-hosting easy for folks who don't necessarily have full control over their networking infrastructure or are using primarily mobile devices.
The two projects started at roughly the same time though, in fact I think localtunnel predates PageKite by a few months.
What are you doing on this website if you can't do that?