If this instant GUI window interests you, you may also be interested in controlling a system tray menu (cross platform, Windows, Mac and Linux) from a JSON file! [1]
If you make a script that handles building the traefik config from various inputs, you could make a GUI config for it with Configurator [1] which we built and open sourced to make it easy to config stuff!
This was a tremendous write-up. I appreciate the detail including your ingressd setup. I agree, though, that this is a pain. It's for this reason that we made Cloud Seeder [1] so you can have hands-free setup of your homelab and IPv6rs for painless ingress [2] </shameless>
I didn't know about IPv6rs, but thanks for supporting raw WireGuard configs[1]! Being able to use just WireGuard without having to install any additional daemons or wrappers is always appreciated.
If only I had known about this service before AWS launched its eu-south-2 region (Spain), I would have seriously considered it. But unfortunately I already have my stuff all set up and working, tunneling through an EC2 instance.
Still, bookmarked. I won't say I'll be using it in the future, but I'll definitely keep it in mind for the next time I need to change/update my homeserver stuff.
I'd set up IPv6 on there, but the problem is that I use Flannel (which is IPv4 only) and my 8 gigabit fiber ISP only gives me IPv4 connectivity. I'll look into more details, but I've slightly given up on IPv6 for now. Maybe I'll set up Calico or something, but IPv6 seems to have been made artificially difficult by everything in the stack. I hate it.
> 8 gigabit fiber ISP only gives me IPv4 connectivity.
Just like my ISP (but not 8 gbit!). Luckily, IPv6rs actually tunnels through IPv4 (or 6) and provides an IPv6 address. You don't need one to start!
I don't know the ins and outs for flannel, but maybe you could set up IPv4 internally and use IPv6 (and an IPv4 Reverse Proxy) for the public internet?
I agree, though, IPv6 on its own can be hard but thanks to WireGuard, tayga (NAT64), and nginx/caddy/etc. (reverse proxy), it's definitely quite usable!
We just launched NAT64 support [1] and we had some issues with IP addresses. Luckily, we're developers, so we coded a simple solution. NAT64+DNS64 requires names to work, so we create these pseudonyms for IP addresses.
host 8.8.8.8.visibleip.com returns 8.8.8.8
We set up visibleip.com on an anycast IP in 16 different POPs in case anyone relies on it!
You could try IPv6.rs (shameless plug). We provide a routed IPv6 IP and reverse proxy for IPv4. We made it easy to run servers with Cloud Seeder [2], our open source server manager.
What I want is a transparent reverse proxy for both IPv4 and IPv6. Ideally it should work with encrypted SNI and ECH, using a static IP, because this is where the internet is going and anything else is probably a dead end I would like to avoid investing time in today.
Ideally, it has some simple firewall IDS/IPS capabilities (limit destination ports, limit source IPs…).
My threat scenario is, once someone has my home IP, they can cut off my internet very easily, just brute force traffic to my IP will clog my internet access.
The same would work via the above described reverse proxy, but I can diagnose it and turn off the proxy. My self hosted services will be down but at least I have Internet. If my home IP is known, there isn’t much I can do… My ISP doesn’t rotate the IP of a user very often (think months).
Currently I feel that Cloudflare tunnelling is less bad than the above described risk, but it’s far from ideal, hence looking for alternatives.
IPv6.rs doesn't work with ESNI because you'll have to decrypt the encrypted packet to read it. Cloudflare decrypts your traffic so it can read it.
> If my home IP is known,
IPv6.rs hides your home IP. The only exposed IP will be the IPv6 IP you receive from IPv6rs. The reverse proxy proxies to your IPv6 address, so your home IP will never be exposed (and technically you could change the IPv6rs IP if you wanted to at ANYTIME).
If you're interested in giving it a shot I can give you a coupon that discounts significantly!
I’m sorry if it’s a trivial question, but why does a “dumb” forwarder have to decrypt the packet? I only need to tunnel/forward it, static destination IP, there are no decisions taken on the basis of the SNI as far as I can tell.
Setting up *Arr and QBitTorrent is a chore. We made it easy with a single click. This was by far the most difficult appliance to automate into a non-interactive install.
Since it's open source[1], we hope many people will benefit from this. :-)
Submission: This is a simple terminal for 'output/read-only' usage in a Fyne GoLang app. You can basically run a command and it will feel like it's running in a terminal and the output will go to said terminal. This strips out all ANSI, escape and control codes.
It's part of Cloud Seeder [1] which we wrote open source and in a way so that everyone can use the parts [2][3] easily.
As part of our mission to maintain transparency, we open sourced our TLS SNI reverse proxy. This uses an LRU cache [1] to improve DNS caching and performance as well as the usual suspects in GoLang for the Go Magic.
Every part of the transport in our stack is running on open source now.
We hope you all enjoy!
[1] https://github.com/ipv6rslimited/lrucache
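How a TLS SNI reverse proxy can read the requested hostname from the cleartext ClientHello without holding any TLS key, as an added example (not code from the open-sourced proxy in the post above). PeekSNI, roConn and SampleHello are hypothetical names, and the hostname is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// roConn lets crypto/tls read the client's bytes but never answer the client.
type roConn struct{ r io.Reader }

func (c roConn) Read(p []byte) (int, error) { return c.r.Read(p) }
func (c roConn) Write(p []byte) (int, error) { return 0, io.ErrClosedPipe }
func (c roConn) Close() error { return nil }
func (c roConn) LocalAddr() net.Addr { return nil }
func (c roConn) RemoteAddr() net.Addr { return nil }
func (c roConn) SetDeadline(time.Time) error { return nil }
func (c roConn) SetReadDeadline(time.Time) error { return nil }
func (c roConn) SetWriteDeadline(time.Time) error { return nil }

// PeekSNI (hypothetical) returns the SNI and the raw bytes read, for replay to a backend.
func PeekSNI(conn net.Conn) (string, []byte, error) {
	var raw bytes.Buffer
	var hello *tls.ClientHelloInfo
	cfg := &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		hello = h
		return nil, errors.New("stop after ClientHello")
	}}
	tls.Server(roConn{io.TeeReader(conn, &raw)}, cfg).Handshake() // always errors; expected
	if hello == nil {
		return "", nil, errors.New("no TLS ClientHello received")
	}
	return hello.ServerName, raw.Bytes(), nil
}

// SampleHello builds a constructed ClientHello in memory (no network) and peeks it.
func SampleHello(name string) (string, []byte, error) {
	client, server := net.Pipe()
	defer server.Close()
	go tls.Client(client, &tls.Config{ServerName: name}).Handshake()
	return PeekSNI(server)
}

func main() {
	sni, raw, err := SampleHello("home.example.test")
	fmt.Println(sni, len(raw), err)
}
```

The proxy would then dial the backend chosen for that name and write the captured bytes first, so the TLS session stays end to end. With ECH, the name visible at this point is only the outer public name, not the hostname the client actually wants.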