[Freedombox-discuss] public + private http services

Nick Daly nick.m.daly at gmail.com
Mon Jul 15 12:53:53 UTC 2013 

> Quoting Timur Mehrvarz (2013-07-15 07:05:29)
>> Hi, is there an agreed upon best practice on how to separate public
>> http services from those that shall only be accessible on the private
>> network? Private only services could be offered on a separate port and
>> the firewall would ensure that access to this port is shielded. One
>> could also offer public + private services on the same port, but make
>> sure - within the code - that private services will only respond to
>> requests coming from the internal network. Any other options? How do
>> you prefer to handle this? Thanks.

Which private network do you mean?  I can think of two:

1. The internal network (intranet) that my FreedomBox runs on (the
home network, with IPs usually in the range of 192.168...).

2. The private network produced by my authenticated friends connecting
to my FreedomBox to use services I provide.

1 is easy: we're serving services on the internal network, so we can
ignore the larger Internet all together.

2 is more difficult but can be accomplished through a number of tools
like SSH forwarding, Tor Hidden Services, or GNUnet applications.  In
that case, you're looking to authenticate the user before providing
the service.  In case 1, authentication was assumed by the fact that
the user was on your network (assuming your network is secure...).

Different use cases could require different methods, and we'd better
make sure we plan for supporting at least one of the common methods
for v2, at least.  Jonas, could you put up a wiki page detailing your
thoughts on the goals of first few releases?  I think they're pretty
much what I was thinking, but they might be a little more developed.

On Mon, Jul 15, 2013 at 5:31 AM, Jonas Smedegaard <dr at jones.dk> wrote:
> Good idea to try map out what are best practices for different contexts.

Jonas, I concur!  I think the mailing list might be a good place for
discussing the ideas though, a more permanent wiki page seems
appropriate when we have more solid solutions.

Nick

More information about the Freedombox-discuss mailing list