External Services

From Cursed Silicons Wiki
WIP
 

Latest revision as of 13:39, 29 April 2025

So! You want to run services on CGHMN. But you also want them to be accessible to the broader internet?

By default, the network is designed to be effectively "hermetically sealed", i.e. clients can connect into the network but aren't really meant to have internet access or the ability to talk to "the outside".

This is still "the default" because of the innumerable security (and legal!) issues that could arise for the network if we effectively acted as an "open web proxy with extra steps", but that's not a discussion for here!

Currently, the two ways to bridge external services are:

1. Run your own gateway! We can't really "stop" you from running a proxy to the real internet or other services. We can (and do) strongly advise against this, as anything (and everything) that comes out of it is effectively "your" traffic.

At the bare minimum, you probably want to use some kind of IP whitelisting (both for source and destination) and bandwidth limiting. The more you can do to minimize harm to yourself, the better!

2. Use a middlebox! Okay, so this isn't much more foolproof than option #1, but it is effectively how we've configured the (few) services that warrant internet access.
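
The source/destination whitelisting and bandwidth limiting suggested under option 1 could look like the following nftables ruleset on a Linux gateway. This is an added example, not configuration from the CGHMN project. The interface names (`cghmn0`, `wan0`), every address (documentation ranges used as placeholders), the ports and the rate are assumptions to replace with your own.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny forwarding for a self-run gateway.
# All names, addresses, ports and rates below are placeholders (assumptions).

table inet cghmn_gw {
    # CGHMN-side hosts that may use the gateway at all (source allowlist).
    set allowed_src {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.16/28 }
    }

    # Outside hosts the gateway may reach (destination allowlist).
    set allowed_dst {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.10, 198.51.100.20 }
    }

    chain forward {
        # Anything not explicitly accepted is dropped. No IPv6 rule is
        # present, so all forwarded IPv6 is dropped as well.
        type filter hook forward priority 0; policy drop;

        # Coarse aggregate bandwidth cap: packets above the rate are dropped.
        # This is policing, not shaping; use tc if you need queueing.
        limit rate over 1 mbytes/second burst 2 mbytes counter drop

        # Return traffic for flows that were accepted by the rule below.
        ct state established,related accept

        # New flows: allowlisted source AND allowlisted destination AND port.
        iifname "cghmn0" oifname "wan0" \
            ip saddr @allowed_src ip daddr @allowed_dst \
            tcp dport { 80, 443 } ct state new counter accept

        # Rate-limited log of what falls through to the drop policy,
        # so unexpected traffic through the gateway is visible.
        limit rate 5/minute log prefix "cghmn-gw-drop: "
    }
}
```

Validate the file with `nft -c -f <file>` before loading it, and check the counters with `nft list table inet cghmn_gw` to confirm that only the expected flows match.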