You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Which works if you have the _sish.mac-test.macchaffee.com TXT record created and the key fingerprint matches.
But if domain validation fails (either the TXT record is missing or the fingerprints don't match) sish still creates the tunnel:
$ ssh -i ./incorrect_key -R mac-test.macchaffee.com:80:localhost:8000 tuns.sh
Enter passphrase for key '/Users/mac/.ssh/id_ed25519_homelab':
Press Ctrl-C to close the session.
Starting SSH Forwarding service for http:80. Forwarded connections can be accessed via the following methods:
Service console can be accessed here: https://mac-mac-test.macchaffee.com.tuns.sh/_sish/console?x-authorization=<omitted>
HTTP: http://mac-mac-test.macchaffee.com.tuns.sh
HTTPS: https://mac-mac-test.macchaffee.com.tuns.sh
Because the domain has dots in it, the wildcard cert for *.tuns.sh won't work, so a new Let's Encrypt cert is provisioned, which is bad because the cert counts towards tuns.sh's Let's Encrypt rate limit. Not a huge deal since the worst a malicious user could do is prevent you from launching new TLS-protected sites on subdomains of tuns.sh (doesn't affect renewals of existing certs).
I think ideally, sish should return an error if someone tries to bind to a *.tuns.sh domain with dots in it. This would make it easier to debug DNS validation errors, while also preventing people from hitting Let's Encrypt rate limits on your behalf. Thoughts?
The text was updated successfully, but these errors were encountered:
Sish supports binding to custom domains like this:
Which works if you have the
_sish.mac-test.macchaffee.comTXT record created and the key fingerprint matches.But if domain validation fails (either the TXT record is missing or the fingerprints don't match) sish still creates the tunnel:
Because the domain has dots in it, the wildcard cert for
*.tuns.shwon't work, so a new Let's Encrypt cert is provisioned, which is bad because the cert counts towardstuns.sh's Let's Encrypt rate limit. Not a huge deal since the worst a malicious user could do is prevent you from launching new TLS-protected sites on subdomains of tuns.sh (doesn't affect renewals of existing certs).I think ideally, sish should return an error if someone tries to bind to a *.tuns.sh domain with dots in it. This would make it easier to debug DNS validation errors, while also preventing people from hitting Let's Encrypt rate limits on your behalf. Thoughts?
The text was updated successfully, but these errors were encountered: