<ocdtrekkie>
I will poke around the repo when I have time
<mnutt>
congrats kentonv!
<mnutt>
I like the capability bindings example, it's a historically a pain to let people run arbitrary code and prevent it from accessing all services the runner has access to
<mnutt>
*people = coworkers, not random internet users, fortunately
<kentonv>
yeah I'm very happy with how that worked out
<ocdtrekkie>
wait... is Origin Rules what I've needed forever?
<ocdtrekkie>
Will this let me run Sandstorm on multiple wildcard hosts and/or multiple ports?
<ocdtrekkie>
...And some are included in the free plan?
<ocdtrekkie>
Ahhhhhhh
<ocdtrekkie>
Partially yes, partially no.
<ocdtrekkie>
Destination port override is free (which would've helped a ton on my old ISP) but the Host/SNI/etc. override is Enterprise plan only.
<ocdtrekkie>
Very very cool, but it's at the "ask for pricing" price tier.
Nik has joined #sandstorm
Nik is now known as Nikolai
Nikolai is now known as NikolaiG
<kentonv>
ocdtrekkie, why do you need host header overrides?
<ocdtrekkie>
I have long had a musing about migrating to my own domain for Sandstorm without breaking my existing Sandcats setup. This is, of course, something that could be done in Sandstorm, but conceivably could be done with CF rules?
<kentonv>
trouble with host header overrides is it lets you do some nefarious things unless we can prove the hostname and origin server are actually "yours"
<ocdtrekkie>
"need" is definitely a strong term here, but if I had the ability I would probably play with it. And yeah, if I'm overwriting to my Sandcats subdomain, I am in fact doing a thing with a domain I don't own.
<ocdtrekkie>
Which is something I definitely pondered about, and the Enterprise limitation definitely makes sense there.
<kentonv>
I would argue that your sandcats subdomain is "yours", but proving that is kind of hard
<kentonv>
or rather, building an automated mechanism to prove it is kind of hard
<kentonv>
which is what we'd need before allowing host header overrides
<ocdtrekkie>
Yeah I was speaking in a "as far as Internet infrastructure folks would consider it", its not mine. :p
<ocdtrekkie>
My use case aside, would it be safe to allow overrides amongst any domain you own on Cloudflare?
cwebber has joined #sandstorm
NikolaiG has quit [Ping timeout: 244 seconds]
<kentonv>
ocdtrekkie, I suspect that would be safe but I am not completely sure. The main problem is some origins use IP allowlists to accept traffic only from cloudflare, because they think this guarantees that the traffic went through their CF zone. But then you can just configure your own origin to the same IP address as theirs, and turn off security on your own zone. What saves a lot of people is that they don't accept requests that ha
<kentonv>
ve an unrecognized Host header...
<ocdtrekkie>
I don't have a full grasp of the scaling or security concerns, but would it make sense to do something like TXT records and/or .well-known to prove domain control/tie permission to use a given domain to a specific Cloudflare account?