Allow TCP port forwarding to cloud VMs #107
We have some firewall port exemptions on the public cloud IP address. We should use the NGINX stream module to forward TCP connections to cloud VMs.
IMPORTANT: we still need to comply with the university's security policies. In particular, this means that SSH, SMTP(S), and IMAP(S) are banned because we cannot enforce 2FA on those. So we will need some kind of periodic port scanner which checks if one of these services is running, and if so, disables the port forwarding, and also temporarily bans the user from creating any new port forwardings until they send an email to syscom.
I also strongly suggest that we add Minecraft to the ban list, for the following reasons:
If someone wants to run their own Minecraft server, they should do so on AWS/GCP/Azure instead. They should be eligible for some free credits while they are a student.
The easiest way to do it would be to use nginx stream proxy (http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html). We are already dealing with nginx configs with pyceo and this method involves literally 6 lines of code to make a proxy work:
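Worked example, added here and not code from the issue thread or from pyceo: it renders the nginx `stream` server block that the comment above describes (one `server` per forwarded port, included from a `stream {}` context rather than `http {}`), and implements the banner-based check for banned services (SSH, SMTP/SMTPS, IMAP/IMAPS) that the first comment proposes. The forwarding record layout (`owner`, `public_port`, `vm_ip`, `vm_port`), the VM addresses and the banners in the stub reader are constructed assumptions for the demo.

```python
"""Render an nginx stream proxy block for one forwarding and scan forwarded
ports for banned services. Example code, not pyceo's; the forwarding record
layout and the sample hosts/banners below are assumptions made for the demo."""
import re
import socket
import ssl

# One of these per forwarded port, placed inside `stream { ... }` (e.g. via include).
STREAM_SERVER_TEMPLATE = """server {{
    listen {public_port};
    proxy_pass {vm_ip}:{vm_port};
    proxy_connect_timeout 5s;
}}
"""

# Greetings of the banned services. All three are server-first protocols, so a
# passive read right after connecting is enough to identify them.
BANNED_BANNERS = {
    "ssh": re.compile(rb"^SSH-\d\.\d-"),        # RFC 4253 identification string
    "smtp": re.compile(rb"^220[ -]"),            # RFC 5321 greeting
    "imap": re.compile(rb"^\* (OK|PREAUTH)\b"),  # RFC 3501 greeting
}


def render_stream_proxy(public_port, vm_ip, vm_port):
    """Return the nginx stream server block forwarding public_port to vm_ip:vm_port."""
    for p in (public_port, vm_port):
        if not 1 <= int(p) <= 65535:
            raise ValueError("port out of range: %r" % (p,))
    socket.inet_aton(vm_ip)  # raises OSError unless vm_ip is an IPv4 literal
    return STREAM_SERVER_TEMPLATE.format(
        public_port=int(public_port), vm_ip=vm_ip, vm_port=int(vm_port))


def classify_banner(banner):
    """Map a server greeting to a banned protocol name, or None."""
    for name, pattern in BANNED_BANNERS.items():
        if pattern.match(banner):
            return name
    return None


def read_banner(host, port, timeout=3.0, use_tls=False):
    """Connect, optionally complete an implicit-TLS handshake, read the greeting."""
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # VMs will have self-signed certs;
            ctx.verify_mode = ssl.CERT_NONE  # we want the banner, not trust
            sock = ctx.wrap_socket(sock)
        return sock.recv(256)
    except (OSError, ssl.SSLError):
        return b""                           # refused, timed out, or not TLS
    finally:
        if sock is not None:
            sock.close()


def detect_banned_service(host, port, timeout=3.0, reader=read_banner):
    """Probe plaintext, then implicit TLS (SMTPS/IMAPS). Returns e.g. 'ssh', 'imaps' or None."""
    for use_tls in (False, True):
        name = classify_banner(reader(host, port, timeout, use_tls))
        if name:
            return name + ("s" if use_tls else "")
    return None


def audit_forwardings(forwardings, reader=read_banner):
    """(owner, public_port, service) for each forwarding whose VM exposes a banned service.

    The VM side is probed directly; probing the public port through nginx gives
    the same answer but also depends on the proxy being up."""
    violations = []
    for fwd in forwardings:
        service = detect_banned_service(fwd["vm_ip"], fwd["vm_port"], reader=reader)
        if service:
            violations.append((fwd["owner"], fwd["public_port"], service))
    return violations


# Constructed sample data for the demo; not real hosts.
SAMPLE_FORWARDINGS = [
    {"owner": "alice", "public_port": 30001, "vm_ip": "10.0.0.5", "vm_port": 22},
    {"owner": "bob",   "public_port": 30002, "vm_ip": "10.0.0.6", "vm_port": 993},
    {"owner": "carol", "public_port": 30003, "vm_ip": "10.0.0.7", "vm_port": 25565},
]


def fake_reader(host, port, timeout, use_tls):
    """Stand-in for read_banner with constructed greetings (demo/test only)."""
    table = {
        ("10.0.0.5", 22, False): b"SSH-2.0-OpenSSH_9.2\r\n",
        ("10.0.0.6", 993, True): b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n",
        # a game server is client-first and sends nothing on connect
    }
    return table.get((host, port, use_tls), b"")


if __name__ == "__main__":
    print(render_stream_proxy(30001, "10.0.0.5", 22))
    for owner, port, service in audit_forwardings(SAMPLE_FORWARDINGS, reader=fake_reader):
        print("disable port %d: %s is exposing %s" % (port, owner, service))
```

The demo runs offline through `fake_reader`; pass the default `read_banner` for live probes. A greeting check like this only catches server-first protocols, which is exactly what the three banned ones are; a service that waits for the client to speak (or one deliberately hidden behind a non-standard wrapper) will not be caught, so the cron job is a policy backstop, not a substitute for the firewall exemption list.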
Hm, one of the features that CSC constantly uses to sell to new members is the ability to host a Minecraft server.
I don't know who is "selling" this to new members, but in my opinion, they really shouldn't be, for the reasons mentioned above.
If someone wants to run Minecraft on a general-use machine using one of the existing port exemptions, we can't really stop them, but we should make it clear that this isn't condoned or supported.
Another problem with this approach is that every forwarded port requires one unused public port on the Nginx machine. The available ports might be depleted quickly if only a few ports are allowed by the firewall.