[platform] hero_proxy should default-deny unrouted hosts at boot so a tester is never briefly reachable without sign in during install #290

New issue

Open

opened 2026-06-15 23:26:24 +00:00 by mik-tf · 0 comments

mik-tf commented 2026-06-15 23:26:24 +00:00

Owner

Copy link

During install the deployer now always seeds a catch-all deny route on the tester's hero_proxy and pushes it before the sign-in route, so a tester is fail-closed once that step runs (lhumina_code/home#253). One brief gap remains: setup-binaries.sh starts hero_proxy and the cockpit near the start of the install, but the deny route is only added at the end of the install payload, so for the minute or so in between a request that reaches the VM (by its public address or its raw overlay address) can be served without sign in. The clean fix is to have hero_proxy itself start in a default-deny posture at boot, so it refuses any unrouted host from its very first request and the install only ever opens specific routes on top of that. This is a hero_proxy change, separate from the deployer-side fix above; filing it so the brief install-time window is closed properly rather than only narrowed.

During install the deployer now always seeds a catch-all deny route on the tester's hero_proxy and pushes it before the sign-in route, so a tester is fail-closed once that step runs (https://forge.ourworld.tf/lhumina_code/home/issues/253). One brief gap remains: setup-binaries.sh starts hero_proxy and the cockpit near the start of the install, but the deny route is only added at the end of the install payload, so for the minute or so in between a request that reaches the VM (by its public address or its raw overlay address) can be served without sign in. The clean fix is to have hero_proxy itself start in a default-deny posture at boot, so it refuses any unrouted host from its very first request and the install only ever opens specific routes on top of that. This is a hero_proxy change, separate from the deployer-side fix above; filing it so the brief install-time window is closed properly rather than only narrowed.

mik-tf referenced this issue 2026-06-16 18:17:34 +00:00

[deployer/admin] Deployer admin: a tester whose web gateway domain was not recorded shows a blank Cockpit URL, cannot be repaired from the admin, and is served with no login #253

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

development

main

No results found.

Labels

Clear labels   

meeting-notes

Meeting notes and follow-ups

  

meeting-sensitive

Sensitive meeting; no shared archive or AI processing

  

meeting-transcript

Raw meeting transcript; AI drafts the report

  

platform

Hero platform work: the integrated stack + deployer/onboarding/gateway/admin/lab (the whole-product layer)

  

service

Hero service work: a feature/bug inside one app (slides, books, voice, biz, ...)

No labels

meeting-notes

meeting-sensitive

meeting-transcript

platform

service

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lhumina_code/home_lhumina#290

No description provided.