Ran into another use case this would be a problem for: If you're SSHing into something on your local network, then your source address will be a local IP, but hallow would still see your global IP.
I was thinking it'd be a configuration option for hallow itself. Maybe
`HALLOW_SOURCE`, default=`none`. Other values: `auto` (set it to the
requesting IP) or a comma separated CIDR list
On Sat, Mar 7, 2020 at 12:08 PM Paul Tagliamonte ***@***.***> wrote:
Having it be optional could be interesting - but passing it would either
mean breaking API (and doing something like #66) or passing a header
--
All that is necessary for evil to succeed is for good people to do nothing.
Certs can set a critical extension `source-address` to an IP address, which is then the only IP allowed to use this certificate.

Since we're issuing short lived certs, roaming is probably not a concern. Would it make sense to automatically set this to the requesting client's IP?
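An added sketch, not part of the thread and not hallow's code, of how the three `HALLOW_SOURCE` values proposed above (`none`, `auto`, a comma separated CIDR list) could map to the string placed in a certificate's `source-address` critical option. The function name `sourceAddress` is hypothetical, the addresses are constructed, and the value would be stored under the `source-address` key of the certificate's critical options.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// sourceAddress maps a policy string (the HALLOW_SOURCE values proposed in the
// thread; hypothetical, not an existing hallow setting) to the value of the
// OpenSSH "source-address" critical option. ok=false means "do not set it".
func sourceAddress(policy, requester string) (string, bool, error) {
	switch p := strings.TrimSpace(policy); p {
	case "", "none":
		return "", false, nil
	case "auto":
		addr, err := netip.ParseAddr(requester)
		if err != nil {
			return "", false, fmt.Errorf("requester address: %w", err)
		}
		addr = addr.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
		// Pin to exactly one host: /32 for IPv4, /128 for IPv6.
		return netip.PrefixFrom(addr, addr.BitLen()).String(), true, nil
	default:
		var out []string
		for _, item := range strings.Split(p, ",") {
			pfx, err := netip.ParsePrefix(strings.TrimSpace(item))
			if err != nil {
				// Fail closed: a typo must not silently drop the restriction.
				return "", false, fmt.Errorf("bad CIDR %q: %w", item, err)
			}
			out = append(out, pfx.Masked().String())
		}
		return strings.Join(out, ","), true, nil
	}
}

func main() {
	// Constructed inputs (documentation and private address ranges).
	for _, c := range [][2]string{
		{"none", "203.0.113.7"},
		{"auto", "203.0.113.7"},
		{"10.0.0.0/8, 192.168.1.17/24", "203.0.113.7"},
	} {
		v, ok, err := sourceAddress(c[0], c[1])
		fmt.Printf("policy=%q -> set=%v value=%q err=%v\n", c[0], ok, v, err)
	}
}
```

With `auto`, the pinned address is whatever the signer observes for the requester, which is the local-network case raised in the thread: a client connecting to a LAN host would present a source address that differs from the one in the certificate.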