
ssh-via-cloudflare-tunnel: Alternative way to expose machines behind NAT

I have an intermittent issue where one of my machines on a specific network seems to be operational locally on the network but not accessible over netbird some of the time. I could not tell if the problem was due to the network the problematic machine was on or due to netbird.

So to debug this I:

  1. Set up a Grafana node agent to report journald logs to https://grafana.com/

  2. Set up Docker to log to journald

  3. Wrote the ssh-via-cloudflare-tunnel docker-compose stack to tunnel ssh over websocat to the internet via cloudflared. Set docker compose to restart on failure.

Today netbird had some downtime (tailscale had theirs just a few days before that). I was able to log into Grafana, look up the temporary hostname Cloudflare assigned to me, and ssh in using:

ssh -o ProxyCommand="websocat -E --binary - -v ws://%h" -o ServerAliveInterval=10 library-won-nt-gauge.trycloudflare.com
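The command above leaves two things for a practitioner to handle: the quick tunnel requires no signup and no authentication, so anyone who learns the random hostname can reach sshd through it (ssh's own key authentication is the only gate), and the hostname changes on every tunnel restart, so without a stable alias each new hostname becomes a fresh trust-on-first-use entry in known_hosts. The wrapper below is an added example written for this page, not code from the ssh-via-cloudflare-tunnel project; the function names, port 8022, the alias homelab-nas and the SSH_DRY_RUN switch are assumptions made here. The server-side function assumes websocat and cloudflared are on PATH and sshd listens on 127.0.0.1:22; the client-side function pins the host key under a fixed HostKeyAlias with strict checking on, so a changed key at the edge is refused rather than silently accepted.

```shell
#!/bin/sh
# Added example, not the ssh-via-cloudflare-tunnel project's own code.
# Assumptions: websocat and cloudflared are installed; sshd on 127.0.0.1:22.

# Server side (run on the NAT'd machine): bridge WebSocket -> local sshd,
# then publish the bridge through an unauthenticated Cloudflare quick tunnel.
# cloudflared prints the random *.trycloudflare.com hostname to its log
# (which is what the Grafana/journald pipeline above makes retrievable).
serve_ssh_over_ws() {
    websocat --binary ws-l:127.0.0.1:8022 tcp:127.0.0.1:22 &
    cloudflared tunnel --url http://127.0.0.1:8022
}

# Client side. Usage: ssh_via_tunnel <trycloudflare-host> <host-key-alias> [ssh args...]
# The tunnel hostname is ephemeral, so the host key is stored under a stable
# alias and StrictHostKeyChecking stays on: a key mismatch aborts instead of
# becoming a new trust-on-first-use entry. With SSH_DRY_RUN=1 the argument
# list is printed one per line instead of invoking ssh.
ssh_via_tunnel() {
    host=$1
    alias_name=$2
    shift 2
    case $host in
        *.trycloudflare.com) ;;
        *)
            echo "refusing host outside trycloudflare.com: $host" >&2
            return 2
            ;;
    esac
    set -- \
        -o "ProxyCommand=websocat -E --binary - ws://%h" \
        -o "HostKeyAlias=$alias_name" \
        -o StrictHostKeyChecking=yes \
        -o ServerAliveInterval=10 \
        "$host" "$@"
    if [ "${SSH_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' ssh "$@"
        return 0
    fi
    ssh "$@"
}

# Dry run against the hostname quoted above (constructed demo, no network).
SSH_DRY_RUN=1 ssh_via_tunnel library-won-nt-gauge.trycloudflare.com homelab-nas
```

The first successful connection still has to be verified out of band (compare the fingerprint ssh shows with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the machine); after that the alias makes every later tunnel hostname reuse the same pinned key.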

Architecture

Conclusion

This turned out to be trivial to do. However, it took me over 5 years of pondering, discovering ssh ProxyCommand, cloudflared and websocat, and deciding to combine them to conveniently expose ssh over the web.

I think it’s pretty cool how Cloudflare allows one to expose geographically distributed tunnels without requiring any signup. I wish their UX were simpler so it was equally easy to expose tunnels with fixed DNS. Cloudflare actually has something similar as an official ssh feature, but it requires more hoop-jumping.

websocat is amazing. I use websockets a lot more now that I have a robust way to utilize them without writing any code.

Why Would I Want To Do This?

  • As a fallback to tailscale/netbird that uses a completely different network topology, as in this case
  • To temporarily grant ssh access to some machine without requiring end users to install a VPN
  • To bypass restrictive GSM/Wi-Fi networks that block access to ssh
  • As an alternative to port-knocking to obscure ssh (e.g. hide ssh behind HTTP basic auth)

How would you improve this?

Check out ssh-via-cloudflare-tunnel on GitHub.

github-to-sops: Easy way to manage passwords/keys with Github and SOPS

Let’s face it, managing secrets in software projects can be as thrilling as being stabbed in the eye. Yet, it’s a necessary evil that we all have to deal with.

Problem: we have a set of developers and a set of infrastructure that all need to share secrets. We would like to minimize infrastructure and keep cognitive load to a minimum so we can focus on writing code. Sure, you’ve got AWS Secrets Manager and HashiCorp Vault for the heavy lifting, but that’s like using a tractor to crack a nut. And then there’s the keep-all-your-secrets-in-GitHub-Actions-ENVs approach, which leads to a “push-and-pray” mentality (https://dagger.io/ talks on CI/CD are awesome). Not exactly the pinnacle of security or convenience, right?

Enter SOPS, the cool kid on the block that encrypts your files without the bullshit (you know it’s cool because it’s the latest in a long line of tech abandoned by Mozilla). But setting it up? Still sucks. This post is about how github-to-sops helps.

Trying pixi: Modern package management for Python

I have been working with Python a lot more recently, and it feels like I spend more time fighting packaging than writing code.

Python’s primary package manager, pip, is roughly equivalent to the best the 1990s had to offer (Perl’s CPAN); it makes it depressingly easy to end up with a broken environment.

Pixi: A modern packaging system for Python

pixi is a modern package manager along the lines of deno/pnpm, but for Python. It’s a single binary that you can download and run. It installs Python and native packages within a single subdirectory, uses a pixi.toml file to track dependencies, and writes a pixi.lock that pins the exact versions of transitive dependencies.

Overlooked on HN: Databases That Process Data Faster Than Memory Bandwidth

13 GiB/s per core!

Sneller posted a blog on HN on how they use AVX-512 to decompress data at 13 gigabytes per second per core.

This is a fantastic ad for their “let’s turn logs on S3 into a cheap database” product. This is a solution I have wanted multiple times; I will definitely consider them next time the need comes up.

Faster than RAM

Now this post did not get overlooked, but what did get overlooked is that the post engaged the ClickHouse CTO. He posted a link to a presentation on how ClickHouse uses compression to process in-memory data faster than RAM bandwidth.

As a result of the discussion in these comments, ClickHouse might get even faster.

Overlooked on HN: Discovering High-quality Technical Content

I’m gonna start a column on cool blog posts I found that got zero or minimal traction. I suspect I will also get no traction doing that 🤦‍♂️.

The Problem

I really enjoy thoughtful writing on deep technical problems. It’s even better when one sees thoughtful comments that contribute new directions to the thoughts presented. Hacker News is where most of that writing tends to land. Unfortunately it tends not to do well against trendy, click-baity content. Twitter is even worse.

First, a blog post on my tooling for reading HN.