Sandcats.io: free dynamic DNS for Sandstorm users (sandstorm.io)
114 points by paulproteus on May 18, 2015 | 18 comments


This seems pretty dang useful. I needed something similar for a non-Sandstorm server a few weeks ago and, since all of my domains are hosted on Route53, I wrote this:

https://github.com/peterkeen/route53_ddns


I faced the same problem; came up with the same solution :) http://willwarren.com/2014/07/03/roll-dynamic-dns-service-us...


I set up http://dhcp.io/ for that purpose - also wrapping Route53.

The code is open, though I had to stop new users from registering to avoid abuse. (Sigh.)


Port forwarding would also be a handy feature, albeit a major (impossible?) technical challenge to deal with the varying support for interfaces to set it up. Or perhaps an ngrok-style tunnelling feature (which would obviously be more expensive to run).


(Hi! I'm the author of the blog post & maintainer of the Sandcats service.)

I'm excited about Sandstorm eventually helping people tackle issues like port forwarding. There's enough to do that it's not something I'm personally prioritizing, but it would definitely be very interesting. I can imagine the initial version of this feature working using UPnP for example, for routers that support it.

Thanks for taking an interest in Sandstorm!

As for ngrok-style tunneling, that's something I'm less interested in hosting/maintaining as part of the Sandcats toolkit for Sandstorm self-hosters. I'd be happy to see Sandstorm grow the ability to integrate with services that offer something ngrok-like, though.

Somewhat hilariously, a Tor hidden service is easy to set up and has built-in NAT traversal, if I understand things correctly, so maybe one day we'll see a "Run your Sandstorm server as a Tor hidden service" feature purely for the connectivity conveniences.


Hello! PageKite is "ngrok-like" (we pre-date them by a fair bit), I'd be happy to work with you guys on exploring whether we can integrate and make it as easy to spin up as Sandcats. Feel free to mail me, bre at pagekite.net if you're interested in exploring this further.


Have you folks considered partnerships with Synology, QNAP, etc? Syno have just embraced Docker in their latest OS version, although that is limited to their Intel-based NAS range. Sandstorm might have an opportunity to provide a platform for lower-end and high-end NAS to run web applications.

But I'm sure you have considered this already :-)


We are exploring this direction but don't have anything firm yet. We don't aim to enter the hardware business ourselves so we're happy to partner with anyone building hardware. :)

Sandstorm is limited to x86_64 for probably the same reason Docker is -- our app packages contain binaries and we don't want to burden developers with supporting multiple architectures, at least for now.

I'm biased, obviously, but Docker on Synology strikes me as an odd fit. Docker is optimized for massive SaaS-scale deployments of stateless servers, not so much one-off small-scale stateful app deployments.


Better support for DNS SRV records[1] in client apps would help here and outside of Sandstorm, too.

[1] http://en.wikipedia.org/wiki/SRV_record


Sandstorm is interesting, but I didn't realize it had this sort of DNS requirement. This will also mean it will essentially require a wildcard SSL certificate for people who want to completely host it themselves, which could seriously limit its uptake.


TL;DR: We're working on that one; stay tuned. ;)

Long version: Yes, Sandstorm requires a wildcard host for security purposes. In general, by splitting things up into lots of small, isolated units, we can protect against bugs in apps. For example:

- First, obviously, hosting each app on a separate origin (hostname) is important if you don't want a bug in one app to allow compromise of other apps or Sandstorm itself (or if you want to run apps that you don't necessarily trust). Since we want app installation to be a one-click process, we need to generate hostnames automatically. But we go a lot further than just allocating a host for each app.

- By hosting every Etherpad document in a separate, isolated container, we can protect you against bugs in Etherpad that leak information from one document to another. Several such bugs have been disclosed in the last few months; none affected Etherpad on Sandstorm.

- By hosting WordPress's edit interface on a separate host from the public web view -- guarded by Sandstorm access control -- and making the public view read-only, we can protect you against security problems in WordPress. Several such bugs have been disclosed in the last few months; none affect WordPress on Sandstorm.

- By creating a new unguessable throw-away host name for every session -- i.e. every time you open the same document, it's on a different host, and that host expires when you close it -- we can protect against XSRF, clickjacking, and reflected-XSS attacks in apps, because the attacker does not know to what hostname to address the attacks.

So there are a lot of really huge advantages to having a wildcard host available. The big disadvantage is that wildcard SSL is expensive -- around $100/yr at its cheapest. But that's an artificial price based on CAs' perception that wildcard certs are only needed by people who can pay a lot -- it doesn't cost them any more to create the certs, they're just doing price segmentation. So instead of solving the problem by giving up on our nice security properties in order to make non-wildcard certs work, maybe we can solve the problem in meatspace by convincing the CAs that Sandstorm calls for a different pricing model.

And that's all I can say for the moment. :)
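
[Added example, not part of the thread and not Sandstorm's own code: a minimal sketch of the per-session throw-away hostname scheme described in the comment above, showing why a wildcard host is needed and why a stale or guessed hostname reaches nothing. The class name `SessionHosts`, the `ui-` label prefix, the domain `example.sandcats.io` and the grain and user ids are all hypothetical.]

```javascript
// Added sketch: hypothetical names throughout, not Sandstorm's implementation.
const { randomBytes } = require('node:crypto');

// Constructed domain; assumes wildcard DNS (*.BASE_DOMAIN) points at the server.
const BASE_DOMAIN = 'example.sandcats.io';

class SessionHosts {
  constructor(ttlMs = 60000) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // hostname -> { grainId, userId, expires }
  }

  // Opening a document mints a fresh hostname with a 128-bit random label,
  // so two sessions on the same document never share an origin.
  open(grainId, userId, now = Date.now()) {
    const host = `ui-${randomBytes(16).toString('hex')}.${BASE_DOMAIN}`;
    this.sessions.set(host, { grainId, userId, expires: now + this.ttlMs });
    return host;
  }

  // Closing the document retires the hostname immediately.
  close(host) {
    return this.sessions.delete(host);
  }

  // Route by Host header. Unknown, closed or expired hostnames resolve to
  // nothing, so a request aimed at a guessed or stale host never reaches an app.
  route(hostHeader, now = Date.now()) {
    const host = String(hostHeader || '').toLowerCase().replace(/:\d+$/, '');
    const session = this.sessions.get(host);
    if (!session) return null;
    if (now >= session.expires) {
      this.sessions.delete(host);
      return null;
    }
    return { grainId: session.grainId, userId: session.userId };
  }
}
```
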


Seems to me like sandcats and https://letsencrypt.org/ are a perfect match when the time comes...


Indeed.


If you are using it for your own use, you can use a self-signed certificate. I think that browsers will warn you if your self-signed certificate changes, even in the absence of certificate pinning (because it is a new-untrusted certificate). If not, then something like certificate patrol[1] should help.

And let's face it - if you are using Sandstorm for the next year or so, you probably understand what a self-signed certificate is.

[1] http://patrol.psyced.org/


I am so torn between wanting to cheer anything Sandstorm-related and thinking that your Sandstorm hosting provider should also set up the DNS for you.


Managed hosting will come Real Soon Now. :) https://sandstorm.io/preorder.html

But we hope sandcats.io makes it clear that we are dedicated to supporting self-hosting as well.


ossreality: Thanks!

FYI, it appears HN is auto-killing all your comments, which is why I couldn't reply directly. :(


This seems like it's for people setting up their own Sandstorm instances.



