Web Management & Secure Access Control of AWS Security Groups. Allows you to create IP leases for incoming connections to AWS instances. Also allows creating invites to allow guest access by URL/Email invites. Uses two-factor authentication for additional security.
The current code is only compatible with VPC Security Groups and not EC2 Security Groups. Because of this, I am getting the below error upon logging in:
We are not processing the CIDR; we are just checking for an exact match in the whitelisting IPs, so if we pass a CIDR with /29, /16, the IPs under these CIDRs will still be added to the ingress as ip.x.x.x/32.
Right now, concierge supports getting a lease on a security group for AWS. As a future extension, this is a proposal to add Traefik support for services running within a Kubernetes cluster.
Changes required:
• Support Kubernetes Authentication on the backend (/manage/kubernetes) to list all ingresses with label concierge=true
• Support patching an ingress to add/edit the traefik.ingress.kubernetes.io/whitelist-source-range annotation. Only the new IP should get added, or an old IP from an expiring lease should get removed.
• Lock on an ingress resource while making changes to prevent conflicting updates.
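One way to compute the annotation change this proposal describes, as an added example that is not concierge's own code. Function and parameter names are hypothetical, the annotation value is assumed to be a comma-separated list of CIDRs, and the sample addresses are constructed; the ingress lock and the Kubernetes API call are not shown.

```python
import ipaddress
import json

# Annotation key taken from the proposal above.
ANNOTATION = "traefik.ingress.kubernetes.io/whitelist-source-range"


def parse_ranges(value):
    """Split the comma-separated annotation value into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in (value or "").split(",") if p.strip()]


def update_ranges(current, add=None, remove=None):
    """Return the new annotation value after one lease change.

    add    -- client IP of a newly granted lease (hypothetical parameter)
    remove -- client IP of an expiring lease (hypothetical parameter)
    Entries that belong to other leases are left untouched.
    """
    nets = parse_ranges(current)
    if remove is not None:
        gone = ipaddress.ip_network(remove)
        # Drop only the exact host entry, never a broader range containing it.
        nets = [n for n in nets if n != gone]
    if add is not None:
        new = ipaddress.ip_network(add)
        # Skip the insert when an existing range already covers this address.
        if not any(new.version == n.version and new.subnet_of(n) for n in nets):
            nets.append(new)
    if not nets:
        # Do not guess how the proxy treats an empty list; the caller decides.
        raise ValueError("refusing to write an empty source range")
    return ", ".join(str(n) for n in nets)


def merge_patch(current, add=None, remove=None):
    """Build a JSON merge patch body that changes only this one annotation."""
    value = update_ranges(current, add, remove)
    return json.dumps({"metadata": {"annotations": {ANNOTATION: value}}})


if __name__ == "__main__":
    # Constructed sample: one office range plus one existing lease.
    print(merge_patch("10.0.0.0/16, 203.0.113.7/32", add="198.51.100.4"))
```

Reading the current annotation and writing the patch should happen while the ingress lock is held, so that two lease changes cannot overwrite each other.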
Concierge grants leases to end users by adding their apparent public IP to the inbound allowlist of the relevant security group.
This approach assumes client traffic will always originate from a single public IP, which can then be easily filtered.
• I use an Airtel 4G dongle; it provides me with a public IPv6 address. 6to4 proxies that sit between AWS & Airtel networks almost always use an egress pool of IPv4 IPs, i.e. my apparent IPv4 keeps on changing.
• I took a direct fiber-to-home broadband connection; my ISP owns a public IPv4 /24 range and uses multiple IPs for egress. Problem remains the same.
Solution
Add JS to concierge that makes periodic calls to a beacon.gif ep., for all the auth'd users.
Once a lease is taken for a security group, concierge opens it up for a single IPv4 address.
Subsequent beacons will help concierge magically add never-seen-before IPs to all the existing leases for that user.
As long as the concierge user keeps it open in a tab in their browser.