monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
5ef2ce57190e00bbe4a3d1ca2b72a8f957254752
greywall/examples/01-dev-server/README.md

90 lines
2.3 KiB
Markdown
Raw Blame History

# Dev Server + Redis Demo
This demo shows how fence controls network access: allowing specific external domains while blocking (or allowing) localhost connections.
## Prerequisites
You need Redis running on localhost:6379:
```bash
docker run -p 6379:6379 redis:alpine
```
## Install
```bash
npm install
```
## Demo 1: Localhost allowed, external blocked
This shows that requests to Redis (local service) works, but external requests are blocked.
```bash
fence -p 3000 --settings fence-external-blocked.json npm start
```
Test it:
```bash
# Works - localhost outbound to Redis allowed
curl http://localhost:3000/api/users
# Blocked - no domains whitelisted for external requests
curl http://localhost:3000/api/external
```
## Demo 2: External Allowed, Localhost Blocked
This shows the opposite: whitelisted external domains work, but Redis (localhost) is blocked.
```bash
fence -p 3000 --settings fence-external-only.json npm start
```
You will immediately notice that Redis connection is blocked on app startup:
```text
[app] Redis connection failed: connect EPERM 127.0.0.1:6379 - Local (0.0.0.0:0)
```
Test it:
```bash
# Works - httpbin.org is in the allowlist
curl http://localhost:3000/api/external
# Blocked - localhost outbound to Redis not allowed
curl http://localhost:3000/api/users
```
## Summary
| Config | Redis (localhost) | External (httpbin.org) |
|--------|-------------------|------------------------|
| `fence-external-blocked.json` | ✓ Allowed | ✗ Blocked |
| `fence-external-only.json` | ✗ Blocked | ✓ Allowed |
## Key Settings
| Setting | Purpose |
|---------|---------|
| `allowLocalBinding` | Server can listen on ports |
| `allowLocalOutbound` | App can connect to localhost services |
| `allowedDomains` | Whitelist of external domains |
## Note: Node.js Proxy Support
Node.js's native `http`/`https` modules don't respect proxy environment variables. This demo uses [`undici`](https://github.com/nodejs/undici) with `ProxyAgent` to route requests through fence's proxy:
```javascript
import { ProxyAgent, fetch } from "undici";
const proxyUrl = process.env.HTTPS_PROXY;
const response = await fetch(url, {
dispatcher: new ProxyAgent(proxyUrl),
});
```
Without this, external HTTP requests would fail with connection errors (the sandbox blocks them) rather than going through fence's proxy.
Reference in New Issue View Git Blame Copy Permalink