Mathieu Virbel
da3a2ac3a4
Rebrand the project from Fence to Greywall, the sandboxing layer of the GreyHaven platform. This updates: - Go module path to gitea.app.monadical.io/monadical/greywall - Binary name, CLI help text, and all usage examples - Config paths (~/.config/greywall/greywall.json), env vars (GREYWALL_*) - Log prefixes ([greywall:*]), temp file prefixes (greywall-*) - All documentation, scripts, CI workflows, and example files - README rewritten with GreyHaven branding and Fence attribution Directory/file renames: cmd/fence → cmd/greywall, pkg/fence → pkg/greywall, docs/why-fence.md → docs/why-greywall.md, example JSON files, and banner.
90 lines
2.3 KiB
Markdown
90 lines
2.3 KiB
Markdown
# Dev Server + Redis Demo
|
|
|
|
This demo shows how greywall controls network access: allowing specific external domains while blocking (or allowing) localhost connections.
|
|
|
|
## Prerequisites
|
|
|
|
You need Redis running on localhost:6379:
|
|
|
|
```bash
|
|
docker run -p 6379:6379 redis:alpine
|
|
```
|
|
|
|
## Install
|
|
|
|
```bash
|
|
npm install
|
|
```
|
|
|
|
## Demo 1: Localhost allowed, external blocked
|
|
|
|
This shows that requests to Redis (local service) works, but external requests are blocked.
|
|
|
|
```bash
|
|
greywall -p 3000 --settings greywall-external-blocked.json npm start
|
|
```
|
|
|
|
Test it:
|
|
|
|
```bash
|
|
# Works - localhost outbound to Redis allowed
|
|
curl http://localhost:3000/api/users
|
|
|
|
# Blocked - no domains whitelisted for external requests
|
|
curl http://localhost:3000/api/external
|
|
```
|
|
|
|
## Demo 2: External Allowed, Localhost Blocked
|
|
|
|
This shows the opposite: whitelisted external domains work, but Redis (localhost) is blocked.
|
|
|
|
```bash
|
|
greywall -p 3000 --settings greywall-external-only.json npm start
|
|
```
|
|
|
|
You will immediately notice that Redis connection is blocked on app startup:
|
|
|
|
```text
|
|
[app] Redis connection failed: connect EPERM 127.0.0.1:6379 - Local (0.0.0.0:0)
|
|
```
|
|
|
|
Test it:
|
|
|
|
```bash
|
|
# Works - httpbin.org is in the allowlist
|
|
curl http://localhost:3000/api/external
|
|
|
|
# Blocked - localhost outbound to Redis not allowed
|
|
curl http://localhost:3000/api/users
|
|
```
|
|
|
|
## Summary
|
|
|
|
| Config | Redis (localhost) | External (httpbin.org) |
|
|
|--------|-------------------|------------------------|
|
|
| `greywall-external-blocked.json` | ✓ Allowed | ✗ Blocked |
|
|
| `greywall-external-only.json` | ✗ Blocked | ✓ Allowed |
|
|
|
|
## Key Settings
|
|
|
|
| Setting | Purpose |
|
|
|---------|---------|
|
|
| `allowLocalBinding` | Server can listen on ports |
|
|
| `allowLocalOutbound` | App can connect to localhost services |
|
|
| `allowedDomains` | Whitelist of external domains |
|
|
|
|
## Note: Node.js Proxy Support
|
|
|
|
Node.js's native `http`/`https` modules don't respect proxy environment variables. This demo uses [`undici`](https://github.com/nodejs/undici) with `ProxyAgent` to route requests through greywall's proxy:
|
|
|
|
```javascript
|
|
import { ProxyAgent, fetch } from "undici";
|
|
|
|
const proxyUrl = process.env.HTTPS_PROXY;
|
|
const response = await fetch(url, {
|
|
dispatcher: new ProxyAgent(proxyUrl),
|
|
});
|
|
```
|
|
|
|
Without this, external HTTP requests would fail with connection errors (the sandbox blocks them) rather than going through greywall's proxy.
|