by Spivak
1595 days ago
I can't share the code since it's internal but here are the broad strokes.

* Start with a "gateway" managing your WireGuard "PKI". Basically a group of WireGuard servers with an API that have synced configs.
  * /proxies - Your frontend servers.
  * /endpoints - Your backend servers.
  * /gateways - WireGuard servers that your frontend and backend can reach.
* Gateway authenticates your proxies and endpoints and they both hit a /config endpoint to pull something that can be shoved into wg-quick. AllowedIPs restricts what the proxy is allowed to reach.
* Proxies handle user-auth like any web service and then act as a reverse proxy to the endpoints using the WireGuard internal address.

Nothing at all fancy except that in a normal deployment your frontend and backend would be live in the same datacenter and so you don't need any WireGuard BS. This provides a model where our devs can hit a public endpoint that reverse proxies to their laptops.
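A minimal model of the gateway described in the comment above, added here as an example and not the commenter's code: it keeps the /proxies, /endpoints and /gateways registry, authenticates a proxy, and renders the wg-quick config /config would return, with AllowedIPs narrowed to one /32 per backend that proxy is allowed to reach. The node names, addresses, token and `<pk-...>` key strings are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Node:
    name: str
    pubkey: str                                    # placeholder, not a real key
    wg_addr: str                                   # internal WireGuard address
    endpoint: str = ""                             # host:port, gateways only
    allowed_endpoints: List[str] = field(default_factory=list)  # proxies only

@dataclass
class Gateway:
    """Synced registry behind /proxies, /endpoints, /gateways; tokens stand in for real auth."""
    proxies: Dict[str, Node]
    endpoints: Dict[str, Node]
    gateways: Dict[str, Node]
    tokens: Dict[str, str]                         # bearer token -> proxy name

    def authenticate(self, token: str) -> Node:
        name = self.tokens.get(token)
        if name is None or name not in self.proxies:
            raise PermissionError("unknown or unauthorised proxy")
        return self.proxies[name]

    def allowed_ips(self, proxy: Node) -> List[str]:
        # Least privilege: one /32 per backend this proxy may reach,
        # never the whole overlay subnet.
        return [f"{self.endpoints[e].wg_addr}/32" for e in sorted(proxy.allowed_endpoints)]

    def config(self, token: str) -> str:
        """What /config returns: a wg-quick file for the authenticated proxy.
        The proxy keeps its own private key; the gateway never sees it."""
        proxy = self.authenticate(token)
        lines = ["[Interface]", f"Address = {proxy.wg_addr}/32",
                 "# PrivateKey = <inserted locally by the proxy>"]
        for gw in self.gateways.values():
            lines += ["", "[Peer]", f"PublicKey = {gw.pubkey}", f"Endpoint = {gw.endpoint}",
                      f"AllowedIPs = {', '.join(self.allowed_ips(proxy))}"]
        return "\n".join(lines) + "\n"

def build_demo() -> Gateway:
    """Constructed sample: two dev laptops as endpoints, one proxy allowed to reach only laptop-1."""
    return Gateway(
        proxies={"proxy-a": Node("proxy-a", "<pk-proxy-a>", "10.7.0.2", allowed_endpoints=["laptop-1"])},
        endpoints={"laptop-1": Node("laptop-1", "<pk-laptop-1>", "10.7.0.21"),
                   "laptop-2": Node("laptop-2", "<pk-laptop-2>", "10.7.0.22")},
        gateways={"gw-1": Node("gw-1", "<pk-gw-1>", "10.7.0.1", endpoint="gw1.example.invalid:51820")},
        tokens={"tok-proxy-a": "proxy-a"},
    )
```

Calling `build_demo().config("tok-proxy-a")` yields a config whose only AllowedIPs entry is laptop-1's address, so laptop-2 stays unreachable from that proxy even though both sit in the same overlay.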