Hacker News: pingiun's comments

How do you proxy the SSH connections? I thought you could not do hostname-based proxying with the SSH protocol


[exe.dev co-founder here] You are right, you cannot! It was quite a bit of work. We have a blog post in the works that should come out in a couple of weeks with all the details.


I was just sufficiently nerd sniped by this, so let me know if I’m close:

Based on what the commenter below found about sshpiper I believe that you use the ssh identity + the ip from the slot to resolve the vm target. sshpiper knows how to route the ssh identity + slot ip to the correct VM. I suspect you have a custom sshpiper plugin to do that routing.

You use the slot record indirection so you can change the ip of a slot without having to update everyone’s A records across the customer base. It also makes it easy to shuffle around vm-slot mappings within a customer. I haven’t tested, but I’m guessing this dns server is internal (coredns?), and the ips too.

I did something similar (ip + identity routing) for a project a few weeks ago. Yours is a lot more elegant with the dns indirection.

I’m no ssh expert, but in theory you should be able to ssh -J exe.dev myvm.exe.xyz for a one-liner? Or maybe you don't even need it, if that DNS server within the ssh exe.dev is the same as the public DNS. Pardon for not testing it yet!


Would be interested in this too, I did some work in the past to make it work via Envoy proxy using HTTP CONNECT but that requires plugging in proxytunnel[0] or nc on client side.

  > $ nslookup abc.exe.xyz
  > abc.exe.xyz canonical name = s001.exe.xyz.
  > $ telnet s001.exe.xyz 22
  > Trying 100.20.12.135...
  > Connected to s001.exe.xyz.
  > Escape character is '^]'.
  > SSH-2.0-SSHPiper
Looks like it uses sshpiper[1]?

[0] https://github.com/proxytunnel/proxytunnel

[1] https://github.com/tg123/sshpiper


Looks like it's a combination of SSH server IP address + public key.

Each VM you create (up to 25 of them) gets a different CNAME record of the form s0NN.exe.xyz where NN ranges from 01 to 25. Each of these names, from s001.exe.xyz to s025.exe.xyz, resolves to a different IP address.

Therefore the individual VM can be distinguished this way, and the account they are associated with can be identified using the SSH public key that is used to authenticate.
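As an added illustration (not code from exe.dev, sshpiper, or any commenter), the routing key described above can be modelled as the pair (destination slot IP, OpenSSH SHA256 fingerprint of the offered public key). The slot names and IPs, the key material and the VM names below are all constructed; the fingerprint computation is the standard OpenSSH one (SHA-256 over the decoded key blob, base64 without padding). An unknown pair yields no target rather than a fallback, which is the fail-closed behaviour a router like this should have.

```python
import base64
import hashlib
import struct
from typing import Optional


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from 32 raw bytes (constructed key, not a real one)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(authorized_key_line: str) -> str:
    """Return the OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    parts = authorized_key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob starts with its own type string; it must agree with the text type.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != parts[0].encode():
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed slot table: s001..s025 each resolve to their own IP (assumed addresses).
SLOT_IPS = {f"s{n:03d}.exe.xyz": f"10.0.0.{n}" for n in range(1, 26)}

# Constructed sample keys for two hypothetical accounts.
ALICE_KEY = make_ed25519_line(bytes(range(32)), "alice@laptop")
BOB_KEY = make_ed25519_line(bytes(range(32, 64)), "bob@desktop")

# Routing table keyed on (slot IP the client connected to, fingerprint of offered key).
# VM names are placeholders.
ROUTES = {
    (SLOT_IPS["s001.exe.xyz"], fingerprint(ALICE_KEY)): "alice-vm-1.internal",
    (SLOT_IPS["s002.exe.xyz"], fingerprint(ALICE_KEY)): "alice-vm-2.internal",
    (SLOT_IPS["s001.exe.xyz"], fingerprint(BOB_KEY)): "bob-vm-1.internal",
}


def route(local_ip: str, offered_key_line: str) -> Optional[str]:
    """Resolve the upstream VM for a connection, or None if the pair is unknown.

    In a real proxy the client's signature over the offered key must be verified
    before this lookup result is acted on; a public key alone proves nothing.
    """
    return ROUTES.get((local_ip, fingerprint(offered_key_line)))


if __name__ == "__main__":
    print(fingerprint(ALICE_KEY))
    print(route(SLOT_IPS["s001.exe.xyz"], ALICE_KEY))
    print(route(SLOT_IPS["s002.exe.xyz"], BOB_KEY))
```

The same public key on two different slot IPs selects two different VMs, and the same slot IP with two different keys selects two different accounts' VMs, which is exactly the two-dimensional lookup the comment describes.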


You can easily check this. It's an iframe of recaptcha.net, loaded in via a gstatic.com JavaScript file. So it is an actual reCAPTCHA.


This is something that Amos Wenger (fasterthanlime) has worked on: https://github.com/bearcove/loona/blob/main/crates/buffet/RE...


Even simpler, just pay for the feature.


Yeah agreed - does anyone really care for $4/month?


I believe the AGPL doesn't actually require this, even though MinIO may think it does. I hope someone gets sued over this some day so we may find out.


It would not even make sense, since you do not always know what license the thing you are connecting to has. And not even the FSF sees it that way.


Sure, if you're connecting to a service using AGPL, the service operator must offer the source along with a copy of the license.

I'm no lawyer, but unless the software in question makes an exception for the particular API, I wouldn't feel confident.

Or what is the distinction here?


The Alpine default shell is called "ash"; "dash" is the Debian/Ubuntu default shell.


Seems cool, but the top of the page says the thing you suggest is now deprecated.


Span Metrics Processor is replaced with the very similar Span Metrics Connector, which is still supported.


The Span Metrics Processor being replaced by the Span Metrics Connector is very, very OpenTelemetry.


Every two-letter TLD is from some country.


I think they make their own motherboards (have them made). So they can fully make sure that ECC is supported from start to finish.


Those are signature algorithms. AES/ChaCha are symmetric ciphers.

