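--- a/bob-common/mkosi.build
+++ b/bob-common/mkosi.build
@@ -40,12 +40,13 @@ make_git_package \
 'go build -trimpath -ldflags "-s -w -buildid= -X github.com/flashbots/go-template/common.Version=v1.0.0" -o ./build/ssh-pubkey-server cmd/httpserver/main.go' \
 "build/ssh-pubkey-server:/usr/bin/ssh-pubkey-server"
 
-make_git_package \
-"cvm-reverse-proxy" \
-"v0.1.8" \
-"https://github.com/flashbots/cvm-reverse-proxy" \
-"make build-proxy-server" \
-"build/proxy-server:/usr/bin/cvm-reverse-proxy"
+# Install attested-tls-proxy from pre-built .deb
+ATLS_VERSION="v1.1.1"
+ATLS_SHA256="539a5f7de6e0b3a80d5279e76fbf46b2531c3c74fa2e22bf55a3dd5c0118690d"
+curl -sSfL "https://github.com/flashbots/attested-tls-proxy/releases/download/${ATLS_VERSION}/attested-tls-proxy_1.${ATLS_VERSION}_amd64.deb" \
+-o /tmp/attested-tls-proxy.deb
+echo "${ATLS_SHA256} /tmp/attested-tls-proxy.deb" | sha256sum --check
+dpkg-deb -x /tmp/attested-tls-proxy.deb "$DESTDIR"
 
 # Build input-only-proxy
 build_rust_package \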
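Review bot: The separator in `echo "${ATLS_SHA256} /tmp/attested-tls-proxy.deb" | sha256sum --check` should be the two-space (or ` *`) form that GNU `sha256sum --check` documents; if the rendered page merely collapsed the whitespace this is already the case, otherwise change it to `"${ATLS_SHA256}  /tmp/attested-tls-proxy.deb"` so the line is not rejected as improperly formatted. The asset name expands to `attested-tls-proxy_1.v1.1.1_amd64.deb`, which looks like a `1.` prefix glued onto a `v`-prefixed tag; if the release asset is actually versioned without the `v`, use `${ATLS_VERSION#v}` (with `-f`, curl would at least fail the build rather than fetch a wrong file). Extracting with `dpkg-deb -x` skips dependency resolution and maintainer scripts, so a comment such as `# dpkg-deb -x does not resolve Depends; runtime libs (libtss2-*) are listed in mkosi.conf` would help whoever bumps ATLS_VERSION next. If this script does not run under `set -e`, the check must abort explicitly, e.g. `... | sha256sum --check || exit 1`, since otherwise an unverified package is extracted into "$DESTDIR".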
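--- a/bob-common/mkosi.conf
+++ b/bob-common/mkosi.conf
@@ -29,6 +29,9 @@ Packages=podman
 openssh-sftp-server
 udev
 libsnappy1v5
+libtss2-esys-3.0.2-0t64
+libtss2-mu-4.0.1-0t64
+libtss2-tctildr0t64
 
 BuildPackages=build-essential
 git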
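Review bot: The three libtss2 packages are added with no comment saying what depends on them; since attested-tls-proxy is extracted with `dpkg-deb -x` in mkosi.build, which does not resolve the package's Depends, these are presumably its TPM runtime libraries and have to be kept in sync by hand when `ATLS_VERSION` changes. A comment above the list such as `# runtime deps of attested-tls-proxy (installed via dpkg-deb -x, so Depends are not resolved)` would record that coupling.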
@@ -0,0 +1,17 @@
[Unit]
Description=Attested TLS Proxy for SSH Public Key Server
After=ssh-pubkey-server.service
Requires=ssh-pubkey-server.service

[Service]
Type=simple
ExecStart=/usr/bin/attested-tls-proxy server \
--listen-addr 0.0.0.0:8745 \
--server-attestation-type auto \
--allowed-remote-attestation-type none \
127.0.0.1:5001
Restart=always
RestartSec=5

[Install]
WantedBy=minimal.target
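Review bot: The unit carries no `User=` or sandboxing directives, so `attested-tls-proxy server` listening on `0.0.0.0:8745` runs as root; it only needs to produce an attestation and forward to 127.0.0.1:5001, so consider `DynamicUser=yes` (or a dedicated `User=`) together with `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes`, granting whatever attestation device the `auto` type needs via `DeviceAllow=` rather than root. `--allowed-remote-attestation-type none` means clients are not attested, which matches the firewall's unconditional accept on 8745; a comment in the unit stating that this endpoint is intentionally reachable without client attestation because it serves a public SSH host key would document that trust decision. The `Requires=`/`After=` pairing on ssh-pubkey-server.service is consistent with the backend address on the last ExecStart line.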

This file was deleted.

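--- a/bob-common/mkosi.postinst
+++ b/bob-common/mkosi.postinst
@@ -29,7 +29,7 @@ for service in \
 dropbear.service \
 searcher-container.service \
 ssh-pubkey-server.service \
-cvm-reverse-proxy.service
+attested-tls-proxy.service
 do
 mkosi-chroot systemctl enable "$service"
 ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"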
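--- a/bob-l1/mkosi.extra/etc/bob/firewall-config
+++ b/bob-l1/mkosi.extra/etc/bob/firewall-config
@@ -5,7 +5,7 @@
 SSH_CONTROL_PORT=22
 SSH_DATA_PORT=10022
 SSH_REGISTER_PORT=8080
-CVM_REVERSE_PROXY_PORT=8745
+ATTESTED_TLS_PROXY_PORT=8745
 SEARCHER_INPUT_UDP_PORT=27017
 SEARCHER_INPUT_TCP_PORT=27018
 
@@ -38,10 +38,10 @@ accept_dst_port $CHAIN_ALWAYS_IN tcp $SSH_CONTROL_PORT "SSH control port"
 accept_dst_port $CHAIN_ALWAYS_IN udp $SEARCHER_INPUT_UDP_PORT "Searcher UDP input channel"
 accept_dst_port $CHAIN_ALWAYS_IN tcp $SEARCHER_INPUT_TCP_PORT "Searcher TCP input channel (input-only-proxy)"
 
-# CVM reverse-proxy serves server attestation
+# Attested TLS proxy serves server attestation
 # Also forwards request to ssh pubkey server on localhost:5001,
 # which serves searcher-container openssh server pubkey
-accept_dst_port $CHAIN_ALWAYS_IN tcp $CVM_REVERSE_PROXY_PORT "CVM reverse-proxy"
+accept_dst_port $CHAIN_ALWAYS_IN tcp $ATTESTED_TLS_PROXY_PORT "Attested TLS proxy"
 
 # Note: this is CL running on the host
 accept_dst_port $CHAIN_ALWAYS_IN tcp $CL_P2P_PORT "CL P2P (TCP)"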
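--- a/bob-l2/mkosi.extra/etc/bob/firewall-config
+++ b/bob-l2/mkosi.extra/etc/bob/firewall-config
@@ -5,7 +5,7 @@
 SSH_CONTROL_PORT=22
 SSH_DATA_PORT=10022
 SSH_REGISTER_PORT=8080
-CVM_REVERSE_PROXY_PORT=8745
+ATTESTED_TLS_PROXY_PORT=8745
 SEARCHER_INPUT_UDP_PORT=27017
 SEARCHER_INPUT_TCP_PORT=27018
 
@@ -34,10 +34,10 @@ accept_dst_port $CHAIN_ALWAYS_IN tcp $SEARCHER_INPUT_TCP_PORT "Searcher TCP inpu
 # We assume here that static peers in config are only syn nodes
 accept_src_ip_dst_port $CHAIN_ALWAYS_IN tcp "$CONFIG_EL_PEERS_IPS" $ENGINE_API_PORT "Engine API"
 
-# CVM reverse-proxy serves server attestation
+# Attested TLS proxy serves server attestation
 # Also forwards request to ssh pubkey server on localhost:5001,
 # which serves searcher-container openssh server pubkey
-accept_dst_port $CHAIN_ALWAYS_IN tcp $CVM_REVERSE_PROXY_PORT "CVM reverse-proxy"
+accept_dst_port $CHAIN_ALWAYS_IN tcp $ATTESTED_TLS_PROXY_PORT "Attested TLS proxy"
 
 ###########################################################################
 # (2) ALWAYS_OUT: Outbound rules that are always applied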