
[docs] add VNet warnings#56601

Merged
nklaassen merged 3 commits into master from nklaassen/docs-vnet-warnings
Jul 9, 2025

Conversation

@nklaassen
Contributor

This PR adds warnings against:

  • using VNet on multi-user machines
  • exposing plain HTTP apps over VNet

The VNet RFD mentioned that users should be warned about both of these, but I never added the warnings to the docs.

Fixes https://github.com/gravitational/teleport-private/issues/2033

@nklaassen nklaassen added no-changelog Indicates that a PR does not require a changelog entry vnet labels Jul 9, 2025

github-actions Bot commented Jul 9, 2025

Amplify deployment status

Branch Commit Job ID Status Preview Updated (UTC)
nklaassen/docs-vnet-warnings f72ce92 3 ✅SUCCEED nklaassen-docs-vnet-warnings 2025-07-09 22:49:36

following mitigations for DNS rebinding attacks:
- upgrade these APIs to HTTPS or another protocol
- enforce a Host header allowlist at the HTTP server
- block browser access to HTTP websites
Member

Just checking if you meant "HTTP APIs" here instead of "HTTP websites"?

Contributor Author

The concern is the user navigating to an HTTP website in the browser, and JS on that website then hitting an HTTP API over VNet, so I think it's correct to mention blocking access to HTTP websites in the browser.

@ravicious ravicious (Member) Jul 10, 2025

Oh, I see. I assumed it talks about somehow blocking access to HTTP websites that the user owns, since the previous two points are related to modifying resources owned by the user too.
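The second mitigation in the quoted docs text, a Host header allowlist, is the one an app owner can apply without changing protocols, and the thread above explains the attack it defends against: JavaScript served from an attacker-controlled HTTP site reaches a plain HTTP API after the attacker's DNS name is re-pointed at the API's private VNet address. The example below is added here to show why the check works; it is not code from this PR or from Teleport. The browser builds the Host header from the URL it loaded, so a rebound request still carries "Host: attacker.example" even though the TCP connection now lands on the app, and a strict allowlist rejects it. The app address "internal-api.teleport.example" and the path "/v1/secrets" are assumptions for the example, not names from the page.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedHosts lists every name this app is legitimately reached under.
// "internal-api.teleport.example" is a hypothetical VNet app address
// chosen for this example only.
var allowedHosts = []string{"internal-api.teleport.example"}

// hostAllowlist rejects any request whose Host header is not in allowed.
// A rebound request from a browser that loaded attacker.example arrives
// with "Host: attacker.example", so it never matches the allowlist.
func hostAllowlist(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, h := range allowed {
		set[strings.ToLower(h)] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		// Tolerate an explicit port ("host:8080"); compare the name only.
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		if _, ok := set[strings.ToLower(host)]; !ok {
			// 421 Misdirected Request: the request was sent to a server
			// that is not authoritative for the name in Host.
			http.Error(w, "unrecognized Host header", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// apiHandler stands in for a plain-HTTP API exposed over VNet.
func apiHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"secret":"only for the real origin"}`)
	})
}

// probe sends one in-memory request with the given Host header and returns
// the status code, so both cases can be checked without a network.
func probe(h http.Handler, host string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1/secrets", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// demo returns the status seen by a legitimate client and by a browser
// whose attacker.example lookup has been rebound to the app's VNet address.
func demo() (legit, rebound int) {
	h := hostAllowlist(allowedHosts, apiHandler())
	legit = probe(h, "internal-api.teleport.example")
	rebound = probe(h, "attacker.example")
	return legit, rebound
}

func main() {
	legit, rebound := demo()
	fmt.Printf("legitimate Host -> %d, rebound Host -> %d\n", legit, rebound)
	// Wire the check in front of the real handler when serving for real.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", hostAllowlist(allowedHosts, apiHandler())))
}
```

The allowlist has to contain every name the app is legitimately addressed by (the VNet FQDN, with any leaf-cluster suffix the docs describe), and a raw IP in Host is rejected on purpose. The first mitigation in the quoted text, HTTPS, is stronger for the same reason: the browser validates the certificate against attacker.example, which the app's certificate does not cover, so the rebound connection fails before any request is sent.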

Outdated comment threads: docs/pages/enroll-resources/application-access/guides/vnet.mdx (3), docs/pages/connect-your-client/vnet.mdx (1)
Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
@nklaassen nklaassen enabled auto-merge July 9, 2025 22:42
@nklaassen nklaassen added this pull request to the merge queue Jul 9, 2025
Merged via the queue into master with commit 49bf940 Jul 9, 2025
40 checks passed
@nklaassen nklaassen deleted the nklaassen/docs-vnet-warnings branch July 9, 2025 22:58
nklaassen added a commit that referenced this pull request Jul 9, 2025
Backport #56601 to branch/v18
nklaassen added a commit that referenced this pull request Jul 9, 2025
Backport #56601 to branch/v17
nklaassen added a commit that referenced this pull request Jul 9, 2025
Backport #56601 to branch/v18
github-merge-queue Bot pushed a commit that referenced this pull request Jul 10, 2025
github-merge-queue Bot pushed a commit that referenced this pull request Jul 10, 2025
marcoandredinis pushed a commit that referenced this pull request Jul 10, 2025
* [docs] add VNet warnings

* Apply suggestions from code review

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>

* fix typo

---------

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
github-merge-queue Bot pushed a commit that referenced this pull request Jul 22, 2025
* [v18][vnet] feat: TCP dial to SSH targets

Backport #55087 to branch/v18

* [v18][vnet] feat: accept incoming SSH connections

Backport #55155 to branch/v18

* [v18][vnet] feat: forward SSH connections to target

Backport #55156 to branch/v18

* [v18][vnet] feat: write VNet SSH keys to TELEPORT_HOME

Backport #55228 to branch/v18

* [v18][vnet] feat: write OpenSSH-compatible config file for VNet SSH

Backport #55239 to branch/v18

* [v18][vnet] fix: support <hostname>.<leaf-cluster> for VNet SSH

Backport #55688 to branch/v18

* [v18][vnet] feat: add "Connect with VNet" button to SSH servers

Backport #55623 to branch/v18

* fix test in backport

* [v18][vnet] feat: support VNet SSH when cluster name does not match proxy public addr

Backport #55655 to branch/v18

* [v18][vnet] feat: add SSH configuration diagnostic

Backport #55594 to branch/v18

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>

* [v18][vnet] feat: show SSH status in VNet slider

Backport #55755 to branch/v18

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>

* [v18][vnet] feat: support proxy recording mode with VNet SSH

Backport #55788 to branch/v18

* [v18][vnet] feat: support diag checks on windows

Backport #55856 to branch/v18

* [v18] fix: data race in vnet.TestSSH

Backport #55980 to branch/v18

* [v18][vnet] feat: mention SSH on VNet info page

Backport #55973 to branch/v18

* [v18][vnet] feat: serve DNS on IPv4

Backport #55539 to branch/v18

* [v18][vnet] fix: close proxied channel only after data and requests are complete

Backport #56020 to branch/v18

* [v18][vnet] feat: automatic SSH client configuration

Backport #55923 to branch/v18

* VNet diag notification: Do not show button to open report if there's no workspace selected (#56067)

* VNet diag report: Don't show button in notification if there's no workspace

* Replace deprecated MutableRefObject with RefObject

* Make openReport not depend on value of rootClusterUri

Otherwise the effect that uses setInterval re-runs whenever the user
switches to another workspace.

* [v18][vnet] feat: automatic SSH client configuration in Connect

Backport #55924 to branch/v18

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>

* [v18][vnet] fix: avoid empty host matchers in generated SSH config

Backport #56103 to branch/v18

* [v18][docs] VNet SSH

Backport #56147 to branch/v18

* [v18][docs] add VNet warnings

Backport #56601 to branch/v18

* [v18][vnet] feat: SSH usage reporting

Backport #56537 to branch/v18

* [v18][vnet] fix: mask default IP route on windows

Backport #56957 to branch/v18

---------

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>

Labels

documentation no-changelog Indicates that a PR does not require a changelog entry size/sm vnet


3 participants