How do Health Checks Work?
In order to reliably send print and led sign requests, Core-v4 needs to check if Quasar services are up and running. Below is a diagram of how we use SSH tunnels to bridge the gap between Core-v4 and Quasar.
Currently, there is a one way firewall between the server running the sce homepage and the one running Quasar. Although Core-v4 cannot reach Quasar, Quasar is able to ping Core-v4. We can use this to create a bidirectional SSH tunnel between the two.
On the Quasar side, a docker container initializes the ssh tunnel on startup. This is done by a bash script which can be found .
Typically, you think about a SSH as a one way connection into a remote computer. However, there is a way to create a reverse tunnel using the -R switch. While this sounds complicated, in practice Core-v4 is able to send an HTTP request to localhost:14000. Instead of routing the request back to Core-v4’s port 14000, the request flies through the tunnel and lands at Quasar’s port 9000. On Quasar, we have an HTTP server running on port 9000 to handle incoming health check requests.
Since we’re using SSH, the tunnel is encrypted. Furthermore, the tunnel on the Quasar side connected to a docker container, isolated from the Quasar virtual machine. On Quasar’s end, we have a known_hosts file which contains Core-v4’s public SSH key; every time Quasar initiates the SSH connection, it can verify the identity of Core-v4 to avoid man-in-the-middle attacks.
TODO
TODO