github henrygd/beszel v0.12.0-beta1

Pre-release, 3 months ago

Warning

This is a beta release. Please make a hub backup before upgrading.

Version 0.12.0 adds the ability for agents to initiate an outgoing connection to the hub.

It also introduces universal tokens, which can be used to register systems without needing to add them manually in the hub. It also allows you to deploy multiple agents with the same configuration, which should make cluster deployments easier.

Please report issues or provide feedback in #951. Thanks!

Upgrading

  • Docker: Switch to the :edge tag.
  • Other: This is the first beta release so I'm not sure how the different package managers handle it. To run manually, download the new binary, replace the old one, then add the new env vars and restart the service. I'm working on updating the install scripts and will look further into the package manager situation tomorrow.

Details

The WebSocket connection works in tandem with the agent's existing SSH server. If the agent connects successfully via WebSocket it will stop the SSH server. Likewise, if the agent connects via SSH it will stop attempting to connect via WebSocket.

Note: Don't add the HUB_URL env var to an agent that connects to multiple hubs. This isn't supported yet with WebSocket. Otherwise everything should be fully backwards compatible.

The agent gets two new environment variables:

  • HUB_URL: The URL of the hub.
  • TOKEN: The token associated with the system, provided in the hub.

You can copy these values for existing systems in the hub at /settings/tokens.

WebSocket authentication

We use a mutual authentication handshake that ensures both parties are trusted before any data is exchanged. Let me know if you have ideas for improvement.

  1. Initial connection and token verification: The agent initiates a WebSocket connection to the hub. It includes a unique registration token as an HTTP header during the upgrade request. The hub verifies that the token is associated with an existing system before upgrading the connection.

  2. Hub challenge: To prove its identity to the agent, the hub signs the token using its private key and sends the signature back to the agent. The agent verifies the signature using the hub's public key.

  3. Fingerprint authentication: After verifying the hub, the agent responds by sending its fingerprint. This fingerprint is a secure hash of unique identifiers, locking the agent's registration to the machine it's running on. The hub verifies the received fingerprint against the one stored for the system. If they match, the connection is authorized.
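
The three steps above, written out as an added Go example (not Beszel's own code) with both sides of the exchange and the failure case for each step. The Ed25519 key type, the `Hub` type, the function names and the fixed-size fingerprint are assumptions, and the WebSocket transport is replaced by direct calls.

```go
package main // Added illustration of the handshake; not Beszel's source code.

import (
	"crypto/ed25519"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Hub holds its signing key and the fingerprint stored for each token.
type Hub struct {
	priv   ed25519.PrivateKey
	tokens map[string][32]byte
}

// Challenge covers steps 1 and 2: refuse unknown tokens, then sign the token.
func (h *Hub) Challenge(token string) ([]byte, error) {
	if _, ok := h.tokens[token]; !ok {
		return nil, errors.New("unknown token: upgrade refused")
	}
	return ed25519.Sign(h.priv, []byte(token)), nil
}

// Authorize is step 3: constant-time comparison with the stored fingerprint.
func (h *Hub) Authorize(token string, fp [32]byte) bool {
	stored, ok := h.tokens[token]
	return ok && subtle.ConstantTimeCompare(stored[:], fp[:]) == 1
}

// AgentConnect is the agent side; fp is sent only once the hub has proved itself.
func AgentConnect(h *Hub, hubPub ed25519.PublicKey, token string, fp [32]byte) error {
	sig, err := h.Challenge(token)
	if err != nil {
		return err
	}
	if !ed25519.Verify(hubPub, []byte(token), sig) {
		return errors.New("hub signature invalid: fingerprint withheld")
	}
	if !h.Authorize(token, fp) {
		return errors.New("fingerprint mismatch: connection refused")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	fp := [32]byte{0xA1}                     // constructed stand-in for the machine hash
	hub := &Hub{priv, map[string][32]byte{"constructed-token": fp}}
	fmt.Println(AgentConnect(hub, pub, "constructed-token", fp)) // <nil>
}
```

The order of the checks in `AgentConnect` is the point: an agent that pins the wrong public key, or is pointed at a host that cannot sign with the hub's key, stops before its fingerprint leaves the machine.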

Full Changelog: v0.11.1...v0.12.0-beta1