Add VM-to-VM HTTP request authentication with VM identity headers

[josharian]

Author: philz42
Channel: #feedback
Link: https://discord.com/channels/1405685085923049482/1405686161791516873/1488287689794125884

---

Description

Implement a feature to authenticate VM-to-VM HTTP requests by including a header that identifies the connecting VM. This would make it as easy to authenticate VM-to-VM requests as it currently is to authenticate user HTTP requests.

Use Case

Build a proxy that:

• Runs on one VM and holds secrets
• Validates HTTP requests from other VMs
• Uses VM identity headers for authentication
• Allows connecting VMs to remain secret-free

Considerations

• VM names can be renamed, so an immutable VM identifier may be needed instead of (or in addition to) the VM name
• Should follow the same authentication pattern as the existing user HTTP request header authentication

Context

This request came from a discussion about improving VM-to-VM communication security on exe.dev.

[skybrian]

Also, it probably should only allow same-user or same-team VM-to-VM connections unless more access is explicitly turned on, much like making a VM's website public is done with an explicit command.

[skybrian]

Thinking about it a bit more, it seems like there are couple ways to go: (1) the minimalist way where you get a header with an opaque id and each VM has its own permissions table and makes authorization decisions itself, and (2) the enterprise version where the control plane is separate from the VMs, sort of like Tailscale.

For my own tinkering, the minimalist version would be fine.