docs: Add FaQ for network issues due to DPI #546

Merged
merged 1 commit into from
Nov 28, 2024
41 changes: 41 additions & 0 deletions docs/src/about/faq.md
Expand Up @@ -26,3 +26,44 @@ request the signer:
All of this ensures that only ever the latest state gets signed, and
that this signed state doesn't get revoked, making a cheat attempt
impossible.

## Connectivity

### Why can't I connect to the service from my school/work network?

For its authentication and authorization Greenlight uses mTLS (mutual
transport layer security), an extension on the usual TLS used for
secure communication in browsers. Unlike normal websites however,
Greenlight requires two things:

- The server must reply with a server certificate signed by the Greenlight CA.
- The client must use a client certificate signed by the Greenlight CA.

When you try to access a service that uses mTLS (Mutual Transport
Layer Security) with self-signed certificates, you might encounter
connectivity issues, especially on networks with Deep Packet
Inspection (DPI).

DPI is a network security technique used to inspect network traffic to
identify potential threats. Some DPI systems can interfere with
encrypted connections, particularly those using self-signed
certificates. These systems often rely on trusted Certificate
Authorities (CAs) to validate certificates. Since self-signed
certificates are not issued by a trusted CA, they may be flagged as
suspicious and blocked.

The root cause of the issue lies in the network configuration and
security policies of your school or workplace network. They may have
strict security measures in place that restrict traffic based on
certificate validation. 

This is not a Greenlight issue. Greenlight is using a standard
security protocol, mTLS, to protect your data. The problem arises from
the network restrictions imposed by your institution.

We are working on exposing the scheduler and node interfaces over
[`grpc-web`][grpc-web] which can use browser-grade certificates, and
not require a client certificate, thus avoiding these connectivity
issues.

[grpc-web]: https://github.com/grpc/grpc-web
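
Review bot: The paragraph beginning "When you try to access a service that uses mTLS" and the DPI paragraph after it call the certificates "self-signed", but the two bullets above say both the server and client certificates are signed by the Greenlight CA. A certificate issued by a private CA is not self-signed, and the practical reason a DPI box rejects it is that the Greenlight CA is not in the middlebox's trust store. Suggest replacing "self-signed certificates" with wording such as "certificates issued by a private CA that is not in the public trust stores" in both places so the FAQ agrees with its own description. Two smaller points: the mTLS expansion is spelled out a second time in that same paragraph ("mTLS (Mutual Transport Layer Security)") after already being introduced in the first paragraph, so the second one can be dropped; and the line ending "certificate validation. " carries trailing whitespace.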