---
outline: [2, 3]
description: beOS Pro network architecture principles, covering application entrance types, local access mechanisms, endpoint configurations and internal network security policies.
---
# Network

beOS Pro provides users with barrier-free, secure and versatile network solutions. This document covers the key networking concepts related to application access.

## Entrance
Each beOS Pro application can have one or more entrances that serve as access points. There are three types of entrances:
### Public entrance
- Provides external services such as blogs, social media, etc.
- Accessible without authentication
- Basic security through Cloudflare
### Private entrance
- Provides services exclusively for individual users, families, or teams
- Suitable for readers, entertainment, productivity tools, desktop applications, etc.
- Requires [authentication](account.md#multi-factor-authentication-mfa) for access
### Internal entrance

- Functions similarly to a private entrance
- No authentication required when accessing applications through the beOS Pro app VPN

## Endpoints
An endpoint is the access address or point where users interact with an application. Simply put, it's the URL you enter in your browser's address bar to access a specific beOS Pro application or its features.
A typical beOS Pro application endpoint follows this format:

`https://{routeID}.{domain}`

For example: `https://vault.alice123.beos.local`, where
- `vault` is the route ID for a system application.
- `alice123.beos.local` is derived from the beOS ID `alice123@beos.local`.
## Route ID
A route ID is a unique identifier used to identify specific applications or application entrances. The default route IDs are automatically generated by the system according to the following rules:

- System applications
  - Use predefined, memorable route IDs
  - Examples: `desktop` (for Desktop), `market` (for Market)
- Community applications
  - Use an 8-character random string + entrance index (starting from 0)
  - Example: for an application with route ID `92d76a13` and two entrances, the first entrance is `92d76a130`, and its access URL is `92d76a130.bob.beos.local`

::: tip Note

- The URL of the application is derived from the beOS ID.
- The entrance index refers to the position of the entrance among the entrances defined in [`beOS ProManifest.yaml`](../develop/package/manifest.md).

:::
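
As an added example (not part of this page or of the beOS Pro project's own code), the following Python helpers build and parse endpoint URLs in the format described above, distinguishing system route IDs from community route IDs and recovering the beOS ID and entrance index. The character set of the 8-character app ID (lowercase letters and digits, as in `92d76a13`) and the single-label route ID and user name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Route IDs of system applications named on this page.
SYSTEM_ROUTE_IDS = {"desktop", "market", "vault"}
# Community route ID: 8-character app ID followed by the entrance index.
# Assumption: the app ID uses lowercase letters and digits, as in `92d76a13`.
COMMUNITY_ROUTE_RE = re.compile(r"^(?P<app>[a-z0-9]{8})(?P<index>\d+)$")

@dataclass(frozen=True)
class Endpoint:
    route_id: str
    beos_id: str                # e.g. "alice123@beos.local"
    kind: str                   # "system" or "community"
    app_id: Optional[str] = None
    entrance_index: Optional[int] = None

def domain_for(beos_id: str) -> str:
    """Derive the per-user domain: alice123@beos.local -> alice123.beos.local."""
    local, sep, domain = beos_id.partition("@")
    if not (sep and local and domain):
        raise ValueError(f"malformed beOS ID: {beos_id!r}")
    return f"{local}.{domain}"

def community_route_id(app_id: str, entrance_index: int) -> str:
    """Route ID of one entrance of a community application (index starts at 0)."""
    if not re.fullmatch(r"[a-z0-9]{8}", app_id) or entrance_index < 0:
        raise ValueError("app ID must be 8 characters and index must be >= 0")
    return f"{app_id}{entrance_index}"

def build_endpoint(beos_id: str, route_id: str) -> str:
    """Compose https://{routeID}.{domain} for the given user and route ID."""
    return f"https://{route_id}.{domain_for(beos_id)}"

def parse_endpoint(url: str) -> Endpoint:
    """Split an endpoint URL back into route ID, beOS ID and entrance index."""
    parts = urlsplit(url)
    labels = parts.hostname.split(".") if parts.hostname else []
    # Assumption: route ID and beOS local part are each a single DNS label.
    if parts.scheme != "https" or len(labels) < 3:
        raise ValueError(f"not a beOS Pro endpoint: {url!r}")
    route_id, local, *rest = labels
    beos_id = f"{local}@{'.'.join(rest)}"
    if route_id in SYSTEM_ROUTE_IDS:
        return Endpoint(route_id, beos_id, "system")
    m = COMMUNITY_ROUTE_RE.match(route_id)
    if not m:
        raise ValueError(f"unknown route ID: {route_id!r}")
    return Endpoint(route_id, beos_id, "community", m["app"], int(m["index"]))
```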
## beOS Pro internal network
beOS Pro implements a layered proxy routing design in its gateway architecture. Traffic flows through multiple layers:
`cluster` -> `user` -> `application` -> `service component`.
Inside the application, beOS Pro has multiple layers of security.
- **Namespace isolation**
  - Each application operates in its own exclusive namespace
  - All resources are namespace-confined
  - Applications cannot bind a `ClusterRole` to a `ServiceAccount`
  - Cross-namespace resource access is prohibited
- **Network policy controls**
  - Each namespace has dedicated network policies
  - Incoming network requests are restricted to cluster applications and the user's system applications
  - User-level network isolation:
    - Applications are isolated between users
    - Third-party applications are isolated within the user's space
- **Pod restrictions**
  - Pods cannot use `hostNetwork` or a `NodePort` service
  - Traffic access requires a declared entrance service and the system-provided entry proxy
  - A Pod declared as an entrance is forced to join Envoy's sandbox sidecar, which authenticates and authorizes incoming traffic.

## Learn more
- [Set up custom domain name for application](../../manual/olares/settings/custom-app-domain.md#custom-domain-name)
- [Access beOS Pro via VPN](/manual/larepass/private-network.md)