Comments (7)
Hello!
About Web UI. At the moment you can start Centrifugo without UI at all by just omitting the `--web` flag. Also if no password is set in the config file then we can just skip the login screen (must be easy to implement).
Could you configure access on location level? For example something like this in Nginx:

```nginx
location / {
    allow 127.0.0.1;
    deny all;
}
```
?
About API. There is option `--insecure_api` which can disable sign check so you can send unsigned requests with JSON commands in request body. Again - is it possible in your case to just restrict access to API endpoint `/api/`?
Hope I understood issue correctly.
from centrifugo.
Thanks for the reply!
I realise you can disable web but like I said we would need a way to bypass login like you said so we could run it on a separate instance.

> Could you configure access on location level?

> is it possible in your case to just restrict access to API endpoint `/api/`?
Could do that but in our case we will probably have an AWS ELB right in front of centrifugo doing TCP load balancing so it can't know anything about http request path or routing... Adding whole extra proxy layer just to secure it is possible but it would be much nicer just to not have the api exposed at all (or only on a separate listening port we can control separately).
If you are unsure it's useful to anyone else, I can implement in a fork but it would be great to not be running custom version!
I think my preferred option would be:
- allow `web_secret` to be empty (or maybe `false` to make it explicit) and if it is skip the login
- add config `web_port` and `api_port` which by default are just the same as `port`
- if web and/or api have different ports configured, add their handlers to a separate `http.ServeMux` and serve them with a separate call to `ListenAndServe`. This allows you to have same instances used for internal API calls and web UI and public websockets, but gives flexibility to lock down access to api/web ports to only internal machines and/or separate proxy with different authentication layer etc.
The simpler option is:
- allow `web_secret` to be empty (or maybe `false` to make it explicit) and if it is skip the login
- make an option `disable_api` which just removes the API handler from being registered at all.
- fix it so that `/auth/`, `/info/` and `/action/` APIs are only enabled if `web` is also enabled...
I think it's better to do as much as possible before forking to custom version. This can happen eventually but at moment all these things seems reasonable.
I think a combination of your points must be done here:
- if `web_password` and `web_secret` are empty then we will skip auth (we can't make it `false` as config parser expects string). Warning in docs needed here.
- option to disable http API `disable_api` - for those who use Nginx.
- add `api_port` and `web_port` options
- `/auth/`, `/info/` and `/action/` APIs should only be enabled if web is enabled (strange that I have not done this before).
I am considering to add some logic into `/socket` endpoint i.e. use it not just for web interface needs. But it will be another option so now we can just leave it disabled if web disabled.
Sounds good. If you don't post here I might have a go at this soon but probably not for this week at least so if you want to that will be awesome :)
Started implementing this in separate branch (https://github.com/centrifugal/centrifugo/tree/separate_ports), changed some points above:
- explicit `insecure_web` option instead of empty `web_password` and `web_secret`.
- use `admin_port` instead of `web_port` for option name as this port will most probably be used not only by web interface in future.
- as you don't need `disable_api` then I think it's better to not add it right now
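An added sketch (example code, not Centrifugo's own implementation or the `separate_ports` branch) of the design settled on in the two comments above: one `http.ServeMux` per listen port, the client endpoint on the public port, `/api/` on `api_port`, the web-only `/auth/`, `/info/`, `/action/` endpoints on `admin_port` behind a login gate that `insecure_web` skips. Handler bodies, the `Status` probe and the `/connection/` path are stand-ins assumed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config holds the options from the thread; an empty port means "same as Port".
type Config struct {
	Port, AdminPort, APIPort string // public port, admin_port, api_port
	InsecureWeb              bool   // insecure_web: skip the admin login
}
type Muxes map[string]*http.ServeMux // listen port -> mux served on it
func (m Muxes) on(port, fallback string) *http.ServeMux {
	if port == "" {
		port = fallback
	}
	if m[port] == nil {
		m[port] = http.NewServeMux()
	}
	return m[port]
}
var ok = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
// BuildMuxes puts the client endpoint on the public port and the API and web
// endpoints on their own ports; with equal ports they simply share one mux.
func BuildMuxes(cfg Config) Muxes {
	m := Muxes{}
	m.on(cfg.Port, cfg.Port).Handle("/connection/", ok)
	m.on(cfg.APIPort, cfg.Port).Handle("/api/", ok)
	admin := func(w http.ResponseWriter, r *http.Request) {
		if !cfg.InsecureWeb { // the real password/session check would sit here
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		ok.ServeHTTP(w, r)
	}
	for _, p := range []string{"/auth/", "/info/", "/action/"} { // web-only endpoints
		m.on(cfg.AdminPort, cfg.Port).HandleFunc(p, admin)
	}
	return m
}
// Status is what a GET to path on port returns; 0 means nothing listens there.
func Status(m Muxes, port, path string) int {
	if m[port] == nil {
		return 0
	}
	rec := httptest.NewRecorder()
	m[port].ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Code
}
func main() { fmt.Println(Status(BuildMuxes(Config{Port: "8000", APIPort: "8001"}), "8000", "/api/")) } // prints 404
```

In the real server each mux would get its own `http.ListenAndServe`, with the admin and API listeners bound to an internal interface; the point of the split is that the public mux never has `/api/` registered, whatever the load balancer in front of it can see.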
Commented on commits - looks awesome thanks. I'll give the branch a try really soon - hopefully next day or two.
Will be released with v1.3.0