Comments (7)

FZambia avatar FZambia commented on May 15, 2024

Hello!

About Web UI. At the moment you can start Centrifugo without UI at all by just omitting the --web flag. Also, if no password is set in the config file, then we can just skip the login screen (must be easy to implement).

Could you configure access on location level? For example something like this in Nginx:

location / {
    allow 127.0.0.1;
    deny  all;
}

?

About API. There is option --insecure_api which can disable sign check so you can send unsigned requests with JSON commands in request body. Again - is it possible in your case to just restrict access to API endpoint /api/?

Hope I understood issue correctly.

from centrifugo.

banks avatar banks commented on May 15, 2024

Thanks for the reply!

I realise you can disable web, but like I said we would need a way to bypass login, like you said, so we could run it on a separate instance.

Could you configure access on location level?
is it possible in your case to just restrict access to API endpoint /api/?

Could do that but in our case we will probably have an AWS ELB right in front of centrifugo doing TCP load balancing so it can't know anything about http request path or routing... Adding whole extra proxy layer just to secure it is possible but it would be much nicer just to not have the api exposed at all (or only on a separate listening port we can control separately).

If you are unsure it's useful to anyone else, I can implement in a fork but it would be great to not be running custom version!

I think my preferred option would be:

  • allow web_secret to be empty (or maybe false to make it explicit) and if it is skip the login
  • add config web_port and api_port which by default are just the same as port
  • if web and/or api have different ports configured, add their handlers to a separate http.ServeMux and serve them with a separate call to ListenAndServe. This allows you to have same instances used for internal API calls and web UI and public websockets, but gives flexibility to lock down access to api/web ports to only internal machines and/or separate proxy with different authentication layer etc.

The simpler option is:

  • allow web_secret to be empty (or maybe false to make it explicit) and if it is skip the login
  • make an option disable_api which just prevents the API handler from being registered at all.
  • fix it so that /auth/, /info/ and /action/ APIs are only enabled if web is also enabled...

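The separate-listener layout proposed above, as an added sketch in Go that is not Centrifugo's own code: the public websocket endpoint goes on one http.ServeMux, the admin/API handlers on a second mux served by its own ListenAndServe when admin_port differs from port, and /auth/, /info/ and /action/ are registered only when web is enabled. Config, BuildMuxes, Serve and the /connection/websocket path are assumed names.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

// Config uses the option names from the thread (assumed shape, not Centrifugo's real config).
type Config struct {
	Port      string // public websocket endpoint, e.g. ":8000"
	AdminPort string // admin UI + HTTP API listener; empty means same as Port
	Web       bool   // web interface enabled (gates /auth/, /info/ and /action/)
}

func ok(name string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "%s handler", name) }
}

// BuildMuxes registers the public websocket endpoint on one mux and the admin/API
// endpoints on a second mux when AdminPort differs from Port; otherwise both share one.
func BuildMuxes(cfg Config) (public, admin *http.ServeMux) {
	public = http.NewServeMux()
	public.HandleFunc("/connection/websocket", ok("websocket"))
	admin = public
	if cfg.AdminPort != "" && cfg.AdminPort != cfg.Port {
		admin = http.NewServeMux() // API/admin handlers never touch the public listener
	}
	admin.HandleFunc("/api/", ok("api"))
	if cfg.Web { // these endpoints exist only for the web interface
		for _, p := range []string{"/auth/", "/info/", "/action/"} {
			admin.HandleFunc(p, ok(p))
		}
	}
	return public, admin
}

// Serve starts a second ListenAndServe only when the admin mux is separate,
// so the admin port can be bound to a loopback or internal address.
func Serve(cfg Config) error {
	public, admin := BuildMuxes(cfg)
	if admin != public {
		go func() { log.Println(http.ListenAndServe(cfg.AdminPort, admin)) }()
	}
	return http.ListenAndServe(cfg.Port, public)
}

func main() { log.Fatal(Serve(Config{Port: ":8000", AdminPort: "127.0.0.1:8001", Web: true})) }
```

With AdminPort set to a loopback address as in main, a TCP load balancer in front of the public port never sees /api/ at all.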

FZambia avatar FZambia commented on May 15, 2024

I think it's better to do as much as possible before forking to a custom version. This can happen eventually, but at the moment all these things seem reasonable.

I think a combination of your points must be done here:

  • if web_password and web_secret are empty then we will skip auth (we can't make it false as config parser expects string). Warning in docs needed here.
  • option to disable http API disable_api - for those who use Nginx.
  • add api_port and web_port options
  • /auth/, /info/ and /action/ APIs should only be enabled if web is enabled (strange that I have not done this before).

I am considering adding some logic into the /socket endpoint, i.e. using it not just for web interface needs. But it will be another option, so for now we can just leave it disabled if web is disabled.


banks avatar banks commented on May 15, 2024

Sounds good. If you don't post here I might have a go at this soon but probably not for this week at least so if you want to that will be awesome :)


FZambia avatar FZambia commented on May 15, 2024

Started implementing this in separate branch (https://github.com/centrifugal/centrifugo/tree/separate_ports), changed some points above:

  • explicit insecure_web option instead of empty web_password and web_secret.
  • use admin_port instead of web_port for the option name, as this port will most probably be used not only by the web interface in future.
  • as you don't need disable_api, I think it's better to not add it right now


banks avatar banks commented on May 15, 2024

Commented on commits - looks awesome thanks. I'll give the branch a try really soon - hopefully next day or two.


FZambia avatar FZambia commented on May 15, 2024

Will be released with v1.3.0

