What should be the default Proxy interface?

cozy / cozy-controller

Cozy Module and Apps deployer

cozy.io

GNU Affero General Public License v3.0

5 stars 13 forks source link

What should be the default Proxy interface? #146

Closed clochix closed 8 years ago

clochix commented 8 years ago

For now, broxy listen by default on public interface: https://github.com/cozy/cozy-controller/blob/master/server/lib/conf.coffee#L14

This allows to use a reverse proxy hosted on another server.

But this means this port stay open for self-hosted users that don't use a firewall (Is this really a security issue? I don't think so. But it allows to connect to cozy-proxy without TLS). See for example this thread.

Should we update the default to the local interface?

Ping @nledez @nono @poupotte

frankrousseau commented 8 years ago

Hi @clochix,

You can connect to the Cozy Proxy without TLS but login to the proxy doesn't work if you don't use a https connection.
This public port allow to see if the Cozy is up from outside and to know if the. Sometimes it's useful to check if there is a configuration problem with the reverse proxy.
It makes configuration easier when Cozy is deployed in a container or in a virtual machine.

NB: the title is misleading. Your text doesn't cover the port number but the fact it is binded to localhost.

clochix commented 8 years ago

Hi @frankrousseau,

oups, fixed the title of the ticket. I opened this issue as a follow-up of a discussion we started with @nono, after a user asked why was our proxy listening on public interface. Seems like there are two legit use case:

for self-hosted users, it would probably be better to only listen on local interface;
for managed instances, we need to listen on the public interface.

The binding interface is set in the controller and in the controller.json configuration file. Maybe could we use this file to have different default values for self-hosted users.

frankrousseau commented 8 years ago

If it's already an option, properly documenting it should be enough. Self-hosted users probably prefer to deploy Cozy in a dedicated container or virtual machine. So the current default value is ok.

For specific cases, like the Raspberry Pi image, we could change this value.

clochix commented 8 years ago

Another user is asking how to make the proxy listen on the local interface. @nono can you confirm that the corresponding syntax in /etc/cozy/controller.json is:

"env": {
  "proxy": {
    "HOST": "127.0.0.1"
  }
}

nono commented 8 years ago

No, it is:

{
  "bind_ip_proxy": "127.0.0.1"
}

And the configuration file is described here: https://github.com/cozy/cozy-controller/blob/master/doc/config.md

clochix commented 8 years ago

Thanks @nono.

I think we can now close this issue, feel free to re-open it if you think it needs more work.