Open arun-prakash-fokus opened 1 year ago
I don't think it's a good idea to allow accessing the whole Moleculer project via a TCP socket. If you expose the port, anybody can join your cluster without any authentication and can make wrong things as well.
If you expose a port, it can be the port of the transporter and you can join from your computer with moleculer-cli as moleculer connect nats://some-server:4222.
> I don't think it's a good idea to allow accessing the whole Moleculer project via a TCP socket. If you expose the port, anybody can join your cluster without any authentication and can make wrong things as well.
That's a valid concern. However, IMHO since moleculer-repl is added under devDependencies, it's never packed during the docker image build or when the moleculerjs package is built with NODE_ENV=production. Furthermore, the broker.repl() is only called when the "--repl" option is passed to the moleculer-runner. It's unlikely that a TCP socket would be opened during production mode by error.
> If you expose a port, it can be the port of the transporter and you can join from your computer with moleculer-cli as moleculer connect nats://some-server:4222.
Thanks for the tip 👍🏾 By expose, do you mean the docker-compose,
expose:
  - 4222
or
ports:
  - 4222:4222
In my docker-compose, other than the traefik container ports (80, 443 and 8080), no other containers have port forwarding. I use the traefik labels to route http and tcp traffic to the moleculer service container.
@icebob the socket does not have to be public. It can be localhost and ssh port forwarding or a zero-trust network.
telnet or socat
tcpPort REPL opts or with the replTcpPort broker configuration.
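An added example, not part of the thread and not Moleculer's code: one way to enforce the localhost-only socket suggested in the last comment, together with the production-mode concern raised earlier. `replListenOptions`, `startReplSocket` and `host` are hypothetical names, `tcpPort` is the option name mentioned above, and port 5000 is a constructed value.

```javascript
// Hypothetical helper (not Moleculer API): decide where a TCP-attached REPL may listen.
// The REPL has no authentication, so the only safe bind target is the loopback interface.
const LOOPBACK = /^(localhost|::1|127(\.\d{1,3}){3})$/;

function replListenOptions({ tcpPort, host = "127.0.0.1" } = {}, env = process.env) {
  // No port requested: keep the REPL on stdin only.
  if (tcpPort == null) return null;

  if (!Number.isInteger(tcpPort) || tcpPort < 1 || tcpPort > 65535) {
    throw new RangeError(`invalid tcpPort: ${tcpPort}`);
  }
  // Belt and braces on top of "moleculer-repl is a devDependency".
  if (env.NODE_ENV === "production") {
    throw new Error("refusing to open a REPL socket with NODE_ENV=production");
  }
  // Rejects 0.0.0.0, "::" and any routable address.
  if (!LOOPBACK.test(host)) {
    throw new Error(`refusing to bind REPL socket to non-loopback host ${host}`);
  }
  return { port: tcpPort, host };
}

function startReplSocket(opts, onSession) {
  const listen = replListenOptions(opts);
  if (!listen) return null;

  // Loaded only when a socket is actually requested.
  const net = require("node:net");
  const server = net.createServer(onSession);

  // Always pass an explicit host: server.listen(port) on its own binds to
  // the unspecified address, i.e. every interface of the container or host.
  server.listen(listen);
  return server;
}

// Remote access then goes through an authenticated channel, for example
//   ssh -L 5000:127.0.0.1:5000 user@some-server
// followed by telnet or socat against 127.0.0.1:5000 on the workstation.
console.log(replListenOptions({ tcpPort: 5000 }, {})); // constructed sample input
```
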