Open arun-prakash-fokus opened 1 year ago
icebob
commented
1 year ago I don't think it's a good idea to allow accessing the whole Moleculer project via a TCP socket. If you expose the port, anybody can join your cluster without any authentication and can make wrong things as well.
If you expose a port, it can be the port of the transporter and you can join from your computed with moleculer-cli as moleculer connect nats://some-server:4222.
arun-prakash-fokus
commented
1 year ago I don't think it's a good idea to allow accessing the whole Moleculer project via a TCP socket. If you expose the port, anybody can join your cluster without any authentication and can make wrong things as well.
That's a valid concern. However, IMHO since moleculer-repl is added under devDependencies, its never packed during the docker image build or when the moleculerjs package is built with NODE_ENV=production. Furthermore, the broker.repl() is only called when the "--repl" option is passed to the moleculer-runner. Its unlikely that a TCP socket would be opened during production mode by error.
If you expose a port, it can be the port of the transporter and you can join from your computed with
moleculer-cliasmoleculer connect nats://some-server:4222.
Thanks for the tip 👍🏾 By expose, do you mean the docker-compose,
expose:
- 4222or
ports:
- 4222:4222In my docker-compose, other than the traefik container ports (80, 443 and 8080), no other containers have port forwarding. I use the traefik labels to route http and tcp traffic to the moleculer service container.
intech
commented
1 year ago @icebob the socket does not have to be public. It can be localhost and ssh port forwarding or a zero-trust network.
telnetorsocattcpPortREPL opts or with thereplTcpPortbroker configuration.