nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0
5.41k stars 332 forks source link

[Feature Request] Basic Authentication for Control Socket #1315

Open ivanov17 opened 5 months ago

ivanov17 commented 5 months ago

Hello team,

I have an idea. I think it will be safer to secure the Control API with Basic Authentication when using a TCP socket. This would be useful when using a containerized application, since in this case it is impractical to accept API connections only from the localhost. This will also avoid the need to use an additional proxy just for Basic Authentication for API connections.

What do you think?

lcrilly commented 5 months ago

Nice idea, but I think it is insufficient without also making the transport confidential (with TLS).

Is this for local development using Docker, or production-like environments? Are you looking to make changes to the running configuration and/or monitor Unit with the /status API endpoint?

ivanov17 commented 5 months ago

Hello, Liam. I believe this could be used in production-like environments to sent configuration changes using authentication from configuration-management software such as Ansible that operates on the host. At the same time, the need for authentication can protect against unwanted changes that may be sent from an infected container in the same container network. If I'm wrong please correct me.

I think there should be a choice about which endpoints to protect, since it might be desirable for the /status endpoint to be accessible without authentication, e.g. for monitoring purposes. In other cases, the administrator may also want to use authentication to access statistics.

ivanov17 commented 4 months ago

Also, if Unit had a separate /metrics endpoint for metrics in Prometheus format, we could just protect the Prometheus endpoint and API endpoints using different flags for them, since Prometheus also uses Basic Authentication to access protected target endpoints. I think if the API endpoints already have basic authentication implemented, it will be easier to implement Prometheus endpoint protection in the future.