rakshasa / rtorrent

rTorrent BitTorrent client
https://github.com/rakshasa/rtorrent/wiki
GNU General Public License v2.0

How is reverse proxying a scgi unix-domain socket to localhost:port more secure than publishing scgi directly to localhost:port? #1094

Closed strazto closed 3 years ago

strazto commented 3 years ago

In the wiki, we're strongly discouraged from using network.scgi.open_port, and instead should use a reverse proxy to forward to a local socket.

https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC

We're also strongly advised that the following nginx.conf is insecure

rtorrent.rc:

network.scgi.open_port = 127.0.0.1:5000

nginx.conf:

INSECURE CONFIG, DO NOT USE!

location /RPC2 {
  scgi_pass   127.0.0.1:5000;
  include     scgi_vars;
  scgi_var    SCRIPT_NAME  /RPC2;
}

or (on ubuntu server 14.04)

http {
  server {
    listen 0.0.0.0:8008;
    server_name ngnix-rtorrent;
    access_log /var/log/nginx/rtorrent.access_log;
    error_log /var/log/nginx/rtorrent.error_log;

    location /RPC2 {
      scgi_pass   127.0.0.1:5000;
      include     scgi_params;
    }
  }
}

It's not explicit why exactly this is insecure, & the prevailing advice seems to be "use unix domain sockets, they're more secure".

If I was going to comment on where the real problem with the quoted configs lies I'd say:

AFAIK, that's the extent of it.

If I was going to speak to why people like unix domain sockets, it seems to be that:

Is the "fix" here that:

  1. We need to add some kind of auth to our reverse proxy, for example, basic auth
  2. We need to secure our reverse proxy with https so our credentials aren't just sent in the clear

Does using a local socket, & proxy_pass-ing to that, add any further security? It's not clear from the wiki.

pyroscope commented 3 years ago

Using network.scgi.open_port means any user on the machine you run rTorrent on can execute arbitrary commands with the permission of the rTorrent runtime user. And of course a proper web server config uses basic auth with https, the above is a minimal example, from 2014.
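Not part of the thread or of rTorrent's own code: an added Python check that illustrates the point above by contrasting the two listener styles. It assumes rTorrent's `network.scgi.open_local` directive for the unix-socket case (the thread never names it) and the wiki's `chmod g+w,o=` pattern for the socket mode; all config text and the socket it binds are constructed.

```python
import os
import re
import socket
import stat
import tempfile

# Constructed rtorrent.rc fragments: the TCP style quoted in the issue and
# the unix-socket style the wiki recommends instead.
RC_TCP = "network.scgi.open_port = 127.0.0.1:5000\n"
RC_UNIX = "network.scgi.open_local = /run/rtorrent/rpc.socket\n"

OPEN_PORT = re.compile(r"^\s*network\.scgi\.open_port\s*=\s*(\S+)", re.M)
OPEN_LOCAL = re.compile(r"^\s*network\.scgi\.open_local\s*=\s*(\S+)", re.M)


def audit_rc(rc_text: str) -> list:
    """Report how each SCGI listener declared in rtorrent.rc can be reached."""
    findings = []
    for m in OPEN_PORT.finditer(rc_text):
        # SCGI itself has no authentication; binding to 127.0.0.1 keeps
        # remote hosts out but every local user can still connect.
        findings.append(f"open_port {m.group(1)}: any local user, no auth")
    for m in OPEN_LOCAL.finditer(rc_text):
        # A unix socket is a filesystem object, so its mode and group
        # decide who may connect.
        findings.append(f"open_local {m.group(1)}: limited by socket file mode")
    return findings


def socket_mode_ok(path: str) -> bool:
    """True if path is a unix socket with no 'other' permission bits, i.e.
    only the owner and the group (e.g. the web server's) can connect."""
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode) and (st.st_mode & stat.S_IRWXO) == 0


def demo() -> dict:
    """Bind a throwaway socket and compare a world-open mode with the
    group-only mode the wiki's 'chmod g+w,o=' produces."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rpc.socket")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        os.chmod(path, 0o666)  # as open to local users as the TCP port
        weak = socket_mode_ok(path)
        os.chmod(path, 0o660)  # owner + group only
        fixed = socket_mode_ok(path)
        srv.close()
    return {"tcp": audit_rc(RC_TCP), "unix": audit_rc(RC_UNIX),
            "weak_mode_ok": weak, "fixed_mode_ok": fixed}
```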

strazto commented 3 years ago

Gotcha, thanks. The distinction was a bit fuzzy to me, as I couldn't tell what specifically the wiki took issue with, but knowing that's the main reason for that aspect helps.

https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC I've:

Been very explicit in all examples about the need for auth