ryanlelek / Raneto

Markdown powered Knowledgebase Wiki for Node.js
https://raneto.com
MIT License

Bind on a specific IP address #344

Closed meepmeep closed 3 years ago

meepmeep commented 3 years ago

I'm using Raneto behind nginx, started on a specific port with the env variable PORT: PORT=3002 npm start

Is it possible to bind Raneto to listen only on a specific interface / IP address? (By default, Raneto listens on every available IP, "::PORT".) I tried ADDRESS= and IP= without success.

ryanlelek commented 3 years ago

Hi, you are thinking along the right lines, but it's not implemented this way currently.

Can you share more about your use-case? The quick and dirty approach might be fine to add to the project for making the adoption more simple.

This can be done quick/dirty with Node.js as outlined at this link
However, it's not recommended to do it this way.

For "best practices", this falls more in the realm of Nginx/Apache. Here's a text diagram for reference:

Client -> Nginx/Apache -> Node.js (Raneto)

This is called a "reverse proxy". The thinking is you would host Nginx on the normal 80 and 443 ports and block all other ports with a firewall. Any interaction with Node would be through Nginx, and Nginx would bind to the specific ports using the listen 192.168.0.5:80 directive.
Details on Reverse Proxy setup here

So the "more secure" "best practices" way can be implemented today outside the project. But adding the "not as secure" quick way via an IP environment variable might be useful for people that have simple applications and can accept the risk.

meepmeep commented 3 years ago

Thanks for the quick answer. My use case is the reverse proxy with nginx. I don't want to expose other ports on my IP (or have Raneto available on all my IPv6 addresses), and nginx is in charge of adding all the correct TLS / header configurations:

server {
    listen <ipv4>:443 ssl http2;
    listen [ipv6]:443 ssl http2;

    ssl_certificate     /etc/letsencrypt/live/xyz-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xyz-0001/privkey.pem;

    server_name doc.xyz.tld;
    root /home/lufi/raneto/app;

    # Include security headers
    include snippets/headers.conf;

    # TLS configuration
    include snippets/tls.conf;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Forward to Raneto on the loopback address, started with PORT=3002
        proxy_pass http://127.0.0.1:3002/;
    }

    error_log /var/log/nginx/raneto_error.log;
    access_log /var/log/nginx/raneto_access.log;
}

It is already running behind nginx, but because Raneto listens on all IPs, it could be accessed directly on its specific port (3002 in my case: http://ip:3002). Raneto, like my other projects, should be listening only on 127.0.0.1.

ryanlelek commented 3 years ago

Ok, sounds great. How about we:

Highly suggest reviewing firewall options on-device (ufw or iptables) for your other uses if you haven't already.

meepmeep commented 3 years ago

Great solution :)

ryanlelek commented 3 years ago

Ok, I'll have it done by end of day.
New release version will be required.

ryanlelek commented 3 years ago

Submitted for your review