snoyberg / keter

Web app deployment manager
MIT License
260 stars 71 forks

is there a way to ask keter to bind only to the loopback interface? #183

Open mwotton opened 6 years ago

mwotton commented 6 years ago

Obviously this could be solved at the firewall level too, but you know, defense in depth and all that.

creichert commented 6 years ago

I honestly have no idea, did you end up trying any configurations? Anything that worked?

mwotton commented 6 years ago

No, there didn't seem to be anything accessible; I just blocked it at the firewall level eventually.

Looking at it now, it looks like Keter mixes up the idea of the host that it answers queries for and the interface that gets bound:

reverseProxy :: Bool
             -> Int -> Manager -> HostLookup -> ListeningPort -> IO ()
reverseProxy useHeader timeBound manager hostLookup listener =
    run $ gzip def{gzipFiles = GzipPreCompressed GzipIgnore} $ withClient isSecure useHeader timeBound manager hostLookup
  where
    warp host port = Warp.setHost host $ Warp.setPort port Warp.defaultSettings
    (run, isSecure) =
        case listener of
            LPInsecure host port -> (Warp.runSettings (warp host port), False)
            LPSecure host port cert chainCerts key -> (WarpTLS.runTLS
                (connectClientCertificates hostLookup $ WarpTLS.tlsSettingsChain
                    cert
                    (V.toList chainCerts)
                    key)
                (warp host port), True)

You'd want to be able to set Warp's host argument to just 127.0.0.1, but still be able to tell Keter "I'm reserving hostname awesomesite.com".

tolysz commented 5 years ago

A bit confusing, as there are two different answers: 1) You would only like to access keter via the localhost IP: edit the global keter-config.yaml

root: ..

# Keter can listen on multiple ports for incoming connections. These ports can
# have HTTPS either enabled or disabled.
listeners:
    # HTTP
    - host: "127.0.0.1" # Loopback only; the shipped default "*4" listens on all IPv4 interfaces
      port: 80 # Could be used to modify port
    # HTTPS
    - host: "127.0.0.1"
      port: 443
      key: s.ko.sx/privkey.pem
      certificate: s.ko.sx/cert.pem
      chain-certificates:
        - s.ko.sx/chain.pem
      session: true

2) You would like to "export" an app bound to the loopback (you need https://github.com/snoyberg/keter/pull/195). keter.yaml, assuming the app on port 3000 is an HTTP app:

stanzas:
  - type: reverse-proxy
    reversed-host: 127.0.0.1
    reversed-port: 3000
    reversed-ssl: false
    reversing-host: dev.io.sx
    ssl:
        key: /opt/keter/etc/dev.io.sx/privkey.pem
        certificate: /opt/keter/etc/dev.io.sx/cert.pem
        chain-certificates:
        - /opt/keter/etc/dev.io.sx/chain.pem
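A check a practitioner would want after applying either of the configurations above, written as an added example for this thread (it is not code from keter or from either commenter). It classifies each listener's `host` the way Warp's HostPreference does: the wildcards `"*"`, `"*4"`, `"!4"`, `"*6"` and `"!6"` bind every interface of that family, a literal address binds only that address, and a bare hostname is resolved at bind time and so needs manual review. It then parses `ss -ltn` output to confirm what the running process actually bound, because the config is only half the story. The listener list, the `ss` lines and the port set are constructed for the example.

```python
"""Audit keter listeners for exposure beyond the loopback interface.

Added example for the keter issue thread; not keter's own code.
"""
import ipaddress
import re

# Warp / streaming-commons HostPreference wildcards. Every one of these binds
# all interfaces of the named address family, so none is loopback-only.
WILDCARD_HOSTS = {"*", "*4", "!4", "*6", "!6"}


def classify_host(host: str) -> str:
    """Return 'wildcard', 'loopback', 'external' or 'hostname' for a listener host."""
    if host in WILDCARD_HOSTS:
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A bare name such as "awesomesite.com" is resolved when the socket is
        # bound; what it binds depends on DNS, so flag it for review.
        return "hostname"
    return "loopback" if addr.is_loopback else "external"


def audit_listeners(listeners):
    """Return (port, host, verdict) for every listener not confined to loopback.

    A listener with no host is treated as a wildcard (conservative assumption:
    keter's shipped config uses "*4" and the default cannot be loopback-only).
    """
    findings = []
    for listener in listeners:
        host = str(listener.get("host", "*"))
        port = int(listener["port"])
        verdict = classify_host(host)
        if verdict != "loopback":
            findings.append((port, host, verdict))
    return findings


# `ss -ltn` rows look like: "LISTEN 0 4096 127.0.0.1:80 0.0.0.0:*".
# The local address may be an IPv4 literal, a bracketed IPv6 literal, "*" or
# "0.0.0.0"; the greedy group backtracks so "[::]:22" splits at the last colon.
SS_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)(?:\s|$)")


def exposed_sockets(ss_output: str, ports):
    """Return (local_addr, port) for listening sockets on `ports` that are bound
    to anything other than a loopback address."""
    exposed = []
    for raw in ss_output.splitlines():
        match = SS_ROW.match(raw.strip())
        if not match:
            continue  # header line or non-LISTEN row
        addr, port = match.group(1), int(match.group(2))
        if port not in ports:
            continue
        if addr in ("*", "0.0.0.0", "[::]", "::"):
            exposed.append((addr, port))
            continue
        if not ipaddress.ip_address(addr.strip("[]")).is_loopback:
            exposed.append((addr, port))
    return exposed


# Constructed sample data: a listeners block as keter-config.yaml would yield
# once parsed, and a captured `ss -ltn` listing. Neither comes from a real host.
LISTENERS = [
    {"host": "127.0.0.1", "port": 80},
    {"host": "*4", "port": 443, "key": "privkey.pem", "certificate": "cert.pem"},
    {"host": "awesomesite.com", "port": 8080},
]

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:80        0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::1]:3000          [::]:*
LISTEN 0      128    [::]:22             [::]:*
"""

KETER_PORTS = {80, 443, 3000}  # assumed: keter listeners plus the proxied app


if __name__ == "__main__":
    for port, host, verdict in audit_listeners(LISTENERS):
        print(f"config: port {port} host {host!r} is {verdict}, not loopback-only")
    for addr, port in exposed_sockets(SS_SAMPLE, KETER_PORTS):
        print(f"runtime: {addr}:{port} is bound beyond loopback")
```

Run the config audit against the parsed `listeners:` list (PyYAML's `safe_load` of keter-config.yaml gives exactly this shape) and feed the socket check the real output of `ss -ltn`. Port 22 in the sample is deliberately ignored: the check only reports ports you told it belong to keter or the proxied app, so sshd does not show up as a false positive.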