is there a way to ask keter to bind only to the loopback interface? #183

Open
mwotton opened this issue May 18, 2018 · 3 comments
Comments

@mwotton
Contributor

mwotton commented May 18, 2018

obviously this could be solved at the firewall level too, but you know. defense in depth and all that.

@creichert
Collaborator

I honestly have no idea, did you end up trying any configurations? Anything that worked?

@mwotton
Contributor Author

mwotton commented Jun 21, 2018

no, there didn't seem to be anything accessible - i just blocked it at the firewall level eventually.

looking at it now, it looks like Keter mixes up the idea of the host that it answers queries for, and the interface that gets bound:

reverseProxy :: Bool
             -> Int -> Manager -> HostLookup -> ListeningPort -> IO ()
reverseProxy useHeader timeBound manager hostLookup listener =
    run $ gzip def{gzipFiles = GzipPreCompressed GzipIgnore} $ withClient isSecure useHeader timeBound manager hostLookup
  where
    warp host port = Warp.setHost host $ Warp.setPort port Warp.defaultSettings
    (run, isSecure) =
        case listener of
            LPInsecure host port -> (Warp.runSettings (warp host port), False)
            LPSecure host port cert chainCerts key -> (WarpTLS.runTLS
                (connectClientCertificates hostLookup $ WarpTLS.tlsSettingsChain
                    cert
                    (V.toList chainCerts)
                    key)
                (warp host port), True)

you'd want to be able to set warp's host argument to just 127.0.0.1, but still be able to tell keter "i'm reserving hostname awesomesite.com"

@tolysz
Contributor

tolysz commented Feb 19, 2019

A bit confusing; there are 2 different answers:

  1. You only would like to access keter via the localhost IP:
    edit the global keter-config.yaml
root: ..

# Keter can listen on multiple ports for incoming connections. These ports can
# have HTTPS either enabled or disabled.
listeners:
    # HTTP
    - host: "127.0.0.1" # Listen on the IPv4 loopback address only
      port: 80 # Could be used to modify port
    # HTTPS
    - host: "127.0.0.1"
      port: 443
      key: s.ko.sx/privkey.pem
      certificate: s.ko.sx/cert.pem
      chain-certificates:
        - s.ko.sx/chain.pem
      session: true
  2. You would like to "export" an app binding to the loop-back (you need Modernize keter #195), in keter.yaml:
    Assuming the app on port 3000 is an HTTP app
stanzas:
  - type: reverse-proxy
    reversed-host: 127.0.0.1
    reversed-port: 3000
    reversed-ssl: false
    reversing-host: dev.io.sx
    ssl:
        key: /opt/keter/etc/dev.io.sx/privkey.pem
        certificate: /opt/keter/etc/dev.io.sx/cert.pem
        chain-certificates:
        - /opt/keter/etc/dev.io.sx/chain.pem
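
Once the listeners are set to "127.0.0.1" as in the keter-config.yaml above, the thing worth confirming on the host is that keter's ports really are bound to loopback and not to a wildcard address. The shell function below is an added example, not part of keter or of this thread: it reads lines in the format `ss -Hltn` prints (the `Local Address:Port` column is the fourth field) and reports any listener on the given ports whose address is not 127.0.0.1 or [::1]; the sample input is constructed.

```shell
#!/bin/sh
# loopback_only PORT... : read `ss -Hltn` output on stdin, print every
# listener on one of PORT... that is not bound to loopback, exit 1 if any.
# Usage on a real host:  ss -Hltn | loopback_only 80 443
loopback_only() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        {
            la = $4                          # e.g. 0.0.0.0:80, [::1]:443, *:80
            port = la; sub(/.*:/, "", port)  # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)
            if (!(port in want)) next        # not one of keter'"'"'s listeners
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print "non-loopback listener: " la
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample in `ss -Hltn` format: keter on 80/443 via loopback,
# plus the app on 3000 also on loopback (assumed layout, not captured output).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 [::1]:443 [::]:*
LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*'

# check_sample: run the check over the constructed sample; returns 0 when clean.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | loopback_only 80 443
}
```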
