Make RethinkDB listen on localhost by default and add an option to listen on another network interface. #28
Comments
I agree. It's probably not so much of a problem on a production system, where you can easily set up a firewall. But it is a problem on developer machines. Having to set up and administer a firewall on a personal computer is a pain, and really shouldn't be required. For example I must be careful to not have it running on my private notebook when I'm at university, or using my 3G to connect to the Internet etc. I'm also not sure if this could be a problem for inclusion into e.g. Debian, which has a "secure by default configuration" policy. I haven't checked how strongly this is enforced though.
Temporarily moving to backlog -- there are more pressing issues to work out first.
Update (according to @Tryneus) -- "well, issue 28 is code complete and (almost) compiling, testing tomorrow!"
Also, I'd like to review what configuration looks like, I think good user experience for this is very important.
Well, the current state is that there is a new network option: [--local-address ('all', 'loopback', )] 'all' - listen on all found local addresses This option can be specified multiple times. If not specified at all, it will default to 'all'.
Hmm, calling this flag --local-address doesn't tell me much about what it's used for. Could we call it --listen instead? Also isn't one of the points of this issue that it should default to loopback only?
Agree on defaulting to loopback. I also think We also need to integrate this with frank's startup/config scripts.
afair Apache calls it
Hmm,
Oh, sorry, it actually already is --listen-address, is that ok? Also, I'll change it to default to loopback only. The other option would be to make this a required flag, but I think that would be too cumbersome for the quickstart.
Yeah I think listen-address is fine. Required flag seems bad to me too. We should definitely print something at startup about only listening on localhost so people don't get confused.
Right, that's on the TODO list for this issue as well. Basically, we'll just print out which addresses we're going to be listening on, right at startup.
I'll chime in too. I think "listen" is pretty clear, and "bind" even more so. I strongly suggest that this flag is optional and defaults to localhost, as that's where other services bind (redis, postgres, etc) by default. It would be unexpected to bind to anything other than localhost, at least for me. I hope this helps.
Sorry, I think
I agree with the above, mainly because the "address" part is misleading, as someone might think it implies a port. I think listen-interface or bind-interface are clearer. In my opinion, people are accustomed to all of the above and will understand what they mean, though, so I don't feel very strongly about any of the alternatives, they all sound acceptable to me.
Ok, so here's how it stands at the moment:
The code is done and working in my branch, just awaiting code review now.
So what happens if I start a machine |
I consider that user error, @jdoliner, and we can't cover every nonsensical setup a user may come up with. In this case, it will likely work, because machine
Fair enough.
Before we close this bug, if the user starts with default settings, could we add a log message that says something like "Listening only on localhost for security, use bind=all to access the server on other network interfaces"? The user experience can be very annoying and confusing without it.
So, I currently have it logging which IP addresses it's listening on at startup: By default:
Or with
I suppose I could have it reference the
As for closing this, I've taken care of all the code review comments, but it isn't in
I like your proposal to reference
Ok, this is finally in as of commit 0b584ea, closing.
Most (all?) server applications listen to localhost only by default, for security. Most people will be expecting that, and will have a security hole when their RethinkDB instance is open to the entire web.
It would be much better to do the expected thing and have it listen to localhost, with an option to change that.
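
The behaviour settled on in this thread (a repeatable option accepting 'all', 'loopback' or a specific address, defaulting to loopback, with a startup line naming the listen addresses), sketched as an added example that is not part of the original issue and not RethinkDB's code. The function names, message wording and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: addresses a host might report for its interfaces.
SAMPLE_LOCAL_ADDRESSES = ["127.0.0.1", "::1", "192.168.1.23", "10.8.0.5"]


def resolve_listen_addresses(specs, local_addresses):
    """Turn repeated option values into the sorted list of listen addresses.

    specs: values given on the command line ('all', 'loopback', or an IP).
    An empty list means the option was not given: default to loopback only.
    (Hypothetical helper, not the project's API.)
    """
    local = [ipaddress.ip_address(a) for a in local_addresses]
    if not specs:
        specs = ["loopback"]
    chosen = set()
    for spec in specs:
        if spec == "all":
            chosen.update(local)
        elif spec == "loopback":
            chosen.update(a for a in local if a.is_loopback)
        else:
            addr = ipaddress.ip_address(spec)  # ValueError on malformed input
            if addr not in local:
                raise ValueError(f"{spec} is not an address of this machine")
            chosen.add(addr)
    # IPv4 before IPv6, then numeric order, so the startup line is stable.
    return sorted(chosen, key=lambda a: (a.version, int(a)))


def startup_message(addresses):
    """Log line naming every listen address, with a hint when loopback-only."""
    listed = ", ".join(str(a) for a in addresses)
    msg = f"Listening on addresses: {listed}"
    if all(a.is_loopback for a in addresses):
        msg += " (loopback only; other machines cannot connect)"
    return msg


if __name__ == "__main__":
    for specs in ([], ["192.168.1.23"], ["all"]):
        addrs = resolve_listen_addresses(specs, SAMPLE_LOCAL_ADDRESSES)
        print(specs or "(default)", "->", startup_message(addrs))
```

Rejecting an address the machine does not own makes a mistyped value fail at startup instead of silently leaving the server unreachable or bound somewhere unexpected.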