
Add an explicit security warning about inet_http_server.

References #1245
mnaberez committed Jun 5, 2019
1 parent 628b6d0 commit 4e334d9cf2a1daff685893e35e72398437df3dcb
Showing with 25 additions and 1 deletion.
  1. +15 −1 docs/configuration.rst
  2. +10 −0 supervisor/skel/sample.conf
@@ -157,6 +157,19 @@ inserted. If the configuration file has no ``[inet_http_server]``
section, an inet HTTP server will not be started. The allowable
configuration values are as follows.

.. warning::

The inet HTTP server is not enabled by default. If you choose to enable it,
please read the following security warning. The inet HTTP server is intended
for use within a trusted environment only. It should only be bound to localhost
or only accessible from within an isolated, trusted network. The inet HTTP server
does not support any form of encryption. The inet HTTP server does not use
authentication by default (see the ``username=`` and ``password=`` options).
The inet HTTP server can be controlled remotely from :program:`supervisorctl`.
It also serves a web interface that allows subprocesses to be started or stopped,
and subprocess logs to be viewed. **Never expose the inet HTTP server to the
public internet.**

``[inet_http_server]`` Section Values
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

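Review bot: The warning should state explicitly that the ``username=`` / ``password=`` options do not make the server safe to expose, since the same paragraph says the inet HTTP server supports no encryption; as written, a reader may take "see the ``username=`` and ``password=`` options" as the remedy, when credentials set there are sent in the clear over plain HTTP and only the localhost / isolated-network binding advice actually limits the risk. A sentence such as "Enabling ``username=`` and ``password=`` does not remove the need to restrict access to a trusted network, because the credentials are transmitted unencrypted." after the authentication sentence would close that gap. As a style point, nearly every sentence in the directive body begins with "The inet HTTP server"; merging the encryption and authentication sentences into one would read better without changing the content.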
@@ -166,7 +179,8 @@ configuration values are as follows.
supervisor will listen for HTTP/XML-RPC requests.
:program:`supervisorctl` will use XML-RPC to communicate with
:program:`supervisord` over this port. To listen on all interfaces
in the machine, use ``:9001`` or ``*:9001``.
in the machine, use ``:9001`` or ``*:9001``. Please read the security
warning above.

*Default*: No default.

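Review bot: "Please read the security warning above." is a bare positional reference; if the warning is later moved or the ``port`` entry is read in isolation (for example via a search landing on this option), "above" no longer points anywhere. Since the docs already use Sphinx roles (``:program:``), consider adding a label before the ``.. warning::`` directive (e.g. ``.. _inet_http_server_warning:``) and referencing it here with ``:ref:`` so the sentence links to the warning directly.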
@@ -11,6 +11,16 @@
; - Comments must have a leading space: "a=b ;comment" not "a=b;comment".
; - Command will be truncated if it looks like a config file comment, e.g.
; "command=bash -c 'foo ; bar'" will truncate to "command=bash -c 'foo ".
;
; Security Warning:
; The inet HTTP server is not enabled by default. The inet HTTP server is
; enabled by uncommenting the [inet_http_server] section below. The inet
; HTTP server is intended for use within a trusted environment only. It
; should only be bound to localhost or only accessible from within an
; isolated, trusted network. The inet HTTP server does not support any
; form of encryption. The inet HTTP server does not use authentication
; by default (see the username= and password= options to add authentication).
; Never expose the inet HTTP server to the public internet.

[unix_http_server]
file=/tmp/supervisor.sock ; the path to the socket file

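Review bot: The sample.conf comment omits two points that the docs/configuration.rst warning in this same commit includes: that the inet HTTP server can be controlled remotely from supervisorctl, and that it serves a web interface from which subprocesses can be started or stopped and their logs viewed. Administrators who only ever see the sample configuration get a weaker picture of what an exposed port grants, so the two texts should say the same thing; adding those two sentences after "Never expose the inet HTTP server to the public internet." (or just before it) would keep them in sync. Also worth a mention here, as in the docs, that the username= and password= options do not add encryption, so they are not a substitute for binding to localhost or an isolated network.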