
Prevent access to Fauxton on node-local port (5986) #1199

Merged
merged 2 commits into from Mar 6, 2018

Conversation

wohali
Member

@wohali wohali commented Mar 3, 2018

Will help stop people shooting themselves in the foot and/or using
node-local CouchDB as their "main" CouchDB port.

I'll file a separate docs repo PR on this once this merges.

Test results:

$ curl -v http://localhost:15986/_utils
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 15986 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 15986 (#0)
> GET /_utils HTTP/1.1
> Host: localhost:15986
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 410 Gone
< Cache-Control: must-revalidate
< Content-Length: 110
< Content-Type: application/json
< Date: Sat, 03 Mar 2018 00:45:22 GMT
< Server: CouchDB/2.2.0-51cb6aecc (Erlang OTP/19)
<
{"error":"no_node_local_fauxton","reason":"The web interface is no longer available on the node-local port."}

Closes #1198
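An added audit helper (not part of this PR or of CouchDB) that encodes the behaviour shown in the curl transcript above: after this change, GET /_utils on the node-local port should answer 410 Gone with the no_node_local_fauxton JSON error, while a 200 HTML page means Fauxton is still exposed there. It assumes the default node-local port 5986 on loopback; the classification is separated from the HTTP call so it can be checked offline.

```python
"""Audit helper: confirm Fauxton is no longer served on CouchDB's node-local port."""
import json
import urllib.error
import urllib.request

# Error code taken from the 410 response body in the PR's test transcript.
EXPECTED_ERROR = "no_node_local_fauxton"


def classify_utils_response(status, content_type, body):
    """Classify a GET /_utils response from the node-local port.

    Returns one of:
      "disabled" - 410 with the no_node_local_fauxton JSON error (post-fix behaviour)
      "exposed"  - Fauxton HTML is still being served (pre-fix behaviour)
      "other"    - anything else; worth a manual look
    """
    if status == 410 and content_type.startswith("application/json"):
        try:
            error = json.loads(body).get("error")
        except (ValueError, AttributeError):
            return "other"  # not a JSON object, so not the expected error document
        return "disabled" if error == EXPECTED_ERROR else "other"
    if status == 200 and content_type.startswith("text/html"):
        return "exposed"
    return "other"


def fetch_utils(base_url, timeout=5):
    """GET base_url/_utils; return (status, content_type, body) or None if unreachable."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_utils", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # urllib raises for non-2xx statuses such as 410, but the response is still readable
        return e.code, e.headers.get("Content-Type", ""), e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def audit(node_local_url="http://127.0.0.1:5986"):
    """Return "closed", "disabled", "exposed" or "other" for the node-local port (assumed 5986)."""
    result = fetch_utils(node_local_url)
    if result is None:
        return "closed"  # nothing listening or not reachable from this host
    return classify_utils_response(*result)


if __name__ == "__main__":
    print(audit())
```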

handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
throw({forbidden, <<"The Fauxton interface is no longer available on the node-local port.">>}).
Contributor


This should be indented one space further in, e.g. 4 spaces instead of 3.

@chewbranca
Contributor

+0.5 from me (after the WS nit). The approach seems fine, but I don't have strong enough opinions on removal of Fauxton from :5986 to give it a full +1, so it would be good to get some more feedback.

Member

@janl janl left a comment


I like this. How about printing a link to the cluster port URL? So users who make the mistake are a click away from where they want to be. I'd not suggest to redirect automatically, though, so users see what they got "wrong".

@rnewson
Member

rnewson commented Mar 3, 2018

Losing the CSP tests seems a bit unfortunate.

@wohali
Member Author

wohali commented Mar 3, 2018

These were only testing CSP on the node-local port anyway. I can port them to chttpd; give me a day or two.

@wohali
Member Author

wohali commented Mar 5, 2018

@janl Hm, if we bind chttpd to 0.0.0.0 it could be tricky to determine the right IP address to choose; 127.0.0.1 might not be visible if they are coming from outside (and have mistakenly bound httpd to 0.0.0.0 as well). It'd sure be a nice-to-have, though.

@wohali
Member Author

wohali commented Mar 5, 2018

@rnewson I've moved the CSP tests over to chttpd, where they should be anyway, and of course they pass with flying colours because we are awesome. :)

@janl
Member

janl commented Mar 6, 2018

@wohali good call, with a load balancer it gets even worse.

@janl janl merged commit 3bd033b into master Mar 6, 2018
@janl janl deleted the 1198-no-5986-fauxton branch March 6, 2018 12:01