Limit ingestion to the specific port doesn't work #1567

Closed
alishchytovych opened this issue May 6, 2022 · 3 comments

alishchytovych commented May 6, 2022

Using SEQ (seq:latest) in Kubernetes, with the container settings:

```yaml
env:
  - name: "ACCEPT_EULA"
    value: "Y"
  - name: "SEQ_CACHE_SYSTEMRAMTARGET"
    value: "0.6"
  - name: "SEQ_API_INGESTIONPORTS"
    value: "5341"
  - name: "SEQ_API_LISTENURIS"
    value: "http://0.0.0.0:5000, http://0.0.0.0:5341"
```

allows event ingestion on port 5000.

In the diagnostic report I see the following:

```
====================
10. Server Configuration
--------------------
Instance Name                 : <null>
Base URI                      : http://0.0.0.0:5000
Canonical URI                 : <null>
Listen URIs                   : http://0.0.0.0:5000, http://0.0.0.0:5341
Ingestion Ports               : 5341
Using SQL Metastore           : No
Using PostgreSQL Metastore    : No
Indexer Priority              : 0.0
Query Parallelism             : 4
Disk Reader Limit             : 5
Enabled Features              :
```

Expected result: port 5000 should not accept any ingestion (provide UI only).
Actual result: Serilog successfully posts events to SEQ via port 5000.

@nblumhardt
Member

Hi @alishchytovych - thanks for the note!

This is by design; the ingestion port restriction sets the specified port to ingestion only, e.g. so that it can be exposed to a less-secure environment without also exposing Seq's UI and API.

There's currently no support for preventing ingestion on a port that otherwise exposes the UI/API; let me know if you have a scenario where this would be desirable.

HTH!

@nblumhardt nblumhardt added discussion and removed bug labels May 6, 2022
@alishchytovych
Author

@nblumhardt thank you for the explanation. I thought to use it in the opposite manner - make unprotected ingress port available in the protected network, so all the apps can post events without any authorization overhead, and make UI+login available to the public. So public endpoint shouldn't accept any events.

@nblumhardt
Member

@alishchytovych to implement that scheme, you can simply remove the Ingest permission from the ones allowed to your limited UI users (Settings > Users > Edit). Let me know if this helps.
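
Added example (not part of the thread and not Seq's own code): a small Python check that models the behaviour described in the maintainer's replies, where ports listed in `SEQ_API_INGESTIONPORTS` become ingestion-only and every other port in `SEQ_API_LISTENURIS` keeps UI, API and ingestion. The function names and finding messages are hypothetical, and the unbound-port finding is an added sanity check rather than something the thread describes.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
FULL = frozenset({"ui", "api", "ingestion"})   # any port not listed as an ingestion port
INGEST_ONLY = frozenset({"ingestion"})         # a port listed in SEQ_API_INGESTIONPORTS


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def listen_ports(listen_uris):
    """Ports bound by SEQ_API_LISTENURIS, in order, without duplicates."""
    ports = []
    for uri in _csv(listen_uris):
        parts = urlsplit(uri)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if port is None:
            raise ValueError(f"cannot determine port for {uri!r}")
        if port not in ports:
            ports.append(port)
    return ports


def exposure(listen_uris, ingestion_ports):
    """Map each listening port to the surfaces it serves."""
    restricted = {int(p) for p in _csv(ingestion_ports)}
    return {p: INGEST_ONLY if p in restricted else FULL for p in listen_ports(listen_uris)}


def findings(listen_uris, ingestion_ports):
    """Flag settings whose effect differs from a 'UI-only port' expectation."""
    restricted = {int(p) for p in _csv(ingestion_ports)}
    surfaces = exposure(listen_uris, ingestion_ports)
    notes = [f"port {p}: serves UI/API and still accepts ingestion"
             for p, s in surfaces.items() if restricted and s == FULL]
    notes += [f"port {p}: ingestion port with no listen URI bound to it"
              for p in sorted(restricted - set(surfaces))]
    return notes


if __name__ == "__main__":
    # Values taken from the issue's container settings.
    uris, ports = "http://0.0.0.0:5000, http://0.0.0.0:5341", "5341"
    for port, surface in exposure(uris, ports).items():
        print(port, sorted(surface))
    print(findings(uris, ports))
```

With the issue's settings this reports port 5341 as ingestion-only and flags port 5000 as serving the UI/API while still accepting events, which matches the behaviour the reporter observed.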
