Add notice on server boot if binding to 0.0.0.0 #10755
I'm not sure if someone will read this notice.
I would prefer to actually change it to 127.0.0.1 over printing this kind of warning.
Absolutely, and @NZKoz would be good as well.
👍 to changing the default to 127.0.0.1
👍 as well.
In terms of a message, I agree with @rafaelfranca, no one will see that. Security-wise I can understand the desire for the defaults, but if you're spending time in coffee shops and don't have your firewall enabled you have much bigger problems. Binding to 127.0.0.1 would make some workflows more annoying, though on the whole it would be easy enough to work around. You'd probably want to bind to ::1 for IPv6 nerds too, not sure if that will cause errors.
Most people who start a basic single instance mongrel, especially for the first time, will see the message, in my opinion. More advanced configurations such as running in the background may hide the message, but it's the basic users who would benefit most from the warning. If you do switch to binding by default, there has to be a switch like
I remember we tried this once many years ago and it was annoying for some reason. I don't remember what the problem was though. I think a notice is a good place to start. It's highly visible when you start the webrick server as you will see the output straight in that terminal.
Fine. Let's start with the notice.
Add notice on server boot if binding to 0.0.0.0
My colleagues and I spend a lot of our dev time in coffee shops and on public wi-fi. Lightly call attention to a fairly obvious security hole per http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/
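
Added example, not part of this pull request or of Rails' own code: one way to decide at boot whether a bind address exposes the server on every interface, covering the IPv6 wildcard `::` and IPv4-mapped forms alongside the `0.0.0.0` case discussed above. The helper names `bind_exposure` and `boot_notice`, the notice wording and the sample hosts are assumptions made for illustration.

```ruby
require "ipaddr"

# Hypothetical helper: classify the address a development server will bind to.
def bind_exposure(host)
  ip = IPAddr.new(host)
  ip = ip.native if ip.ipv4_mapped?        # ::ffff:0.0.0.0 -> 0.0.0.0
  return :all_interfaces if ip.to_i.zero?  # 0.0.0.0 or :: (wildcard)
  return :loopback if ip.loopback?         # 127.0.0.0/8 or ::1
  :specific_interface
rescue IPAddr::InvalidAddressError
  # Host names are not resolved here; only the conventional loopback name
  # is treated as known.
  host == "localhost" ? :loopback : :unknown
end

# Hypothetical helper: returns the notice to print at boot, or nil when the
# bind address is not reachable from other machines by design.
# The wording is constructed for this example.
def boot_notice(host, port)
  case bind_exposure(host)
  when :all_interfaces
    "Notice: server is listening on all interfaces (#{host}:#{port}). " \
      "Consider using 127.0.0.1 or ::1 (--binding option)."
  when :unknown
    "Notice: could not classify bind address #{host.inspect}; " \
      "check which interfaces it resolves to."
  end
end

# Constructed sample inputs.
%w[0.0.0.0 :: ::ffff:0.0.0.0 127.0.0.1 ::1 192.168.1.10 localhost].each do |h|
  puts format("%-16s %-20s %s", h, bind_exposure(h), boot_notice(h, 3000) || "-")
end
```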