Default to serving API only on loopback interface #432

Closed

@mhansen
mhansen commented Nov 20, 2016

Before, hledger-api was binding on *4 (any IPv4 address), so anyone on the local network could access the API and the files it was serving.

Switch this to only listening on the loopback interface, so only the local machine can request the data (more secure-by-default). You can still put it behind a reverse proxy if you want to expose it.

We can discuss whether there should be another command line argument for host, if you like? I'm easy - just lean away from command line arguments unless we have a use case for them, and I'm not sure we do here yet?
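An added example, not code from this pull request or from the hledger project: a small Python audit that parses constructed `ss -ltnp`-style lines and reports listeners bound to an any-address or other non-loopback address, the exposure the description above is about. The process names, PIDs and ports in the sample are placeholders, not hledger's real defaults.

```python
"""Flag listening TCP sockets that are reachable from beyond the local host.

Constructed example (not part of hledger): the input imitates `ss -ltnp`
output; PIDs, ports and process names are placeholders.
"""
import ipaddress
import re

# Constructed sample resembling `ss -ltnp` output (placeholder values).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8001        0.0.0.0:*         users:(("hledger-api",pid=1234,fd=3))
LISTEN 0      128    127.0.0.1:5000      0.0.0.0:*         users:(("hledger-web",pid=1235,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=42,fd=4))
LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=77,fd=5))
"""

_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+\s*(.*)$")
_PROC = re.compile(r'\(\("([^"]+)"')


def exposure(local_addr: str) -> str:
    """Classify a local address: 'loopback', 'any' (all interfaces) or 'specific'."""
    host = local_addr.strip("[]")
    if host == "*":
        return "any"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:          # 127.0.0.1 / ::1: only this machine can connect
        return "loopback"
    if ip.is_unspecified:       # 0.0.0.0 / ::: every interface, like Warp's "*4" / "*"
        return "any"
    return "specific"           # one interface address, still network-reachable


def audit_listeners(ss_output: str) -> list[tuple[str, str, str]]:
    """Return (process, addr:port, exposure) for each listener not confined to loopback."""
    findings = []
    for line in ss_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue            # header or non-LISTEN line
        addr, port, proc_field = m.groups()
        kind = exposure(addr)
        if kind == "loopback":
            continue
        pm = _PROC.search(proc_field)
        findings.append((pm.group(1) if pm else "?", f"{addr}:{port}", kind))
    return findings


if __name__ == "__main__":
    for proc, where, kind in audit_listeners(SAMPLE_SS):
        print(f"{proc:12} {where:20} bound to {kind} address")
```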

@mhansen mhansen Default to serving API only on loopback interface
Before, hledger-api was binding on *4 (any IPv4 address), so anyone on the local network could access the API and the files it was serving.

Switch this to only listening on the loopback interface, so only the local machine can request the data (more secure-by-default). You can still put it behind a reverse proxy if you want to expose it.
dc47b92
@simonmichael
Owner

Thanks. Any comments on #429 which goes the other way (to make Docker work) ? I guess -web and -api should be consistent.

@simonmichael
Owner

Adding a --host option would be easy and I think it's probably a good idea.

@simonmichael
Owner

Let's discuss more on #429..

@simonmichael simonmichael added a commit that closed this pull request Nov 21, 2016
@simonmichael api: serve on 127.0.0.1 by default, add --host (fixes #432)
Consistent with hledger-web now: serves only local requests by default,
uses --host to change this.
b8d1698
@simonmichael
Owner

That should take care of it, thanks for the report.

@mhansen
mhansen commented Nov 22, 2016

Thanks very much Simon, I appreciate this (and all your work on hledger!).


@mstksg mstksg added a commit to mstksg/hledger that referenced this pull request Feb 3, 2017
@simonmichael @mstksg + mstksg api: serve on 127.0.0.1 by default, add --host (fixes #432)
Consistent with hledger-web now: serves only local requests by default,
uses --host to change this.
b3305b1