The loopback address is a good idea for allowing communication locally,
with software that can't use Unix sockets, like Java.
------------------------------
✉ Eduard Martinescu <emartinescu@salsalabs.com> | ✆ (585) 708-9685 |
http://www.salsalabs.com/ - ignite action. fuel change.
On Mon, Sep 21, 2015 at 6:34 PM, Thrawn <shell_layer-github@yahoo.com.au>
wrote:
> > Does this mean that the TCP port is dangerous, or that the multiple
> > instances of the socket are dangerous?
> > What is the danger with it?
>
> I believe the danger is that it may be externally visible, allowing outsiders to start and stop your servers, add new backends and redirect traffic to them, etc...
>
> It should be safe enough if the socket only listens on the loopback address, but in that case, you may as well use Unix sockets. Otherwise, make sure that you have strong authentication on the socket, a good firewall, and a trusted network - and ask yourself whether you really need it.
>
> In some cases, it may be feasible to listen on the loopback address and access it via an SSH tunnel.
>
>
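As an added example (not from this thread), a small audit script that applies the advice above: it parses /proc/net/tcp-style data and reports every listening TCP socket that is not bound to the loopback address. The sample lines are constructed; on a live host you would pass the real contents of /proc/net/tcp.

```python
"""Flag TCP listeners that are reachable from outside the host.

Added example (not from the thread): reads /proc/net/tcp-style lines and
reports every socket in LISTEN state whose local address is not loopback.
On a live host pass open("/proc/net/tcp").read(); the sample below is
constructed for illustration.
"""
import ipaddress
import socket
import struct

TCP_LISTEN = "0A"  # value of the 'st' column for LISTEN in /proc/net/tcp

# Constructed sample: a management port on loopback (fine), the same kind of
# port bound to all interfaces (exposed), and an established connection (ignored).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2382 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""


def parse_addr(field):
    """Decode 'AABBCCDD:PPPP' (IPv4 in kernel host byte order, port in hex)."""
    ip_hex, port_hex = field.split(":")
    # Assumes a little-endian host (x86/ARM), which is how the kernel prints it there.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_tcp_text):
    """Return [(ip, port)] for every socket in LISTEN state, in file order."""
    found = []
    for line in proc_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) > 3 and cols[3] == TCP_LISTEN:
            found.append(parse_addr(cols[1]))
    return found


def exposed_listeners(proc_tcp_text):
    """Listeners not bound to 127.0.0.0/8; 0.0.0.0 (all interfaces) counts as exposed."""
    return [(ip, port) for ip, port in listeners(proc_tcp_text)
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"WARNING: port {port} listens on {ip} and is reachable from the network")
```

A listener bound to 127.0.0.1 can still be reached over an SSH tunnel, as the reply notes, so a clean report from this check does not remove the need for authentication on the socket itself.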