feat: add listen ip parameter to components that have socket and set 127.0.0.1 as default
The current implementation has no bind IP address parameter, so OpenEMS listens on 0.0.0.0 (all interfaces of the computer). This will be a problem in use cases where it runs on a global network that can be accessed by anyone. Because some components don't provide authentication/authorization/encryption, if these components are used without an IP firewall on a global network, a vulnerable endpoint will be exposed.
Therefore this PR introduces a bind IP address parameter to these components and provides an option for the listening interface.
Today, HTTP/TLS has become a very complex protocol, so implementing it on the application side itself is very, very difficult. In almost all cases, an HTTP/TLS server on a global network is provided by a combination of an application and a reverse proxy server (like apache, nginx). This PR mainly targets listening on localhost in the application and listening on 0.0.0.0 in the reverse proxy.
Co-Author: @cvabc, chatgpt codex
Codecov Report
:x: Patch coverage is 48.00000% with 13 lines in your changes missing coverage. Please review.
:x: Your patch check has failed because the patch coverage (48.00%) is below the target coverage (75.00%). You can increase the patch coverage or adjust the target coverage.
Additional details and impacted files
@@ Coverage Diff @@
## develop #3431 +/- ##
=============================================
- Coverage 59.78% 59.75% -0.03%
Complexity 112 112
=============================================
Files 2870 2870
Lines 124042 124045 +3
Branches 9298 9298
=============================================
- Hits 74152 74113 -39
- Misses 47097 47151 +54
+ Partials 2793 2781 -12
Hi @miettal, Thanks for your PR.
You are correct that binding to localhost and running behind a reverse proxy with HTTPS is safer. However, defaulting to this setting now will break existing setups.
Using 127.0.0.1 as the default for backend components seems appropriate, but for edge components, I would keep 0.0.0.0 as the default to maintain compatibility with systems that currently run without a reverse proxy.