
How to integrate the panel with remote server?

Open rezadehganpour opened this issue 8 years ago • 10 comments

Is there a way that I can integrate the panel with my server that is running on an EC2 server (RHEL)?

rezadehganpour avatar Jan 01 '16 21:01 rezadehganpour

Yes would like to know this also! How does it work/will it work on a remote server?

dgobaud avatar May 12 '16 16:05 dgobaud

to the best of my knowledge it should work fine - what issues are you running into?

modosc avatar May 16 '16 21:05 modosc

Just don't see any data which makes sense. How is data sent to the rails panel?

dgobaud avatar May 16 '16 21:05 dgobaud

the meta_request gem stores traces locally keyed off of the request-id (see here).

when the rails_panel chrome extension sees an x-meta-request-version header in a response it constructs a request to the server to fetch the generated instrumentation (see here) and then renders it.

i don't see any reason this wouldn't work remotely unless your rails setup is behind some sort of complicated proxy/cache setup.

modosc avatar May 16 '16 21:05 modosc

I see - so I'm thinking two issues with this:

  1. No security - how to prevent third-parties from getting this data?
  2. What about multiple servers behind a load balancer?

dgobaud avatar May 16 '16 21:05 dgobaud

  1. You are correct, by default there's no access-control at all. an attacker would have to guess a uuid to find a valid trace so at least there's some security by obscurity. we should probably be more explicit about this (and the performance cost which is more of an issue imho) in the docs. at the very least we could print out warnings in the console when not in :development. rack-mini-profiler does a reasonable job of providing docs and api for these issues.
  2. Multiple servers won't really work correctly unless you either have some sort of connection pinning / sticky session configured or change the backend to write to a shared location (for reference, rack-mini-profiler supports redis and memcache which would solve this problem).

modosc avatar May 16 '16 21:05 modosc

  1. But the attacker can see the UUID on any request they make right? And then get info for that request?
  2. got it

dgobaud avatar May 16 '16 22:05 dgobaud

it would be great to be able to add ?rails-panel=PASSWORD param to any request and if it matches then it is turned on and you can get the data

dgobaud avatar May 16 '16 22:05 dgobaud

i see, an attacker could set that. i think the solution there is to support something like rack-mini-profiler's Rack::MiniProfiler.authorize_request

i'm going to update the docs and add a warning in the console as a first step.

modosc avatar May 16 '16 22:05 modosc
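
One way to implement the per-request authorization suggested in the comment above, as an added example that is not part of the thread or of meta_request's own code: a Rack middleware that answers 404 to trace fetches from unauthorized callers and drops the x-meta-request-version header from their responses. The trace path pattern, the X-Debug-Token header and every class and method name are assumptions made for illustration; the gate has to sit ahead of meta_request in the middleware stack.

```ruby
require "digest"

# Added example: access gate in front of the trace endpoint.
class TraceGate
  # Assumption: traces are served at a path of this shape; adjust to your setup.
  TRACE_PATH = %r{\A/__meta_request/[0-9a-f\-]+\.json\z}
  ADVERTISE_HEADER = "x-meta-request-version" # header named in the thread

  # authorize: callable(env) -> true/false, supplied by the application.
  def initialize(app, authorize:)
    @app = app
    @authorize = authorize
  end

  def call(env)
    allowed = @authorize.call(env) ? true : false
    if env["PATH_INFO"].to_s.match?(TRACE_PATH) && !allowed
      # Same answer as for an unknown path, so the endpoint is not confirmed.
      return [404, { "content-type" => "text/plain" }, ["Not Found"]]
    end
    status, headers, body = @app.call(env)
    # Do not advertise instrumentation to callers who may not fetch it.
    headers = headers.reject { |k, _| k.downcase == ADVERTISE_HEADER } unless allowed
    [status, headers, body]
  end
end

# Constant-time string comparison over fixed-length digests.
def secure_equal?(a, b)
  x = Digest::SHA256.digest(a.to_s).bytes
  y = Digest::SHA256.digest(b.to_s).bytes
  x.zip(y).reduce(0) { |acc, (m, n)| acc | (m ^ n) }.zero?
end

# Hypothetical policy: shared secret sent in an X-Debug-Token request header.
# An empty secret never authorizes anyone.
def token_policy(secret)
  ->(env) { !secret.to_s.empty? && secure_equal?(env["HTTP_X_DEBUG_TOKEN"], secret) }
end
```

The token policy is a stand-in: any per-request check the application already trusts (an admin session, a source address) can be passed as `authorize` instead.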

@modosc @dejan Any instructions on how to make it secure? Or ideally, a config option for password/token that the Chrome extension is required to pass to obtain the data?

Nowaker avatar Nov 13 '21 01:11 Nowaker