change listening address/interface

Open magiruuvelvet opened this issue 7 years ago • 4 comments

Issue description

I came across a problem I couldn't figure out yet (without modifying the source code). Is it not possible to change the listening address or interface of the application? I dislike the idea that Streama is accessible without a proxy from literally any available IP address. My goal is to lock down Streama to 127.0.0.1 and proxy all requests with my web server.

I already managed to change the default port as 8080 is already reserved on my server for something else.

This is my application.yml

environments:
    production:
        server:
            hostname: 127.0.0.1
            host: 127.0.0.1
            port: 7373

Except for the port, the other options are completely ignored.

Steps to Reproduce

  1. Create this application.yml file.
  2. Start Streama
  3. Look for open ports with either sockstat or netstat.

Expected Behavior

That Streama doesn't take over all interfaces and is accessible from the outside via IP address. Using a proxy is preferred behavior.

Actual Behavior

Streama listens on everything where it can get its greedy hands on.

Environment Information

  • Operating System: FreeBSD 11.2-RELEASE
  • Streama version: 1.6.0-RC7
  • Custom streama build, describe customizations or provide link to fork (If Applicable): No
  • Container Version (If Applicable): No

EDIT!: At the moment I blocked the port using pf (firewall) as a workaround. I really don't want any open ports other than the web server and SSH.

magiruuvelvet avatar Jul 21 '18 14:07 magiruuvelvet

I've done some research and it's looking like there might be an issue in grails that doesn't let it listen on a specific interface. There are some workarounds that we can implement into Streama but there is also the option of running the WAR on Tomcat and configuring Tomcat to only listen on the interface you want.

Jeronimo95 avatar Jul 23 '18 01:07 Jeronimo95

I don't know if it is the responsibility of the application to deal with this sort of thing - this sounds to me like you want something like nginx to route your requests and something like iptables / firewall to block certain ports / accesses.

I like what you suggest, as it is in line with mysql disallowing non-localhost access or elasticsearch doing the same, but I feel like instead of each service providing that feature, it should be up to the operating system and other tools like iptables to restrict access in a global way.

I am not opposed to the setting if we can find it... We could probably hack it in using an interceptor... But I am not sure that is exactly what you want, either, because with a portscan it can still be found.

Any suggestion would be greatly appreciated tho :)

dularion avatar Sep 10 '18 21:09 dularion

I think this is a grails issue - you should be able to set it to listen on a single interface, at the moment it binds to all of them. For now running in Tomcat is probably a good solution.

Jeronimo95 avatar Sep 11 '18 02:09 Jeronimo95

Moin,

I also wanted to change the listening address. To do this for Streama, you just have to add some lines to the application.yml

environments:
  production:
    server:
      port: 8888
      address: 127.0.0.1

Of course, port and address are up to you ;-)

Greetings Chris

kille avatar May 17 '22 16:05 kille
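
A check for the bind address discussed in this thread, as an added example that is not part of the issue or of Streama: it parses `sockstat -l` or `netstat -an` style output and reports whether a port is bound to loopback only. The sample output is constructed, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample output in the column layout of FreeBSD `sockstat -l`.
SOCKSTAT_BEFORE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
streama  java       1423  52 tcp46  *:7373                *:*
root     sshd       811   3  tcp4   *:22                  *:*
"""
SOCKSTAT_AFTER = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
streama  java       1501  52 tcp4   127.0.0.1:8888        *:*
"""
# Constructed line in FreeBSD `netstat -an` style (dot before the port).
NETSTAT_AFTER = "tcp4  0  0 127.0.0.1.8888  *.*  LISTEN\n"

WILDCARDS = {"*", "0.0.0.0", "::"}
ADDR_PORT = re.compile(r"(.+)[:.](\d{1,5})")


def classify(host):
    """Return 'all-interfaces', 'loopback', 'specific-interface' or 'unknown'."""
    if host in WILDCARDS:
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    return "loopback" if ip.is_loopback else "specific-interface"


def audit(output, port):
    """List (host, verdict) for every socket whose local address uses `port`."""
    findings = []
    for line in output.splitlines():
        for token in line.split():
            m = ADDR_PORT.fullmatch(token)
            if m and int(m.group(2)) == port:
                host = m.group(1).strip("[]")
                findings.append((host, classify(host)))
                break  # local address precedes the foreign one
    return findings


def loopback_only(output, port):
    """True only if something listens on `port` and every bind is loopback."""
    findings = audit(output, port)
    return bool(findings) and all(v == "loopback" for _, v in findings)
```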