Allow user to specify listen interface via LISTEN_IP #1190
Conversation
Also explain how to fully lock down the services that Plausible requires (`beam` inter-node communication and `epmd`).
Also explain how to fully lock down the services that Plausible requires (`beam` inter-node communication and `epmd`).
|
For some extra motivation on why restricting listen addresses to localhost is a good default practice, see MongoDB's history, or e.g. NixOS/nixpkgs#130244 for Erlang. This PR only adds the option, it does not change the default away from |
| @@ -7,6 +7,18 @@ end | |||
|
|
|||
| config_dir = System.get_env("CONFIG_DIR", "/run/secrets") | |||
|
|
|||
| # Listen IP supports IPv4 and IPv6 addresses. | |||
| listen_ip = ( | |||
| str = get_var_from_path_or_env(config_dir, "LISTEN_IP") || "0.0.0.0" | |||
There was a problem hiding this comment.
Just a thought, shouldn't the default be 127.0.0.1 ?
https://hexdocs.pm/plug_cowboy/Plug.Cowboy.html#module-loopback-vs-public-ip-addresses
There was a problem hiding this comment.
I personally would be happy if the default was 127.0.0.1, like most software does it, as a safe default.
However, I didn't want to change it here without asking the project first if they want to change the default.
|
An alternative solution to this would be to set RELEASE_DISTRIBUTION to I'm not commited to any particular solution, just mentioning an alternative. https://hexdocs.pm/mix/Mix.Tasks.Release.html#module-environment-variables |
Also explain how to fully lock down the services that Plausible requires (`beam` inter-node communication and `epmd`).
@happysalada However, I've added your recommendation to the docs PR at plausible/docs#112, which talks about both topics. |
|
Reading more about the docs, I see this PR is just to configure the IP the server is listening on and has nothing to do with a security issue, understood, thanks! |
This enables safer deployments to allow localhost-only or VPN-interface-only listening.
|
@ukutaht I have rebased the PR to fix the conflict, could you have a look at it? It's a trivial change, the main question is if you also want to switch to the safer default that is |
BundleMonUnchanged files (7)
No change in files bundle size Final result: ✅ View report in BundleMon website ➡️ |
|
Thanks @nh2 for this. I like having more safe and secure defaults. I believe in order to run Plausible in a docker container, it needs to bind to While erlang is really eager to connect nodes and form a cluster, we don't use any of those features within the Plausible codebase. In fact, Plausible is currently limited to running in a single node because the service itself is stateful with no synchronization between nodes. We will move to a multi-node setup at some point but I think the synchronization will happen at the level of the database, not the app server. App servers will be stateless and independent. Therefore we can add extra safety and set I will merge this for now and test it out with some docker containers. |
|
This seems like a good default to me: 69576aa |
This is a safer default configuration, changing: * the plausible HTTP web server to be listening on localhost only. This makes Plausible have a safe default configuration, like all other networked services in NixOS For background discussion, see: NixOS#130244 As per my upstream Plausible contribution (plausible/analytics#1190) Plausible >= 1.5 also defaults to listening to localhost only; nevertheless a NixOS user must be able to configure the `listenAddress`, as there are valid use cases for that. Also, disable * the Erlang Beam VM inter-node RPC port * the Erlang EPMD port because Plausible does not use them (see added comment). This is done by setting `RELEASE_DISTRIBUTION=none`. Thus, this commit also removes the NixOS setting `releaseCookiePath`, because it now has no effect.
This changes * the plausible HTTP web server to be listening on localhost only, explicitly. This makes Plausible have an explicit safe default configuration, like all other networked services in NixOS. For background discussion, see: NixOS#130244 As per my upstream Plausible contribution (plausible/analytics#1190) Plausible >= 1.5 also defaults to listening to localhost only; nevertheless, this default should be stated explicitly in nixpkgs for easier review and independence from upstream changes, and a NixOS user must be able to configure the `listenAddress`, as there are valid use cases for that. Also, disable * the Erlang Beam VM inter-node RPC port * the Erlang EPMD port because Plausible does not use them (see added comment). This is done by setting `RELEASE_DISTRIBUTION=none`. Thus, this commit also removes the NixOS setting `releaseCookiePath`, because it now has no effect.
This enables safer deployments to allow localhost-only or VPN-interface-only listening.
Changes
Tests
Changelog
Documentation
LISTEN_IPenvironment variable docs#112