Kom listening to loopback interface only

Giovanni Corriga
Hi all,

I was going over the bugs for KomHttpServer on bugs.squeak.org and I
am a little undecided about bug #6738
(http://bugs.squeak.org/view.php?id=6738). What do you think about an
option to make Kom listen only to the loopback interface 127.0.0.1?
Would that be useful to you?

The rationale behind this option would be to increase the security of
your application, especially in those situations where you have the
Seaside server and the Apache/Lighty/whatever server running on the
same machine. The default behaviour would still be the same though -
if you start the HttpService using the usual #start method, it would
listen on all interfaces.

        Ciao,

                Giovanni
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Re: Kom listening to loopback interface only

Avi Bryant-2
On Sun, Aug 24, 2008 at 7:46 AM, Giovanni Corriga <[hidden email]> wrote:
> Hi all,
>
> I was going over the bugs for KomHttpServer on bugs.squeak.org and I
> am a little undecided about bug #6738
> (http://bugs.squeak.org/view.php?id=6738). What do you think about an
> option to make Kom listen only to the loopback interface 127.0.0.1?
> Would that be useful to you?

Yes - it's something we modify Kom to do anyway, so an option would be great.

Avi

Re: Kom listening to loopback interface only

Nevin Pratt
Avi Bryant wrote:
> On Sun, Aug 24, 2008 at 7:46 AM, Giovanni Corriga [hidden email] wrote:
>> Hi all,
>>
>> I was going over the bugs for KomHttpServer on bugs.squeak.org and I
>> am a little undecided about bug #6738
>> (http://bugs.squeak.org/view.php?id=6738). What do you think about an
>> option to make Kom listen only to the loopback interface 127.0.0.1?
>> Would that be useful to you?
>
> Yes - it's something we modify Kom to do anyway, so an option would be great.
>
> Avi
  

Hmm, this is curious.  I've never needed to do it.

In contrast, I have Apache listening to the world on port 80, and Seaside/Comanche listening on a high port, and Apache redirecting to the high port.  And the high port is firewall blocked and thus only local processes (i.e., Apache) can send to it.

Doesn't that achieve the same thing?

Nevin




Re: Kom listening to loopback interface only

Boris Popov, DeepCove Labs (SNN)
In reply to this post by Giovanni Corriga

When listening on localhost only no other network device would be able to access the service, regardless of what happens to your network configuration in the future. It is a key requirement in certain compliance environments.

Cheers!

-Boris (via BlackBerry)


From: [hidden email]
To: Seaside - general discussion
Sent: Sun Aug 24 15:16:49 2008
Subject: Re: [Seaside] Kom listening to loopback interface only

Avi Bryant wrote:
> On Sun, Aug 24, 2008 at 7:46 AM, Giovanni Corriga [hidden email] wrote:
>> Hi all,
>>
>> I was going over the bugs for KomHttpServer on bugs.squeak.org and I
>> am a little undecided about bug #6738
>> (http://bugs.squeak.org/view.php?id=6738). What do you think about an
>> option to make Kom listen only to the loopback interface 127.0.0.1?
>> Would that be useful to you?
>
> Yes - it's something we modify Kom to do anyway, so an option would be great.
>
> Avi
  

Hmm, this is curious.  I've never needed to do it.

In contrast, I have Apache listening to the world on port 80, and Seaside/Comanche listening on a high port, and Apache redirecting to the high port.  And the high port is firewall blocked and thus only local processes (i.e., Apache) can send to it.

Doesn't that achieve the same thing?

Nevin



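The difference raised in the message above, as an added example that is not part of the original thread: a back end bound to the wildcard address stays private only while a firewall rule holds, whereas a loopback bind is visible in the socket table itself. This Python check audits constructed `ss -H -ltn` output; the port numbers, the set of public ports and the function names are assumptions.

```python
import ipaddress

# Constructed `ss -H -ltn` output (not from the thread). Assumed layout:
# port 80 is the public Apache front end, 8080-8083 and 9090 are back ends.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:80     0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080   0.0.0.0:*
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 [::]:8081      [::]:*
LISTEN 0 128 [::1]:8082     [::]:*
LISTEN 0 128 *:8083         *:*
"""

PUBLIC_PORTS = frozenset({80, 443})  # assumption: ports meant to face the network


def split_endpoint(endpoint):
    """Split 'host:port' as printed by ss, including '[::1]:8082' and '*:8083'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback_only(host):
    """True only for 127.0.0.0/8 and ::1; wildcard binds ('*', 0.0.0.0, ::) are not."""
    if host == "*":
        return False
    # Drop an interface suffix such as '127.0.0.53%lo' before parsing.
    return ipaddress.ip_address(host.split("%", 1)[0]).is_loopback


def exposed_backends(ss_output, public_ports=PUBLIC_PORTS):
    """Return (host, port) for every non-public listener not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])  # 4th column is Local Address:Port
        if port not in public_ports and not is_loopback_only(host):
            findings.append((host, port))
    return findings


if __name__ == "__main__":
    for host, port in exposed_backends(SAMPLE_SS):
        print(f"port {port} is bound to {host}: only a firewall rule keeps it private")
```
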

Re: Kom listening to loopback interface only

SeanTAllen
In reply to this post by Giovanni Corriga

On Aug 24, 2008, at 10:46 AM, Giovanni Corriga wrote:

> I was going over the bugs for KomHttpServer on bugs.squeak.org and I
> am a little undecided about bug #6738
> (http://bugs.squeak.org/view.php?id=6738). What do you think about an
> option to make Kom listen only to the loopback interface 127.0.0.1?
> Would that be useful to you?

Very.


RE: Kom listening to loopback interface only

Sebastian Sastre-2
In reply to this post by Giovanni Corriga
>What do you think about an
> option to make Kom listen only to the loopback interface 127.0.0.1?
Shouldn't be argued. All services use to let you bound it to an address even
interfaces. We modified comanche to be able to do that. For me address to bound
it to an address is enough. I think Swazoo should be able to do that too.

> Would that be useful to you?
You can be sure.

Cheers,
Sebastian

>
>                 Giovanni



Re: Kom listening to loopback interface only

Giovanni Corriga
2008/8/25 Sebastian Sastre <[hidden email]>:
>>What do you think about an
>> option to make Kom listen only to the loopback interface 127.0.0.1?
> Shouldn't be argued. All services use to let you bound it to an address even
> interfaces. We modified comanche to be able to do that. For me address to bound
> it to an address is enough. I think Swazoo should be able to do that too.
>
>> Would that be useful to you?
> You can be sure.
>
I suspected so ;)

Avi, Sebastian, can your changes be released to the public? If so,
would you mind uploading them to the KomHttpServer repository
http://www.squeaksource.com/KomHttpServer?

This way we could possibly avoid reinventing the wheel one more time.

        Ciao,

                Giovanni