
Support Unix Sockets #1249

Closed
sloonz opened this issue Apr 20, 2021 · 9 comments
Comments

@sloonz
Contributor

sloonz commented Apr 20, 2021

AFAICT Kratos can only listen on TCP sockets. Unix sockets have a few advantages over TCP sockets. From least important to most important:

  • Minor performance gains
  • Convenience for system administrators in some contexts: using /run/http/kratos.sock rather than localhost:31038 is more expressive and less error-prone (for example, when configuring the reverse-proxy). There's no need to keep track of port assignments (which ports are assigned to which services, which should be open/closed on the firewall…).
  • Security benefits: Unix sockets are never reachable from an external machine, so a misconfiguration (listening on 0.0.0.0:8080 instead of localhost:31038) has less of an impact. More importantly, Unix sockets are subject to normal Unix permissions; if a non-privileged user is compromised on the machine, they can access localhost:31038 without any trouble, but are still limited by normal filesystem restrictions when accessing /srv/http/kratos.sock
@aeneasr
Member

aeneasr commented Apr 20, 2021

I think this is a great idea which we already support in Ory Hydra. I don't quite remember the place where it is but I think we can extract the logic to github.com/ory/x or github.com/ory/graceful and make it available for all ory projects - hence also Ory Kratos :)

@sloonz
Contributor Author

sloonz commented Apr 20, 2021

It’s here in Hydra: https://github.com/ory/hydra/blob/24f91ab7038e4c612db5af86ff0f3ee5eb03c878/cmd/server/handler.go#L284

I think what could be done is extracting a MakeListener(add string, permission *config.UnixPermission) (l net.Listener, tlsPossible bool, err error) function and putting it into github.com/ory/x. It would also require moving hydra's config.UnixPermission into ory/x.

I can try to do a pull request doing this if you’re okay with that approach.
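To make the two points above concrete (the permission argument in the opening comment and the `MakeListener` shape proposed here), the following is an added illustration written for this page; it is not Ory's code from ory/x, ory/hydra or ory/kratos. It assumes a `unix:/path` address prefix, a `UnixPermission` type reduced to a file mode (ownership handling is left out), and that TLS is reported as possible only for TCP listeners; all three are assumptions for the example, not the behaviour of the real implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
	"syscall"
	"time"
)

// UnixPermission is a hypothetical stand-in for the config type mentioned in the
// thread; only the file mode is modelled here (constructed for this example).
type UnixPermission struct {
	Mode os.FileMode
}

// MakeListener returns a listener for addr, which is either "unix:/path/to.sock"
// or a TCP host:port. The second return value reports whether TLS can be layered
// on top: this example (an assumption, not Ory's behaviour) offers TLS only for
// TCP, since a Unix socket is already confined to the local host and to the
// processes allowed by its file permissions.
func MakeListener(addr string, perm *UnixPermission) (net.Listener, bool, error) {
	if !strings.HasPrefix(addr, "unix:") {
		l, err := net.Listen("tcp", addr)
		return l, true, err
	}
	path := strings.TrimPrefix(addr, "unix:")
	l, err := listenUnix(path)
	if err != nil {
		return nil, false, err
	}
	if perm != nil {
		// The socket inode is created with 0777 & ~umask; tighten it before
		// handing the listener back so a reverse proxy in the right group can
		// connect while unrelated local users cannot.
		if err := os.Chmod(path, perm.Mode); err != nil {
			l.Close()
			return nil, false, err
		}
	}
	return l, false, nil
}

// listenUnix binds path, reclaiming the file only when it is a stale socket
// left behind by a crashed server; a live server's socket is never unlinked.
func listenUnix(path string) (net.Listener, error) {
	l, err := net.Listen("unix", path)
	if err == nil {
		return l, nil
	}
	if !errors.Is(err, syscall.EADDRINUSE) {
		return nil, err
	}
	// Somebody may still be serving on this path: probe before removing it.
	c, dialErr := net.DialTimeout("unix", path, 200*time.Millisecond)
	if dialErr == nil {
		c.Close()
		return nil, fmt.Errorf("%s: another process is already listening", path)
	}
	if err := os.Remove(path); err != nil {
		return nil, err
	}
	return net.Listen("unix", path)
}

// SocketMode reports the permission bits actually set on the socket file, which
// is what an administrator (or a hardening check) would verify after start-up.
func SocketMode(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return 0, fmt.Errorf("%s is not a socket", path)
	}
	return fi.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "kratos-sock")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "kratos.sock")
	l, tlsPossible, err := MakeListener("unix:"+sock, &UnixPermission{Mode: 0o660})
	if err != nil {
		panic(err)
	}
	defer l.Close()
	mode, _ := SocketMode(sock)
	fmt.Printf("listening on %s mode=%o tlsPossible=%v\n", sock, mode, tlsPossible)
}
```

Two details matter for the security argument in the opening comment. First, the mode is applied after `Listen`, so there is a short window where the socket carries the umask-derived default; placing the socket in a directory that is itself group-restricted (as with `/run/http/` owned by the service group) closes that window without touching the process-wide umask. Second, the stale-socket check dials before unlinking, so a misconfigured second instance cannot silently steal the path from a running server.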

@aeneasr
Member

aeneasr commented Apr 20, 2021

SGTM!

@sloonz
Contributor Author

sloonz commented Apr 20, 2021

First attempt:

ory/x@master...sloonz:master
ory/hydra@master...sloonz:master
master...sloonz:master

How do I proceed from here? Do we keep discussing this here? Or do I create an issue (pull request?) on each project?

@aeneasr
Member

aeneasr commented Apr 22, 2021

Oh great! I'll take a look now!

@aeneasr
Member

aeneasr commented Apr 22, 2021

Yeah I think you can just create the PRs - looks good to me

@aeneasr
Member

aeneasr commented Apr 25, 2021

merged!

@aeneasr aeneasr closed this as completed Apr 25, 2021
@sloonz
Contributor Author

sloonz commented Apr 27, 2021

Thanks for taking the time to review and merge this!

@aeneasr
Member

aeneasr commented Apr 27, 2021

Thank you for making it! :)
