How to bind API to localhost? #796

Closed
pavel-odintsov opened this issue Mar 24, 2016 · 7 comments · Fixed by #829

Comments

@pavel-odintsov
Contributor

Hello, folks!

By default the gobgp API listens on all interfaces (including external) and it's not expected behavior :)

Actually we have an option to change the default port but we don't have any way to specify a custom host:

 /opt/dps/libraries/gobgp_1_4_0_git/gobgpd --help 2>&1|grep grpc
  -g, --grpc-port=        grpc port (default: 50051)

Finally, I have two suggestions:

  1. Let's bind to 127.0.0.1 by default
  2. Offer configurable option to specify custom host for listening

Thanks!

@pavel-odintsov
Contributor Author

Hi, folks!

Do you have some updates? :) That's a real security issue for production use and I would be very glad if you could fix it.

@fujita
Member

fujita commented Apr 9, 2016

why not iptables? If it doesn't work for you, I guess that we could extend '-g' option or something.

@pavel-odintsov
Contributor Author

Hello!

It would be fine to have an option to tune the bind interface. On servers with a bunch
of interfaces I want to have multiple GoBGP instances for different
tasks (for example, first gobgp on 192.168.155.1:179, second on
10.10.10.12:179 etc). So we could not handle this configuration with
iptables.

Also iptables configuration adds another level of complexity and is very error
prone for new users of gobgp. And an open API interface offers a very dangerous
level of access to an external malicious user.

So I will be very glad to avoid it.

On Saturday, 9 April 2016, FUJITA Tomonori notifications@github.com wrote:

> why not iptables? If it doesn't work for you, I guess that we could extend
> '-g' option or something.



Sincerely yours, Pavel Odintsov

fujita added a commit to fujita/gobgp that referenced this issue Apr 10, 2016
by default, ":50051" is used as before.

gobgpd accepts grpc connections from localhost with the following example:

$ gobgpd --api-hosts 127.0.0.1:50051

You can specify multiple hosts like:

$ gobgpd --api-hosts 127.0.0.1:50051,10.0.255.254:50051

close osrg#796

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
@fujita
Member

fujita commented Apr 10, 2016

#828

Works for you?

@pavel-odintsov
Contributor Author

Yep, looks awesome! Waiting in master! :)

On Sun, Apr 10, 2016 at 8:53 AM, FUJITA Tomonori notifications@github.com wrote:

> #828
>
> Works for you?



Sincerely yours, Pavel Odintsov

fujita added a commit to fujita/gobgp that referenced this issue Apr 10, 2016
by default, ":50051" is used as before.

gobgpd accepts grpc connections from localhost with the following
example:

$ gobgpd --api-hosts 127.0.0.1:50051

You can specify multiple hosts like:

$ gobgpd --api-hosts 127.0.0.1:50051,10.0.255.254:50051

close osrg#796

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
@fujita
Member

fujita commented Apr 11, 2016

Pushed. Please try the latest master.

@pavel-odintsov
Contributor Author

Perfect! Working as expected. Thanks!

Sorry for the delay. I had a short holiday.
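
An added example, not part of the thread and not GoBGP's own code: a small Go check that takes a comma-separated listen list in the form shown in the commit message and reports whether each entry binds loopback only, one specific address, or every interface. `ClassifyAPIHosts` and `Exposure` are hypothetical names; the example goes slightly beyond the thread by also treating `0.0.0.0` and `[::]` as wildcard binds, and it assumes `localhost` resolves to a loopback address.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Exposure describes how widely one listen address is reachable.
type Exposure struct {
	Addr  string
	Scope string // "loopback", "specific" or "all-interfaces"
}

// ClassifyAPIHosts (hypothetical helper) parses a comma-separated host:port
// list, the form used in the --api-hosts examples above, and reports the
// bind scope of every entry. A malformed entry is an error, not a skip.
func ClassifyAPIHosts(spec string) ([]Exposure, error) {
	var out []Exposure
	for _, addr := range strings.Split(spec, ",") {
		addr = strings.TrimSpace(addr)
		host, _, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, fmt.Errorf("bad listen address %q: %w", addr, err)
		}
		scope := "specific"
		ip := net.ParseIP(host)
		switch {
		case host == "" || (ip != nil && ip.IsUnspecified()):
			scope = "all-interfaces" // ":50051", "0.0.0.0:50051", "[::]:50051"
		case host == "localhost" || (ip != nil && ip.IsLoopback()):
			scope = "loopback" // assumes "localhost" resolves to loopback
		}
		out = append(out, Exposure{Addr: addr, Scope: scope})
	}
	return out, nil
}

func main() {
	// Constructed inputs: the old default and the two commit-message examples.
	for _, spec := range []string{":50051", "127.0.0.1:50051", "127.0.0.1:50051,10.0.255.254:50051"} {
		res, err := ClassifyAPIHosts(spec)
		fmt.Printf("%-40q %v err=%v\n", spec, res, err)
	}
}
```

An entry reported as `all-interfaces` is the situation the issue describes: the API is reachable on external addresses unless a host firewall blocks it.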
