Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2011/05/09 04:02:03 UTC

[jira] [Resolved] (TS-765) Make the backdoor port (8084 by default) only listen on "localhost"

     [ https://issues.apache.org/jira/browse/TS-765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom resolved TS-765.
------------------------------

    Resolution: Fixed

Closing this. If any of the other items in the list need fixing (other than TS-767), please open other bugs.

> Make the backdoor port (8084 by default) only listen on "localhost"
> -------------------------------------------------------------------
>
>                 Key: TS-765
>                 URL: https://issues.apache.org/jira/browse/TS-765
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Configuration, Network
>    Affects Versions: 2.1.8
>            Reporter: Arno Toell
>            Assignee: Leif Hedstrom
>            Priority: Minor
>             Fix For: 2.1.9
>
>
> I consider the way Traffic Server opens listening ports dangerous, or at least more risky than necessary. Currently ATS allows configuring port numbers for the related services, but not the listening interface. Instead it binds to 0.0.0.0. Therefore I'd like to suggest:
> * Allow the user to specify a listening interface, don't assume 0.0.0.0 suits all setups.
> * Disable the "autoconfiguration port" (i.e. 8083 by default) unless proxy.local.cluster.type is set to enable clustering (!= 3). I think _traffic_shell_ and eventually _traffic_line_ use this port to configure ATS locally. If so, it should be bound to the loopback at least, or use Unix Domain Sockets or whatever local socket method you prefer.
> * Disable the "reliable service port" (i.e. 8088 by default) unless proxy.local.cluster.type enables clustering. Similar to the "autoconfiguration port". If _traffic_cop_ (or something else on the local machine) is using this port, the same suggestions apply as above.
> * The "internal communication port" (8084) should not open a public socket at all. Instead use Unix Domain Sockets or something similar.

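A defender-side check for the condition this issue describes, as an added example that is not part of the original message or of the Traffic Server code base: it reads a socket table in Linux `/proc/net/tcp` layout and reports listeners on the three default ports named above (8083, 8084, 8088) that are bound to anything other than loopback. The sample table is constructed, and the decoder assumes IPv4 and a little-endian host.

```python
import ipaddress
import struct

# Default ports named in TS-765; the labels are the issue's own wording.
ATS_LOCAL_PORTS = {
    8083: "autoconfiguration port",
    8084: "backdoor / internal communication port",
    8088: "reliable service port",
}
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:1F94 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:1F93 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A0200C0:1F98 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004
   4: 0100007F:1F98 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port). Assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    packed = struct.pack("<I", int(hex_ip, 16))  # host order -> network-order bytes
    return ipaddress.IPv4Address(packed), int(hex_port, 16)

def exposed_listeners(table_text):
    """Return [(port, bind_address)] for watched ports listening off-loopback."""
    findings = []
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows start with an index such as '0:'; the header row does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] != TCP_LISTEN:
            continue  # only listening sockets accept new connections
        ip, port = decode_endpoint(fields[1])
        if port in ATS_LOCAL_PORTS and not ip.is_loopback:
            findings.append((port, str(ip)))
    return findings

if __name__ == "__main__":
    for port, addr in exposed_listeners(SAMPLE):
        print(f"{ATS_LOCAL_PORTS[port]} {port} is bound to {addr}, not loopback")
```

On a live Linux host, pass the contents of `/proc/net/tcp` to `exposed_listeners` instead of `SAMPLE`; sockets bound over IPv6 are listed in `/proc/net/tcp6`, which this decoder does not parse.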