Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2011/05/08 22:38:03 UTC

[jira] [Commented] (TS-765) Make ATS listening sockets configurable

    [ https://issues.apache.org/jira/browse/TS-765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13030541#comment-13030541 ] 

Leif Hedstrom commented on TS-765:
----------------------------------

1) There is an option to limit the IP to bind:

{code}
LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.17
{code}

It's not as flexible as we'd like, we should redo all IP / port binding options for v3.2.

2) Not binding 8083 is not possible at this point, this port is also used for the synthetic health check. Since it won't do anything but the synthetic.txt page by default, I think this is fairly benign (and we really want it to support the health check, it's one of the "strengths" we have, where if traffic_server doesn't proxy the synthetic.txt request properly to traffic_manager, we restart).

What we possibly could do is to only bind 127.0.0.1 in the case where we want to disable autoconf support.


3) Port 8088 should not be bound now, unless you enable clustering. I fixed that a long time ago.

4) I believe port 8084 is protected already, only allowing "forward proxy" request from either localhost, or the IP that the server binds as. The reason for 8084 is to allow the synthetic.txt request from traffic_cop to be proxied in forward proxy to traffic_manager's port 8083. This is needed, so that records.config settings don't get in the way of the health checks (as far as I can tell at least).

I.e. the request from traffic_cop is something along the lines of

{code}
curl -x http://localhost:8084 http://127.0.0.1:8083/synthetic.txt
{code}

and this is done to properly exercise the entire HTTP proxy, from end-to-end, to assure everything is working.

> Make ATS listening sockets configurable
> ---------------------------------------
>
>                 Key: TS-765
>                 URL: https://issues.apache.org/jira/browse/TS-765
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Configuration, Network
>    Affects Versions: 2.1.8
>            Reporter: Arno Toell
>            Priority: Minor
>
> I consider the way Traffic Server opens listening ports dangerous, or at least more risky than necessary. Currently ATS allows configuring port numbers for the related services, but not the listening interface. Instead it binds to 0.0.0.0. Therefore I'd like to suggest
> * Allow the user to specify a listening interface, don't assume 0.0.0.0 suits all setups.
> * Disable the "autoconfiguration port" (i.e. 8083 by default) unless proxy.local.cluster.type is set to enable clustering (!= 3). I think _traffic_shell_ and eventually _traffic_line_ use this port to configure ATS locally. If so it should be bound to the loopback at least or using Unix Domain Sockets or whatever local socket method you prefer.
> * Disable the "reliable service port" (i.e. 8088 by default) unless proxy.local.cluster.type enables clustering. Similar to the "autoconfiguration port". If _traffic_cop_ (or something else on the local machine) is using this port, the same suggestions apply as above. 
> * The "internal communication port" (8084) should not open a public socket at all. Instead use Unix Domain Sockets or something similar. 

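An added example, not part of the JIRA comment or of Traffic Server's own code: a small audit that parses `ss -H -ltn` output and reports which of the ports discussed in this issue (8083, 8084, 8088) are listening on anything other than loopback. The sample output is constructed, and the loopback-only policy is an assumption taken from the reporter's suggestions, not current ATS behaviour.

```python
import ipaddress

# Constructed sample in the layout of `ss -H -ltn`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 1024 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:8083 0.0.0.0:*
LISTEN 0 1024 127.0.0.1:8084 0.0.0.0:*
LISTEN 0 1024 [::]:8088 [::]:*
LISTEN 0 128 192.168.101.17:22 0.0.0.0:*
"""

# Ports named in the issue; treating them as loopback-only is this example's assumption.
INTERNAL_PORTS = {8083: "autoconfiguration / synthetic health check",
                  8084: "internal communication",
                  8088: "reliable service (cluster)"}

def split_local(field):
    """Split an ss local-address field into (host, port); handles [v6]:port and *:port."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %interface suffix
    return host, int(port)

def scope(host):
    """Classify a bind address as 'wildcard', 'loopback' or 'specific'."""
    if host in ("*", ""):
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"

def audit(ss_output, internal_ports=INTERNAL_PORTS):
    """Return sorted (port, host, scope, role) for internal ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening sockets
        host, port = split_local(cols[3])
        bound = scope(host)
        if port in internal_ports and bound != "loopback":
            findings.append((port, host, bound, internal_ports[port]))
    return sorted(findings)

if __name__ == "__main__":
    for port, host, bound, role in audit(SAMPLE_SS):
        print(f"port {port} ({role}) listens on {host} [{bound}]")
```
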