"riak only available on localhost and nginx facing the outside world"... that sounds like something worth trying! Thanks.
Even so, I still think it would be great to have some options to enable/disable those "?buckets=true" and "?keys=true".
Rohman
On Fri, 27 May 2011 07:40:45 +0100, Russell Brown <russell.br...@mac.com> wrote:
On 27 May 2011, at 07:10, Antonio Rohman Fernandez wrote:
Something like nginx set up as a reverse proxy with re-write rules/filters for URLs you consider a security risk? Instance per Riak instance, Riak only available on localhost and nginx facing the outside world?

"In our case, the only nodes that are allowed to hit the Riak cluster are those of our applications"... what if your app is more complex than that and you have thousands of servers all around the world (different datacenters, different networks) with crawlers, scanners, blackboxes, etc... all communicating with Riak and adding/removing new scanners/crawlers/blackboxes/etc... every now and then... quite troublesome to set up and maintain a firewall for that.

"It is not recommended that you deploy Riak on the public internet"... what if, apart from webservers with a web-app, I want to build iPhone/iPad/Android apps that access Riak directly? One thing I love about Riak is its RESTful architecture, but if I have to build some API somewhere for the mobile apps to interact with Riak... well... the 'cloud' paradigm just vanished for me... also, I would have a single point of failure on the API implementation.

Any other suggestions?
Rohman
On Fri, 27 May 2011 01:20:00 -0400, Alexander Sicular <sicul...@gmail.com> wrote:
Hi Rohman,

It is not recommended that you deploy Riak on the public internet. Keep all access private and then implement iptables on each individual node securing access to upstream clients.

Ports to keep in mind:
- http(s) port (8098)
- protocol buffers port (8099)
- epmd (4369)
- forcing the range of ports erlang uses to communicate amongst other erlang nodes.

The latter is not part of the default configuration but I think it should be. At least commented out in app.config.

Put it right at the top of the config array above the riak_core directives like so:

    [
     %% limit dynamic ports erlang uses to communicate
     %% pick some range that works in your environment
     %{kernel, [
     % {inet_dist_listen_min, 21000},
     % {inet_dist_listen_max, 22000}
     %]},
     %% Riak Core config
     {riak_core, [
     ...

Cheers,
Alexander Sicular
@siculars
On Friday, May 27, 2011 at 12:55 AM, Antonio Rohman Fernandez wrote:
hello all,
http://IP:8098/riak?buckets=true [ will show all available buckets on Riak ]
http://IP:8098/riak/bucketname?keys=true&props=false [ will show all available keys on a bucket ]
To me, this poses a very big security risk, as if somebody discovers your Riak server's IP, it is very easy to read all the information from it, even if you try to obfuscate the buckets/keys... everything is highly readable.
Is there any way to disable those options? Like {riak_kv_stat, false} hides the /stats page.
thanks
Rohman
Antonio Rohman Fernandez
CEO, Founder & Lead Engineer
roh...@mahalostudio.com
Projects
MaruBatsu.es
PupCloud.com
Wedding Album
_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
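As an added example (not from the thread or the Riak project), here is an nginx reverse-proxy configuration along the lines Russell suggests: Riak's HTTP interface bound to 127.0.0.1:8098 only, nginx facing the outside world, and the "?buckets=true" / "?keys=true" listing URLs from the original question refused before they reach Riak. The server_name is a placeholder and /riak is assumed to be the default Riak HTTP prefix.

```nginx
# Added example: nginx in front of a Riak node that only listens on localhost.
# Assumes Riak's raw_name is the default "riak" (URLs under /riak/...).
server {
    listen 80;
    server_name riak-proxy.example.com;   # placeholder hostname

    # Bucket listing: GET /riak?buckets=true (with or without trailing slash).
    # $arg_buckets is nginx's built-in variable for the "buckets" query arg;
    # "return" inside "if" is one of the safe uses of "if" in nginx.
    location = /riak {
        if ($arg_buckets) { return 403; }
        proxy_pass http://127.0.0.1:8098;
    }
    location = /riak/ {
        if ($arg_buckets) { return 403; }
        proxy_pass http://127.0.0.1:8098;
    }

    # Key listing on any bucket: /riak/<bucket>?keys=true (or ?keys=stream).
    # Bucket properties (?props=true) on the same URL are still allowed.
    location ~ ^/riak/[^/]+/?$ {
        if ($arg_keys) { return 403; }
        proxy_pass http://127.0.0.1:8098;
    }

    # Per-object operations (GET/PUT/DELETE /riak/<bucket>/<key>) pass through.
    location /riak/ {
        proxy_pass http://127.0.0.1:8098;
    }

    # Deny by default: /stats and anything else outside /riak never reaches Riak.
    location / {
        return 403;
    }
}
```

This only filters the HTTP interface; the protocol buffers port (8099) and the Erlang distribution ports still need to stay off the public interface (iptables, or binding to localhost) as Alexander describes.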