[ https://issues.apache.org/jira/browse/TS-765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13030541#comment-13030541 ]
Leif Hedstrom commented on TS-765:
----------------------------------
1) There is an option to limit the IP to bind:
{code}
LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.17
{code}
It's not as flexible as we'd like, we should redo all IP / port binding options
for v3.2.
2) Not binding 8083 is not possible at this point, this port is also used for
the synthetic health check. Since it won't do anything but the synthetic.txt
page by default, I think this is fairly benign (and we really want it to
support the health check, it's one of the "strengths" we have, where if
traffic_server doesn't proxy the synthetic.txt request properly to
traffic_manager, we restart).
What we possibly could do is to only bind 127.0.0.1 in the case where we want
to disable autoconf support.
3) Port 8088 should not be bound now, unless you enable clustering. I fixed
that a long time ago.
4) I believe port 8084 is protected already, only allowing "forward proxy"
request from either localhost, or the IP that the server binds as. The reason
for 8084 is to allow the synthetic.txt request from traffic_cop to be proxied
in forward proxy to traffic_manager's port 8083. This is needed, so that
records.config settings don't get in the way of the health checks (as far as I
can tell at least).
I.e. the request from traffic_cop is something along the lines of
{code}
curl -x http://localhost:8084 http://127.0.0.1:8083/synthetic.txt
{code}
and this is done to properly exercise the entire HTTP proxy, from end-to-end,
to assure everything is working.
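As an added check (not part of the comment or of the Traffic Server code), the script below classifies the three management ports named in this thread (8083, 8084, 8088) by the address they are bound to, reading `ss -ltn`-style listener lines. The bind IP and the sample listener table are constructed assumptions.

```shell
#!/bin/sh
# Audit which address each Traffic Server management port is bound to.
# Ports from the thread: 8083 (autoconf / synthetic.txt health check),
# 8084 (internal forward proxy used by traffic_cop), 8088 (cluster port).

BIND_IP="${BIND_IP:-192.168.101.17}"   # assumed proxy.local.incoming_ip_to_bind

# classify_bind ADDR:PORT -> prints "ok|exposed|skip PORT reason"; always returns 0
classify_bind() {
  addr=$1
  port=${addr##*:}
  host=${addr%:*}
  case $port in
    8083|8084|8088) ;;
    *) echo "skip $port not a management port"; return 0 ;;
  esac
  case $host in
    127.0.0.1|'[::1]')   echo "ok $port loopback" ;;
    0.0.0.0|'*'|'[::]')  echo "exposed $port wildcard bind" ;;
    "$BIND_IP")          echo "ok $port pinned to $BIND_IP" ;;
    *)                   echo "exposed $port on unexpected $host" ;;
  esac
}

# report < ss-output -> one verdict line per LISTEN socket (field 4 = local address)
report() {
  for addr in $(awk '$1 == "LISTEN" { print $4 }'); do classify_bind "$addr"; done
}

# count_exposed < ss-output -> number of management ports reachable beyond
# loopback or BIND_IP; 0 means the host matches what the thread recommends
count_exposed() {
  report | grep -c '^exposed' || true
}

# Constructed sample listener table (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN 0      128    0.0.0.0:8080          0.0.0.0:*
LISTEN 0      128    0.0.0.0:8083          0.0.0.0:*
LISTEN 0      128    192.168.101.17:8084   0.0.0.0:*
LISTEN 0      128    127.0.0.1:8088        0.0.0.0:*'

# Stand-alone run on the sample; on a real host use: ss -ltn | report
printf '%s\n' "$SAMPLE_SS" | report
printf 'exposed management ports: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | count_exposed)"
```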
> Make ATS listening sockets configurable
> ---------------------------------------
>
> Key: TS-765
> URL: https://issues.apache.org/jira/browse/TS-765
> Project: Traffic Server
> Issue Type: Improvement
> Components: Configuration, Network
> Affects Versions: 2.1.8
> Reporter: Arno Toell
> Priority: Minor
>
> I consider the way Traffic Server opens listening ports dangerous, or at
> least more risky than necessary. Currently ATS allows configuring the port
> numbers for the related services, but not the listening interface. Instead it
> binds to 0.0.0.0. Therefore I'd like to suggest
> * Allow the user to specify a listening interface; don't assume 0.0.0.0 suits
> all setups.
> * Disable the "autoconfiguration port" (i.e. 8083 by default) unless
> proxy.local.cluster.type is set to enable clustering (!= 3). I think
> _traffic_shell_ and eventually _traffic_line_ use this port to configure ATS
> locally. If so, it should be bound to the loopback at least, or use Unix
> Domain Sockets or whatever local socket method you prefer.
> * Disable the "reliable service port" (i.e. 8088 by default) unless
> proxy.local.cluster.type enables clustering. Similar to the
> "autoconfiguration port". If _traffic_cop_ (or something else on the local
> machine) is using this port, the same suggestions apply as above.
> * The "internal communication port" (8084) should not open a public socket at
> all. Instead use Unix Domain Sockets or something similar.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira