Hi guys,

Thanks for the info about the "erlang cookie", will take a look at it :)

Yeah, of course I will have firewalls and restrict access; that's also why I will limit the querying to the localhost and have a middleman API to talk to the node itself. I was just worried about the fact that somebody would just find out an IP or domain and try to hook up a node itself.

Cheers,
Alex

On Mon, Jun 30, 2014 at 12:08 PM, Sargun Dhillon <[email protected]> wrote:
> You really should have some level of IP filtering to prevent people
> from connecting directly to your BEAM / EPM instances, but even if
> they do have the ability to make a TCP/IP connection, they have to
> know the distributed Erlang cookie in order to connect. More on this:
> http://www.erlang.org/doc/reference_manual/distributed.html - See
> section 13.7. You can actually use inet_tls for communication between
> your VMs to ensure authenticity of clients, as well as
> confidentiality.
>
> On Mon, Jun 30, 2014 at 2:47 AM, Alex De la rosa
> <[email protected]> wrote:
> > Hi there,
> >
> > Imagine the following IP configuration for Riak 2.0:
> >
> > # /etc/riak/riak.conf
> >
> > nodename = [email protected]
> > listener.http.internal = 127.0.0.1:8098
> > listener.protobuf.internal = 127.0.0.1:8087
> > listener.https.internal = 127.0.0.1:8098
> >
> > I put the server's real IP in the nodename so they can join/communicate
> > with each other, but then I limit any HTTP/PB communication to the
> > localhost so nobody can mess with the node from outside (we assume I
> > have my own Python API in each node doing the security and being a
> > middleman between the cluster and the webapp).
> >
> > But how can I prevent 3rd parties from just building a Riak server
> > themselves and joining my cluster without permission... they can freely
> > join like this:
> >
> > # riak-admin join [email protected]
> >
> > Of course, they will have to find out the IP address, but if they do,
> > they can simply put a server themselves in the cluster and do whatever
> > they want with it.
> >
> > Maybe a solution is creating subdomains on my domain just for the
> > riak-ring in a way that is extremely hard to find out to be able to do
> > the JOIN, something like: nodename = [email protected]
> >
> > Is this approach reasonable? Am I doing/thinking something very wrong?
> > What would be the suggested way to prevent undesired JOINs?
> >
> > Cheers,
> > Alex
> >
> > _______________________________________________
> > riak-users mailing list
> > [email protected]
> > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
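A configuration check for the points raised in the thread (a non-default cookie, client listeners kept on localhost, a fixed distribution port range that a firewall can filter), as an added example that is not part of the original messages or of Riak itself. The `distributed_cookie` and `erlang.distribution.port_range.*` keys are Riak 2.x `riak.conf` settings not shown in the thread, and the sample config and its address are constructed.

```python
import ipaddress

# Constructed sample config; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_CONF = """\
nodename = riak@192.0.2.10
distributed_cookie = riak
listener.http.internal = 127.0.0.1:8098
listener.protobuf.internal = 0.0.0.0:8087
"""

PORT_KEYS = ("erlang.distribution.port_range.minimum",
             "erlang.distribution.port_range.maximum")

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return host == "localhost"

def audit(conf):
    """Return (key, finding) pairs for settings that ease an unwanted join."""
    findings = []
    # A missing key means the shipped default cookie, "riak", is in use.
    if conf.get("distributed_cookie", "riak") == "riak":
        findings.append(("distributed_cookie",
                         "default cookie is publicly known"))
    for key in sorted(k for k in conf if k.startswith("listener.")):
        host = conf[key].rsplit(":", 1)[0]
        if not is_loopback(host):
            findings.append((key, "client listener reachable beyond localhost"))
    if not all(k in conf for k in PORT_KEYS):
        findings.append(("erlang.distribution.port_range",
                         "distribution ports not pinned for firewall rules"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{key}: {finding}")
```

A clean result only says the config is consistent with the advice above; the firewall rules for the distribution ports still have to exist on the host.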
