Hi,

I'm running instiki 0.10.1 on FreeBSD 4.9 with Apache 1.3 utilising mod_proxy. Because of this, I wanted to ensure that instiki was only listening to the local machine. As far as I was aware, I should use the binding parameter to achieve this. However, after changing this to 127.0.0.1 (both on the command line and manually in the server ruby file) I can still connect from remote machines direct to <ip>:2500. I also tried this with the svn version of instiki and the same thing happens.

I then tried this on two Windows boxes with both the 0.10.1 and svn versions. In both cases the --binding flag worked and limited connections to the local machine. I also tried it on FreeBSD 5.3R with 0.10.1 installed via Gems and the --binding flag also worked as expected.

I'm guessing that I've done something stupid on the 4.9 box but can't think of what it may be or of anything else to test at the moment... Any thoughts?

Chris

Chris Roos wrote:
> I should use the binding parameter to achieve this. However, after
> changing this to 127.0.0.1 (both on the command line and manually in
> the server ruby file) I can still connect from remote machines direct
> to <ip>:2500.

The argument of --binding option is eventually passed to the underlying Socket object. If it doesn't do what it is supposed to do, this must be between your Ruby build and your OS. It does work on FreeBSD 5.3 (running instiki.org and rubyonrails.com).

--
Best regards,
Alexey Verkhovsky
Ruby Forum: http://ruby-forum.org (moderator)
RForum: http://rforum.andreas-s.net (co-author)
Instiki: http://instiki.org (maintainer)

Alexey Verkhovsky wrote:
> Chris Roos wrote:
>
>> I should use the binding parameter to achieve this. However, after
>> changing this to 127.0.0.1 (both on the command line and manually in
>> the server ruby file) I can still connect from remote machines direct
>> to <ip>:2500.
>
> The argument of --binding option is eventually passed to the underlying
> Socket object. If it doesn't do what it is supposed to do, this must be
> between your Ruby build and your OS. It does work on FreeBSD 5.3
> (running instiki.org and rubyonrails.com).

Right, I've got a bit more info. The problems I am having are because the FreeBSD that I am running is actually an instance in a Jail. In this case, the Jail only knows about the public IP, it doesn't have access to the Loopback (or any other local) address. As a fix, I have requested that a firewall rule be set up to block access to port 2500 on this IP.

However, it's been suggested that if I could configure the daemon to use Unix Domain Sockets rather than IP sockets that I could get round the current problem. I realise this becomes more of a general Ruby question but just wonder if you know whether it would be at all possible? I'm guessing that the code I'd be interested in lies in the socket.so library?

Thanks for your help,

Chris

Chris Roos wrote:
> However, it's been suggested that if I could configure the daemon to
> use Unix Domain Sockets rather than IP sockets that I could get round
> the current problem.

Admittedly, I don't even know if it's possible to create Unix domain sockets with Ruby :)
Probably it is. Whether it's possible to make WEBrick bind to it, is another interesting question...

You should try to ask about it on Ruby-Talk.

--
Best regards,
Alexey Verkhovsky
Ruby Forum: http://ruby-forum.org (moderator)
RForum: http://rforum.andreas-s.net (co-author)
Instiki: http://instiki.org (maintainer)

Alexey Verkhovsky wrote:
> Chris Roos wrote:
>
>> However, it's been suggested that if I could configure the daemon to
>> use Unix Domain Sockets rather than IP sockets that I could get round
>> the current problem.
>
> Admittedly, I don't even know if it's possible to create Unix domain
> sockets with Ruby :)
> Probably it is. Whether it's possible to make WEBrick bind to it, is
> another interesting question...
>
> You should try to ask about it on Ruby-Talk.

Thanks for your help Alexey. I've just posted a question on ruby-talk now.

Chris
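
Added example, not part of the original thread and not Instiki's or WEBrick's code: a Ruby sketch of the two ideas discussed above, checking after bind that a listener asked to use 127.0.0.1 really ended up on a loopback address, and creating a Unix domain socket in an owner-only directory instead. The function names and the `wiki.sock` file name are hypothetical, and it assumes the effective address is visible through getsockname(2).

```ruby
require 'socket'
require 'tmpdir'

# Bind a TCP listener, then read back the address the kernel actually gave
# the socket. Raises instead of serving when that address is not loopback,
# which is the symptom in the thread (127.0.0.1 requested, public IP served).
# Assumption: the effective address is visible through getsockname(2).
def bind_loopback_or_fail(port, host = '127.0.0.1')
  server = TCPServer.new(host, port)
  actual = server.local_address # Addrinfo built from getsockname(2)
  return server if actual.ipv4_loopback? || actual.ipv6_loopback?

  server.close
  raise "requested #{host} but socket is bound to #{actual.ip_address}"
end

# Alternative with no IP address involved: a Unix domain socket placed in a
# directory that only its owner can enter, so remote hosts cannot reach it.
# `name` is a hypothetical file name chosen for this example.
def bind_unix_private(dir, name = 'wiki.sock')
  File.chmod(0o700, dir)
  path = File.join(dir, name)
  File.unlink(path) if File.socket?(path) # stale socket from an earlier run
  [UNIXServer.new(path), path]
end

if __FILE__ == $PROGRAM_NAME
  tcp = bind_loopback_or_fail(0) # port 0: let the kernel pick a free port
  puts "TCP listener on #{tcp.local_address.inspect_sockaddr}"
  tcp.close

  Dir.mktmpdir('wiki') do |dir|
    unix, path = bind_unix_private(dir)
    client = UNIXSocket.new(path)
    peer = unix.accept
    client.write('ping')
    client.close
    puts "Unix socket #{path} received #{peer.read.inspect}"
    peer.close
    unix.close
  end
end
```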