Just a ping on this ticket

http://dev.rubyonrails.org/ticket/5133

Adds "-a" option to spawner if the installed spawn-fcgi binary allows binding to a custom address. In case it does by default spawner will create fcgi listeners that bind to 127.0.0.1 only instead of the less secure 0.0.0.0.

For single machine setups this adds security if possible, for multi host setups startup scripts will need to be changed explicitly (know it hurts and).

best,
Dee Zsombor

--
Company - http://primalgrasp.com
Thoughts - http://deezsombor.blogspot.com

I'm a bit hesitant to apply a patch that will break my own deployments.

Perhaps it should default to 0.0.0.0 and have the usage mention 'you probably want to use 127.0.0.1?

On 5/26/06, Dee Zsombor <dee.zsombor@gmail.com> wrote:
> Just a ping on this ticket
>
> http://dev.rubyonrails.org/ticket/5133
>
> Adds "-a" option to spawner if the installed spawn-fcgi binary allows
> binding to a custom address. In case it does by default spawner will
> create fcgi listeners that bind to 127.0.0.1 only instead of the less
> secure 0.0.0.0.
>
> For single machine setups this adds security if possible, for multi host
> setups startup scripts will need to be changed explicitly (know it hurts
> and).
>
> best,
> Dee Zsombor
>
> --
> Company - http://primalgrasp.com
> Thoughts - http://deezsombor.blogspot.com

--
Cheers

Koz

Yes indeed it breaks non single machine setups, but since they are fewer (and probably better maintained) I've considered that opting for the safest choice by default would serve the most.

Added a second patch with your observations, that keeps the 0.0.0.0 default and only advises bind to localhost. Who is attentive enough will make the switch, as at least there would be a way to use non public addresses.

Michael Koziarski wrote:
> I'm a bit hesitant to apply a patch that will break my own deployments.
>
> Perhaps it should default to 0.0.0.0 and have the usage mention 'you
> probably want to use 127.0.0.1?
>
> On 5/26/06, Dee Zsombor <dee.zsombor@gmail.com> wrote:
>> Just a ping on this ticket
>>
>> http://dev.rubyonrails.org/ticket/5133
>>
>> Adds "-a" option to spawner if the installed spawn-fcgi binary allows
>> binding to a custom address. In case it does by default spawner will
>> create fcgi listeners that bind to 127.0.0.1 only instead of the less
>> secure 0.0.0.0.
>>
>> For single machine setups this adds security if possible, for multi host
>> setups startup scripts will need to be changed explicitly (know it hurts
>> and).
>>
>> best,
>> Dee Zsombor

--
Company - http://primalgrasp.com
Thoughts - http://deezsombor.blogspot.com
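
An added example, not part of the original thread or of the patches on the ticket: a Ruby check over `ss -ltn` output that separates fcgi listeners bound to the wildcard address from those bound to loopback or to one chosen interface. The sample output, the 8000..8004 port range and all function names are assumptions made for illustration.

```ruby
require "ipaddr"

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = <<~OUT
  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
  LISTEN  0       128     0.0.0.0:8000        0.0.0.0:*
  LISTEN  0       128     127.0.0.1:8001      0.0.0.0:*
  LISTEN  0       128     10.0.0.5:8002       0.0.0.0:*
  LISTEN  0       128     [::]:8003           [::]:*
  LISTEN  0       128     *:8004              *:*
  LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
OUT

FCGI_PORTS = (8000..8004).freeze  # assumed port range for the fcgi listeners
WILDCARDS = ["0.0.0.0", "::", "*"].freeze
LOOPBACK_NETS = [IPAddr.new("127.0.0.0/8"), IPAddr.new("::1/128")].freeze

# Split "addr:port" on the last colon; drop IPv6 brackets and any %zone suffix.
def split_local(field)
  host, _, port = field.rpartition(":")
  [host.delete("[]").sub(/%.*\z/, ""), port]
end

# :wildcard = reachable on every interface, :loopback = local only,
# :specific = one chosen interface (the multi-host case from the thread).
def classify(host)
  return :wildcard if WILDCARDS.include?(host)
  ip = IPAddr.new(host)
  LOOPBACK_NETS.any? { |net| net.include?(ip) } ? :loopback : :specific
rescue IPAddr::Error
  :unknown
end

# Returns one hash per LISTEN socket whose port falls inside `ports`.
def audit_listeners(ss_output, ports = FCGI_PORTS)
  ss_output.each_line.map do |line|
    cols = line.split
    next unless cols[0] == "LISTEN" && cols[3]
    host, port = split_local(cols[3])
    next unless port =~ /\A\d+\z/ && ports.cover?(port.to_i)
    { port: port.to_i, host: host, bind: classify(host) }
  end.compact
end

# Ports that accept connections on all interfaces.
def exposed_ports(ss_output, ports = FCGI_PORTS)
  audit_listeners(ss_output, ports).select { |l| l[:bind] == :wildcard }.map { |l| l[:port] }
end
```

On a live host, pass the output of `ss -ltn` in place of the constructed sample; a non-empty result from `exposed_ports` on a single-machine setup means the listeners are reachable from other hosts unless a firewall blocks them.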