Circus is built on the top of the ZeroMQ library and comes with no security at all in its protocols. However, you can run a Circus system on a server and set up an SSH tunnel to access it from another machine.

This section explains what Circus does on your system when you run it, and ends up describing how to use an SSH tunnel.

You can also read http://www.zeromq.org/area:faq#toc5

TCP ports

By default, Circus opens the following TCP ports on the local host:

  • 5555 – the port used to control circus via circusctl
  • 5556 – the port used for the Publisher/Subscriber channel.
  • 5557 – the port used for the statistics channel – if activated.
  • 8080 – the port used by the Web UI – if activated.

These ports allow client apps to interact with your Circus system, and depending on how your infrastructure is organized, you may want to protect these ports via firewalls or configure Circus to run using IPC ports.

Here’s an example of running Circus using only IPC entry points:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

When Configured using IPC, the commands must be run from the same box, but no one can access them from outside, unlike using TCP. The commands must also be run as a user that has write access to the ipc socket paths. You can modify the owner of the endpoint using the endpoint_owner config option. This allows you to run circusd as the root user, but allow non-root processes to send commands to circusd. Note that when using endpoint_owner, in order to prevent non-root processes from being able to start arbitrary processes that run with greater privileges, the add command will enforce that new Watchers must run as the endpoint_owner user. Watcher definitions in the local config files will not be restricted this way.

Of course, if you activate the Web UI, the 8080 port will still be open.

circushttpd

When you run circushttpd manually, or when you use the httpd option in the ini file like this:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

httpd = 1

The web application will run on port 8080 and will let anyone accessing the web page manage the circusd daemon.

That includes creating new watchers that can run any command on your system !

Do not make it publicly available

If you want to protect the access to the web panel, you can serve it behind Nginx or Apache or any proxy-capable web server, that can take care of the security.

User and Group Permissions

By default, all processes started with Circus will be running with the same user and group as circusd. Depending on the privileges the user has on the system, you may not have access to all the features Circus provides.

For instance, some statistics features on a running processes require extended privileges. Typically, if the CPU usage numbers you get using the stats command are N/A, it means your user can’t access the proc files. This will be the case by default under Mac OS X.

You may run circusd as root to fix this, and set the uid and gid values for each watcher to get all the features.

But beware that running circusd as root exposes you to potential privilege escalation bugs. While we’re doing our best to avoid any bugs, running as root and facing a bug that performs unwanted actions on your system may be dangerous.

The best way to prevent this is to make sure that the system running Circus is completely isolated (like a VM) or to run the whole system under a controlled user.

SSH tunneling

Clients can connect to a circusd instance by creating an SSH tunnel. To do so, pass the command line option –ssh followed by user@address, where user is the user on the remote server and address is the server’s address as seen by the client. The SSH protocol will require credentials to complete the login.

If circusd as seen by the SSH server is not at the default endpoint address localhost:5555 then specify the circusd address using the option –endpoint

Secured setup example

Setting up a secured Circus server can be done by:

  • Running an SSH Server
  • Running Apache or Nginx on the 80 port, and doing a reverse-proxy on the 8080 port.
  • Blocking the 8080 port from outside access.
  • Running all ZMQ Circusd ports using IPC files instead of TCP ports, and tunneling all calls via SSH.

circus security 来自官方的安全建议的更多相关文章

  1. 关于华为否认HKSP来自官方的一点看法

    今天刷手机,无意看到一则消息: 华为否认提交给 Linux 内核的不安全补丁 HKSP 来自官方 这个消息吸引我的原因有几点: 华为被制裁刚满一年,现在由于新冠疫情影响,感觉又处于很敏感的时期: 华为 ...

  2. edgedb-js 来自官方的js 驱动

    目前对于edgedb 主要还是来自官方的python驱动,目前js 版本的已经快发布了,代码在github 可以看到了 同时官方文档也提供了一个关于edgedb 内部的协议说明,结合js 驱动以及文档 ...

  3. cube.js 学习(十)cube 来自官方的学习网站

    尽管cube.js 包含了一个doc 站点,但是资料不是很全,同时如果查看了cube github 代码中的一些demo的话,发现还是很不错的 但是一些实践没有在文档展现出来,还好我们可以从cube ...

  4. 【Docker】来自官方映像的 6 个 Dockerfile 技巧

    本文将根据我从官方镜像学到的经验,讲解编写Dockerfile的技巧.   1. 选择Debian  官方镜像的大多数Dockerfile,不管是直接还是通过其他镜像,都是基于Debian的.Dock ...

  5. Terracotta设计原理分析--(部分内容来自官方描述)

    因为工作中历史产品采用了terracotta作为分布式缓存线性扩展平台,因此不得不提前对其原理做了相关了解,当然其中很多的设计思想和oracle.memcached的设计相似,但也有自己的亮点,那就是 ...

  6. go-elasticsearch 来自官方的 golang es client

    elasticsearch 终于有了官方的golang sdk 了,地址 https://github.com/elastic/go-elasticsearch 当前还不稳定,同时主要是对于es7 的 ...

  7. 来自官方的一些dbt 最佳实践

    限制对原始数据的依赖性 您的项目将取决于存储在数据库中的原始数据.我们建议制作所谓的“基本模型”,以最大限度地减少对原始数据表的依赖性.在此约定中,基本模型可以具有以下职责: 仅选择与当前分析相关的字 ...

  8. Mysql数据类型 来自官方手册5.6

    整形的取值范围:   定点数值(精确): 在MySQL中,NUMERIC被实现为DECIMAL,所以关于DECIMAL的以下说明同样适用于NUMERIC. MySQL以二进制格式存储DECIMAL值. ...

  9. 用Python操作Excel2007 及以上的版本读写,来自官方的Demo

    大牛请略过,新手可以参考,具体见下面的代码注释, 另外一个问题,想学习这个语言,最好还是英语牛一些,可以去官网多看看有用的类库,汉语的资料不是很全 #运行环境 3.4,下面这个操作Excel的包是针对 ...

随机推荐

  1. HTML5+规范:Geolocation(管理设备位置信息) 定位

    Geolocation模块管理设备位置信息,用于获取地理位置信息,如经度.纬度等.通过plus.geolocation可获取设备位置管理对象.虽然W3C已经提供标准API获取位置信息,但在某些平台存在 ...

  2. 【leetcode-97 动态规划】 交错字符串

    (1过,调试很久) 给定三个字符串 s1, s2, s3, 验证 s3 是否是由 s1 和 s2 交错组成的. 示例 1: 输入: s1 = "aabcc", s2 = " ...

  3. JavaScript变量存储浅析(二)

    Hello,上一篇(http://www.cnblogs.com/souvenir/p/4969399.html)我们简单的分享了JS中的变量存储原理,但是并未结束,我们漏掉了什么. 对了,就是关于对 ...

  4. linux修改当前用户环境变量永久生效

    在linux环境中,修改当前用户环境变量,且永久生效的方法如下. 1,编辑~/.bash_profile文件 1 2 3 # Get the aliases and functions 4 if [ ...

  5. vue中使用echart柱状图

    一: <template> <Layout> <Content> <Card :style="{minHeight:'300px'}"&g ...

  6. JavaScript笔记01_基本操作

    目录 1. JS代码编写的位置 2. 为什么JavaScript中代码要以分号结束 3. 字面量和变量 4. 数据类型 5. 类型装换 6. ++a和a++ 7. 逻辑运算符 8. 相等运算符 9. ...

  7. GNS3、Wireshark、SecureCRT 环境部署

    本次GNS3环境部署教程基于官方推荐的稳定版1.5.4.初次接触此软件,详细的使用方法不是很清楚,所以以此作为学习记录,仅供参考,后期补充. 软件介绍 GNS3 GNS3是一款具有图形化界面可以运行在 ...

  8. 04-JavaScript的操作

    本篇主要介绍获取元素的方法.操作元素.数组和字符串的操作方法.定时器和封闭函数.以及贪吃蛇案例: 一.获取元素的方法 1.document.getElementById:可以使用内置对象documen ...

  9. YES, There is No such thing as a free lunch

    软件行业本身就建立在copy的基础上的,据说视窗both Windows and Mac OS都借鉴了施乐的. 国内的很多的软件质量真的好差呀. https://queue.acm.org/detai ...

  10. moviepy这个版本,除了字幕,基本可用

    只是注意,开头要坚拍,中间要横拍,结尾图左上右下. 哈哈,如果不是这样,那就要调调角度了. from moviepy.editor import * from moviepy.video.tools. ...