Circus is built on the top of the ZeroMQ library and comes with no security at all in its protocols. However, you can run a Circus system on a server and set up an SSH tunnel to access it from another machine.

This section explains what Circus does on your system when you run it, and ends up describing how to use an SSH tunnel.

You can also read http://www.zeromq.org/area:faq#toc5

TCP ports

By default, Circus opens the following TCP ports on the local host:

  • 5555 – the port used to control circus via circusctl
  • 5556 – the port used for the Publisher/Subscriber channel.
  • 5557 – the port used for the statistics channel – if activated.
  • 8080 – the port used by the Web UI – if activated.

These ports allow client apps to interact with your Circus system, and depending on how your infrastructure is organized, you may want to protect these ports via firewalls or configure Circus to run using IPC ports.

Here’s an example of running Circus using only IPC entry points:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

When Configured using IPC, the commands must be run from the same box, but no one can access them from outside, unlike using TCP. The commands must also be run as a user that has write access to the ipc socket paths. You can modify the owner of the endpoint using the endpoint_owner config option. This allows you to run circusd as the root user, but allow non-root processes to send commands to circusd. Note that when using endpoint_owner, in order to prevent non-root processes from being able to start arbitrary processes that run with greater privileges, the add command will enforce that new Watchers must run as the endpoint_owner user. Watcher definitions in the local config files will not be restricted this way.

Of course, if you activate the Web UI, the 8080 port will still be open.

circushttpd

When you run circushttpd manually, or when you use the httpd option in the ini file like this:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

httpd = 1

The web application will run on port 8080 and will let anyone accessing the web page manage the circusd daemon.

That includes creating new watchers that can run any command on your system !

Do not make it publicly available

If you want to protect the access to the web panel, you can serve it behind Nginx or Apache or any proxy-capable web server, that can take care of the security.

User and Group Permissions

By default, all processes started with Circus will be running with the same user and group as circusd. Depending on the privileges the user has on the system, you may not have access to all the features Circus provides.

For instance, some statistics features on a running processes require extended privileges. Typically, if the CPU usage numbers you get using the stats command are N/A, it means your user can’t access the proc files. This will be the case by default under Mac OS X.

You may run circusd as root to fix this, and set the uid and gid values for each watcher to get all the features.

But beware that running circusd as root exposes you to potential privilege escalation bugs. While we’re doing our best to avoid any bugs, running as root and facing a bug that performs unwanted actions on your system may be dangerous.

The best way to prevent this is to make sure that the system running Circus is completely isolated (like a VM) or to run the whole system under a controlled user.

SSH tunneling

Clients can connect to a circusd instance by creating an SSH tunnel. To do so, pass the command line option –ssh followed by user@address, where user is the user on the remote server and address is the server’s address as seen by the client. The SSH protocol will require credentials to complete the login.

If circusd as seen by the SSH server is not at the default endpoint address localhost:5555 then specify the circusd address using the option –endpoint

Secured setup example

Setting up a secured Circus server can be done by:

  • Running an SSH Server
  • Running Apache or Nginx on the 80 port, and doing a reverse-proxy on the 8080 port.
  • Blocking the 8080 port from outside access.
  • Running all ZMQ Circusd ports using IPC files instead of TCP ports, and tunneling all calls via SSH.

circus security 来自官方的安全建议的更多相关文章

  1. 关于华为否认HKSP来自官方的一点看法

    今天刷手机,无意看到一则消息: 华为否认提交给 Linux 内核的不安全补丁 HKSP 来自官方 这个消息吸引我的原因有几点: 华为被制裁刚满一年,现在由于新冠疫情影响,感觉又处于很敏感的时期: 华为 ...

  2. edgedb-js 来自官方的js 驱动

    目前对于edgedb 主要还是来自官方的python驱动,目前js 版本的已经快发布了,代码在github 可以看到了 同时官方文档也提供了一个关于edgedb 内部的协议说明,结合js 驱动以及文档 ...

  3. cube.js 学习(十)cube 来自官方的学习网站

    尽管cube.js 包含了一个doc 站点,但是资料不是很全,同时如果查看了cube github 代码中的一些demo的话,发现还是很不错的 但是一些实践没有在文档展现出来,还好我们可以从cube ...

  4. 【Docker】来自官方映像的 6 个 Dockerfile 技巧

    本文将根据我从官方镜像学到的经验,讲解编写Dockerfile的技巧.   1. 选择Debian  官方镜像的大多数Dockerfile,不管是直接还是通过其他镜像,都是基于Debian的.Dock ...

  5. Terracotta设计原理分析--(部分内容来自官方描述)

    因为工作中历史产品采用了terracotta作为分布式缓存线性扩展平台,因此不得不提前对其原理做了相关了解,当然其中很多的设计思想和oracle.memcached的设计相似,但也有自己的亮点,那就是 ...

  6. go-elasticsearch 来自官方的 golang es client

    elasticsearch 终于有了官方的golang sdk 了,地址 https://github.com/elastic/go-elasticsearch 当前还不稳定,同时主要是对于es7 的 ...

  7. 来自官方的一些dbt 最佳实践

    限制对原始数据的依赖性 您的项目将取决于存储在数据库中的原始数据.我们建议制作所谓的“基本模型”,以最大限度地减少对原始数据表的依赖性.在此约定中,基本模型可以具有以下职责: 仅选择与当前分析相关的字 ...

  8. Mysql数据类型 来自官方手册5.6

    整形的取值范围:   定点数值(精确): 在MySQL中,NUMERIC被实现为DECIMAL,所以关于DECIMAL的以下说明同样适用于NUMERIC. MySQL以二进制格式存储DECIMAL值. ...

  9. 用Python操作Excel2007 及以上的版本读写,来自官方的Demo

    大牛请略过,新手可以参考,具体见下面的代码注释, 另外一个问题,想学习这个语言,最好还是英语牛一些,可以去官网多看看有用的类库,汉语的资料不是很全 #运行环境 3.4,下面这个操作Excel的包是针对 ...

随机推荐

  1. 创建包含CRUD操作的Web API接口4:实现Put方法

    本节教程是前三节的延续,在前面我们创建了Web API和必要的基础设施,也实现了Get和Post方法.接下来,我们将在Web API中实现Put方法. RESTful架构中,HTTP PUT方法用于在 ...

  2. Scala 系列(七)—— 常用集合类型之 Map & Tuple

    一.映射(Map) 1.1 构造Map // 初始化一个空 map val scores01 = new HashMap[String, Int] // 从指定的值初始化 Map(方式一) val s ...

  3. C#字符串基础

    C#字符串基础 1.    字符串的两种创建形式 (1)String A=”cat”; (2)String B=new string{‘a’,4}  .调用类方法,创建一个“aaaa”的字符串 (3) ...

  4. Sqlmap注入工具

    Sqlmap注入工具 http://sqlmap.org/ Sqlmap是国外的一个免费的注入工具,基于python开发,支持现在几乎所有的数据库,支持get.post.cookie注入,可以添加co ...

  5. 【imx6ul应用开发】如何修改串口?

    4.1如何修改串口?答:开发板已经调好了串口驱动,调试串口,只需要修改dts文件即可,客户可以根据实际需要,确定硬件管脚具体用哪一个. 打开内核源代码/arch/arm/boot/dts/myb-y6 ...

  6. 【开发笔记】- 在Windows环境下后台启动redis

    1. 进入 DOS窗口 2. 在进入Redis的安装目录 3. 输入:redis-server --service-install redis.windows.conf --loglevel verb ...

  7. 【转载】华为荣耀V9手机如何设置WiFi热点共享

    有时候我们在电脑的时候发现没有无线网络以及有线网络,如果你的手机有相应网络,并且流量足够(当前很多手机流量套餐都是不限量了),可以开启手机上的Wifi热点进行流量共享使用,开启Wifi流量热点后,电脑 ...

  8. webpack练手项目之easySlide(二):代码分割

    Hello,大家好. 在上一篇 webpack练手项目之easySlide(一):初探webpack  中我们一起为大家介绍了webpack的基本用法,使用webpack对前端代码进行模块化打包. 但 ...

  9. 如何在SAP Cloud Platform上进行第一个integration flow开发

    登录SAP Cloud Platform integration tenant,点击Edit图标: 创建一个新的Content package: 保存content package后,点击artifa ...

  10. mariadb远程授权问题

    安装mariadb后,使用远程连接时 密码没有问题 但是每次打开都报这个错误: 这个错误是在进行远程连接的时候密码正确, 但是,进行远程授权的时候授权密码错误. 在数据库中执行下述代码即可: GRAN ...