Circus is built on the top of the ZeroMQ library and comes with no security at all in its protocols. However, you can run a Circus system on a server and set up an SSH tunnel to access it from another machine.

This section explains what Circus does on your system when you run it, and ends up describing how to use an SSH tunnel.

You can also read http://www.zeromq.org/area:faq#toc5

TCP ports

By default, Circus opens the following TCP ports on the local host:

  • 5555 – the port used to control circus via circusctl
  • 5556 – the port used for the Publisher/Subscriber channel.
  • 5557 – the port used for the statistics channel – if activated.
  • 8080 – the port used by the Web UI – if activated.

These ports allow client apps to interact with your Circus system, and depending on how your infrastructure is organized, you may want to protect these ports via firewalls or configure Circus to run using IPC ports.

Here’s an example of running Circus using only IPC entry points:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

When Configured using IPC, the commands must be run from the same box, but no one can access them from outside, unlike using TCP. The commands must also be run as a user that has write access to the ipc socket paths. You can modify the owner of the endpoint using the endpoint_owner config option. This allows you to run circusd as the root user, but allow non-root processes to send commands to circusd. Note that when using endpoint_owner, in order to prevent non-root processes from being able to start arbitrary processes that run with greater privileges, the add command will enforce that new Watchers must run as the endpoint_owner user. Watcher definitions in the local config files will not be restricted this way.

Of course, if you activate the Web UI, the 8080 port will still be open.

circushttpd

When you run circushttpd manually, or when you use the httpd option in the ini file like this:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

httpd = 1

The web application will run on port 8080 and will let anyone accessing the web page manage the circusd daemon.

That includes creating new watchers that can run any command on your system !

Do not make it publicly available

If you want to protect the access to the web panel, you can serve it behind Nginx or Apache or any proxy-capable web server, that can take care of the security.

User and Group Permissions

By default, all processes started with Circus will be running with the same user and group as circusd. Depending on the privileges the user has on the system, you may not have access to all the features Circus provides.

For instance, some statistics features on a running processes require extended privileges. Typically, if the CPU usage numbers you get using the stats command are N/A, it means your user can’t access the proc files. This will be the case by default under Mac OS X.

You may run circusd as root to fix this, and set the uid and gid values for each watcher to get all the features.

But beware that running circusd as root exposes you to potential privilege escalation bugs. While we’re doing our best to avoid any bugs, running as root and facing a bug that performs unwanted actions on your system may be dangerous.

The best way to prevent this is to make sure that the system running Circus is completely isolated (like a VM) or to run the whole system under a controlled user.

SSH tunneling

Clients can connect to a circusd instance by creating an SSH tunnel. To do so, pass the command line option –ssh followed by user@address, where user is the user on the remote server and address is the server’s address as seen by the client. The SSH protocol will require credentials to complete the login.

If circusd as seen by the SSH server is not at the default endpoint address localhost:5555 then specify the circusd address using the option –endpoint

Secured setup example

Setting up a secured Circus server can be done by:

  • Running an SSH Server
  • Running Apache or Nginx on the 80 port, and doing a reverse-proxy on the 8080 port.
  • Blocking the 8080 port from outside access.
  • Running all ZMQ Circusd ports using IPC files instead of TCP ports, and tunneling all calls via SSH.

circus security 来自官方的安全建议的更多相关文章

  1. 关于华为否认HKSP来自官方的一点看法

    今天刷手机,无意看到一则消息: 华为否认提交给 Linux 内核的不安全补丁 HKSP 来自官方 这个消息吸引我的原因有几点: 华为被制裁刚满一年,现在由于新冠疫情影响,感觉又处于很敏感的时期: 华为 ...

  2. edgedb-js 来自官方的js 驱动

    目前对于edgedb 主要还是来自官方的python驱动,目前js 版本的已经快发布了,代码在github 可以看到了 同时官方文档也提供了一个关于edgedb 内部的协议说明,结合js 驱动以及文档 ...

  3. cube.js 学习(十)cube 来自官方的学习网站

    尽管cube.js 包含了一个doc 站点,但是资料不是很全,同时如果查看了cube github 代码中的一些demo的话,发现还是很不错的 但是一些实践没有在文档展现出来,还好我们可以从cube ...

  4. 【Docker】来自官方映像的 6 个 Dockerfile 技巧

    本文将根据我从官方镜像学到的经验,讲解编写Dockerfile的技巧.   1. 选择Debian  官方镜像的大多数Dockerfile,不管是直接还是通过其他镜像,都是基于Debian的.Dock ...

  5. Terracotta设计原理分析--(部分内容来自官方描述)

    因为工作中历史产品采用了terracotta作为分布式缓存线性扩展平台,因此不得不提前对其原理做了相关了解,当然其中很多的设计思想和oracle.memcached的设计相似,但也有自己的亮点,那就是 ...

  6. go-elasticsearch 来自官方的 golang es client

    elasticsearch 终于有了官方的golang sdk 了,地址 https://github.com/elastic/go-elasticsearch 当前还不稳定,同时主要是对于es7 的 ...

  7. 来自官方的一些dbt 最佳实践

    限制对原始数据的依赖性 您的项目将取决于存储在数据库中的原始数据.我们建议制作所谓的“基本模型”,以最大限度地减少对原始数据表的依赖性.在此约定中,基本模型可以具有以下职责: 仅选择与当前分析相关的字 ...

  8. Mysql数据类型 来自官方手册5.6

    整形的取值范围:   定点数值(精确): 在MySQL中,NUMERIC被实现为DECIMAL,所以关于DECIMAL的以下说明同样适用于NUMERIC. MySQL以二进制格式存储DECIMAL值. ...

  9. 用Python操作Excel2007 及以上的版本读写,来自官方的Demo

    大牛请略过,新手可以参考,具体见下面的代码注释, 另外一个问题,想学习这个语言,最好还是英语牛一些,可以去官网多看看有用的类库,汉语的资料不是很全 #运行环境 3.4,下面这个操作Excel的包是针对 ...

随机推荐

  1. 用python读取word文件里的表格信息【华为云技术分享】

    在企查查查询企业信息的时候,得到了一些word文件,里面有些控股企业的数据放在表格里,需要我们将其提取出来. word文件看起来很复杂,不方便进行结构化.实际上,一个word文档中大概有这么几种类型的 ...

  2. hystrix简介

    hystrix,框架,提供了高可用相关的各种各样的功能,然后确保说在hystrix的保护下,整个系统可以长期处于高可用的状态,100%. 高可用系统架构: 资源隔离.限流.熔断.降级.运维监控 资源隔 ...

  3. Teamviewer显示“未就绪,请检查您的连接”解决办法

    打开TeamViewer一直提示“未就绪,请检查您的连接”,一直会弹出一个框提示检查网路设置什么. 解决办法:修改DNS为114.114.114.114,然后TeamViewer就显示网络正常. 为什 ...

  4. Redis笔记01——win10 64位系统安装Redis 3.2.100

    前言 由于项目中需要用到Redis,所以先在自己的win10上安装来体验一下. 安装步骤 一.下载地址 Redis下载地址 我选择的是3.2.100 的 64位 zip版本 二.安装位置以及文件简介 ...

  5. 【开发笔记】- 在MySQL中 root账户被锁定怎么办

    MySQL的账户被锁定怎么办? 用Navicat连接数据库报错如下: Access denied for user 'root'@'localhost' (using password:YES) 原因 ...

  6. JavaWeb 之 MVC 开发模式

    MVC 开发模式 一.JSP 演变历史 1. 早期只有servlet,只能使用response输出标签数据,非常麻烦 2. 后来又jsp,简化了Servlet的开发,如果过度使用jsp,在jsp中即写 ...

  7. ORACLE ASMLIB

    ORACLE ASMLIB   This blog post is more of a note for myself on configuring ASMLib. ASMLib is an opti ...

  8. day 21 作业

    定义MySQL类 对象有id.host.port三个属性 定义工具create_id,在实例化时为每个对象随机生成id,保证id唯一 提供两种实例化方式,方式一:用户传入host和port 方式二:从 ...

  9. win10 提示该文件没有与之关联的应用来执行该操作

    将下面代码复制进一个文本文档,然后将文本文档的txt后缀改成bat.双击运行,可以解决问题. 问题发生原因是之前通过注册表去除了桌面图标的快捷方式的小标志. /-------------------- ...

  10. 【Docker】docker的安装和常用命令

    一.docker安装和启动 1.yum 命令 yum install docker 2.docker启动命令 sudo systemctl start docker 二.docker常用命令 dock ...