Circus is built on the top of the ZeroMQ library and comes with no security at all in its protocols. However, you can run a Circus system on a server and set up an SSH tunnel to access it from another machine.

This section explains what Circus does on your system when you run it, and ends up describing how to use an SSH tunnel.

You can also read http://www.zeromq.org/area:faq#toc5

TCP ports

By default, Circus opens the following TCP ports on the local host:

  • 5555 – the port used to control circus via circusctl
  • 5556 – the port used for the Publisher/Subscriber channel.
  • 5557 – the port used for the statistics channel – if activated.
  • 8080 – the port used by the Web UI – if activated.

These ports allow client apps to interact with your Circus system, and depending on how your infrastructure is organized, you may want to protect these ports via firewalls or configure Circus to run using IPC ports.

Here’s an example of running Circus using only IPC entry points:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

When Configured using IPC, the commands must be run from the same box, but no one can access them from outside, unlike using TCP. The commands must also be run as a user that has write access to the ipc socket paths. You can modify the owner of the endpoint using the endpoint_owner config option. This allows you to run circusd as the root user, but allow non-root processes to send commands to circusd. Note that when using endpoint_owner, in order to prevent non-root processes from being able to start arbitrary processes that run with greater privileges, the add command will enforce that new Watchers must run as the endpoint_owner user. Watcher definitions in the local config files will not be restricted this way.

Of course, if you activate the Web UI, the 8080 port will still be open.

circushttpd

When you run circushttpd manually, or when you use the httpd option in the ini file like this:

[circus]

check_delay = 5

endpoint = ipc:///var/circus/endpoint

pubsub_endpoint = ipc:///var/circus/pubsub

stats_endpoint = ipc:///var/circus/stats

httpd = 1

The web application will run on port 8080 and will let anyone accessing the web page manage the circusd daemon.

That includes creating new watchers that can run any command on your system !

Do not make it publicly available

If you want to protect the access to the web panel, you can serve it behind Nginx or Apache or any proxy-capable web server, that can take care of the security.

User and Group Permissions

By default, all processes started with Circus will be running with the same user and group as circusd. Depending on the privileges the user has on the system, you may not have access to all the features Circus provides.

For instance, some statistics features on a running processes require extended privileges. Typically, if the CPU usage numbers you get using the stats command are N/A, it means your user can’t access the proc files. This will be the case by default under Mac OS X.

You may run circusd as root to fix this, and set the uid and gid values for each watcher to get all the features.

But beware that running circusd as root exposes you to potential privilege escalation bugs. While we’re doing our best to avoid any bugs, running as root and facing a bug that performs unwanted actions on your system may be dangerous.

The best way to prevent this is to make sure that the system running Circus is completely isolated (like a VM) or to run the whole system under a controlled user.

SSH tunneling

Clients can connect to a circusd instance by creating an SSH tunnel. To do so, pass the command line option –ssh followed by user@address, where user is the user on the remote server and address is the server’s address as seen by the client. The SSH protocol will require credentials to complete the login.

If circusd as seen by the SSH server is not at the default endpoint address localhost:5555 then specify the circusd address using the option –endpoint

Secured setup example

Setting up a secured Circus server can be done by:

  • Running an SSH Server
  • Running Apache or Nginx on the 80 port, and doing a reverse-proxy on the 8080 port.
  • Blocking the 8080 port from outside access.
  • Running all ZMQ Circusd ports using IPC files instead of TCP ports, and tunneling all calls via SSH.

circus security 来自官方的安全建议的更多相关文章

  1. 关于华为否认HKSP来自官方的一点看法

    今天刷手机,无意看到一则消息: 华为否认提交给 Linux 内核的不安全补丁 HKSP 来自官方 这个消息吸引我的原因有几点: 华为被制裁刚满一年,现在由于新冠疫情影响,感觉又处于很敏感的时期: 华为 ...

  2. edgedb-js 来自官方的js 驱动

    目前对于edgedb 主要还是来自官方的python驱动,目前js 版本的已经快发布了,代码在github 可以看到了 同时官方文档也提供了一个关于edgedb 内部的协议说明,结合js 驱动以及文档 ...

  3. cube.js 学习(十)cube 来自官方的学习网站

    尽管cube.js 包含了一个doc 站点,但是资料不是很全,同时如果查看了cube github 代码中的一些demo的话,发现还是很不错的 但是一些实践没有在文档展现出来,还好我们可以从cube ...

  4. 【Docker】来自官方映像的 6 个 Dockerfile 技巧

    本文将根据我从官方镜像学到的经验,讲解编写Dockerfile的技巧.   1. 选择Debian  官方镜像的大多数Dockerfile,不管是直接还是通过其他镜像,都是基于Debian的.Dock ...

  5. Terracotta设计原理分析--(部分内容来自官方描述)

    因为工作中历史产品采用了terracotta作为分布式缓存线性扩展平台,因此不得不提前对其原理做了相关了解,当然其中很多的设计思想和oracle.memcached的设计相似,但也有自己的亮点,那就是 ...

  6. go-elasticsearch 来自官方的 golang es client

    elasticsearch 终于有了官方的golang sdk 了,地址 https://github.com/elastic/go-elasticsearch 当前还不稳定,同时主要是对于es7 的 ...

  7. 来自官方的一些dbt 最佳实践

    限制对原始数据的依赖性 您的项目将取决于存储在数据库中的原始数据.我们建议制作所谓的“基本模型”,以最大限度地减少对原始数据表的依赖性.在此约定中,基本模型可以具有以下职责: 仅选择与当前分析相关的字 ...

  8. Mysql数据类型 来自官方手册5.6

    整形的取值范围:   定点数值(精确): 在MySQL中,NUMERIC被实现为DECIMAL,所以关于DECIMAL的以下说明同样适用于NUMERIC. MySQL以二进制格式存储DECIMAL值. ...

  9. 用Python操作Excel2007 及以上的版本读写,来自官方的Demo

    大牛请略过,新手可以参考,具体见下面的代码注释, 另外一个问题,想学习这个语言,最好还是英语牛一些,可以去官网多看看有用的类库,汉语的资料不是很全 #运行环境 3.4,下面这个操作Excel的包是针对 ...

随机推荐

  1. 一个Java程序员该有的良好品质

    一.前言 多年来,在IT领域,从一个普通的程序员到一个技术主管,再到一个技术经理,再到一个技术主管,他们践踏了许多坑,劳累了许多课程,还背着许多罐子.在提高他们的技术和管理能力的同时,他们一直在考虑如 ...

  2. SSM前后端分离 ssm+html+js(ajax) 这种controll层的返回值是结合或者网址

    提示: 1.单表查询多条数据用 list<实体类名字> mapper层 1.1单表查询单条数据用  对象 2.两表关联查多条 list<map<String,Object> ...

  3. Java中强大的format

    Java中强大的format Java中允许我们对指定的对象进行某种格式化,从而得到我们想要的格式化样式. Format 首先介绍java.text包中的Format Foramt是一个抽象基类,其具 ...

  4. Java 读取控制台输入

    方式1:InputStreamReader+BufferedReader package my_package; import java.io.BufferedReader; import java. ...

  5. 【RAC】 RAC For W2K8R2 安装--共享磁盘的配置(三)

    [RAC] RAC For W2K8R2 安装--共享磁盘的配置(三) 一.1  BLOG文档结构图 一.2  前言部分 一.2.1  导读 各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学 ...

  6. H3C 802.11 MAC层工作原理

  7. 如何使用Mojave将APFS卷上的MacOS Catalina Beta安装到双引导

    如果你想与macOS Mojave或macOS High Sierra一起运行MacOS Catalina Beta,你可以通过向Mac添加一个新的APFS卷来实现这一点,如果该Macs硬盘被格式化为 ...

  8. Pods

    Pods Pod概念 Pod是kubernetes集群应用中的创建和部署的最小.最简单的kubernetes对象模型单元的基本执行单元.Pod表示在集群中运行的进程. Pod 封装了应用程序的容器(一 ...

  9. wget详解

    wget命令用来从指定的URL下载文件.wget非常稳定,它在带宽很窄的情况下和不稳定网络中有很强的适应性,如果是由于网络的原因下载失败,wget会不断的尝试,直到整个文件下载完毕.如果是服务器打断下 ...

  10. saltstack安装使用

    官网地址:https://docs.saltstack.com/en/latest/ 安装 saltstack 1. ​ sudo yum install https://repo.saltstack ...