#pedestal
2022-05-22
simongray 11:05:41

I run a Pedestal+Jetty service on a production Linux server with a reverse proxy in front of it (Caddy) exposing the service on the Internet through ports 80/443. When I create the service, I can either use the value "0.0.0.0" or "127.0.0.1" for the ::http/host key in the service map. Using "0.0.0.0" provides some advantages during development on my Mac (no reverse proxy involved), since I can then access the website served by the Pedestal service using my phone to test out how it looks on a phone. This is not possible if I use "127.0.0.1", so I definitely want to use "0.0.0.0" during dev. However, I am unsure whether this is a bad idea for the production server. I have tried reading up on this, but networking is to me a domain that is so incredibly jargon-heavy, while also being fairly orthogonal to what I spend the rest of my time on, that I really can't make heads or tails of what I am reading.

jkxyz 14:05:40

You generally want to limit the number of processes which are listening for connections from the public internet. So if you have Caddy in front of your service, then the service only needs to listen on 127.0.0.1, and it therefore can't receive malicious connection attempts which circumvent Caddy. The localhost interface is not exposed to the public internet at all. This is more about security in depth, though, since you probably have a firewall which is whitelisting ports 80/443.

simongray 15:05:57

Ok, thanks a lot. 🙂

tomekw 09:05:26

I think the best idea is to either set :http/host based on some config variable (`ENV=prod` vs `ENV=dev`) or always use 127.0.0.1 and use something like ngrok to expose your local env when needed. I guess the latter is a better idea.