[SERVER-9137] Disable web interface by default Created: 26/Mar/13  Updated: 02/Jan/14  Resolved: 03/Jun/13

Status: Closed
Project: Core Server
Component/s: HTTP Console, Security
Affects Version/s: None
Fix Version/s: 2.5.1

Type: Task Priority: Major - P3
Reporter: Spencer Brody (Inactive) Assignee: Andreas Nilsson
Resolution: Done Votes: 2
Labels: buildbot
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Participants:

Description

In our security documentation we recommend running with --nohttpinterface for any users who are concerned with security. We should do that by default whenever the server is running with --auth or --keyFile (or just change the default globally).
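As an added illustration of the default this ticket changes (example code written for this page, not MongoDB project code): the audit below takes a mongod command line and a server version and reports whether the HTTP status interface is effectively on, applying the pre-2.5.1 rule (on unless --nohttpinterface) or the post-fix rule (off unless --httpinterface), and flags the combination the description calls out, an exposed interface on a server running with --auth or --keyFile. The HTTP port being the mongod port plus 1000 (28017 by default) and --keyFile implying --auth are assumptions taken from mongod's conventional behaviour, not from this ticket.

```python
"""Audit a mongod command line for an exposed HTTP status interface.

Added example for SERVER-9137; not MongoDB project code.  Models the default
change the ticket made: before 2.5.1 the HTTP interface listened unless
--nohttpinterface was given; from 2.5.1 it is off unless --httpinterface is.
Assumptions (not from the ticket): the HTTP port is mongod's port + 1000, and
--keyFile implies --auth.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FIX_VERSION = (2, 5, 1)      # Fix Version/s of the ticket
DEFAULT_PORT = 27017         # mongod default listening port
HTTP_PORT_OFFSET = 1000      # assumption: HTTP status port = mongod port + 1000


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.6.0-rc1' -> (2, 6, 0); any pre-release suffix is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def _flag_value(argv: List[str], flag: str) -> Optional[str]:
    """Value of `flag` given as '--flag val' or '--flag=val', else None."""
    for i, tok in enumerate(argv):
        if tok == flag and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith(flag + "="):
            return tok.split("=", 1)[1]
    return None


def http_interface_enabled(argv: List[str], version: str) -> bool:
    """Effective state of the HTTP interface for this argv and server version."""
    if "--nohttpinterface" in argv:      # explicit opt-out, valid on every version
        return False
    if "--httpinterface" in argv:        # explicit opt-in, introduced by this ticket
        return True
    # No explicit flag: the default depends on whether this version has the fix.
    return parse_version(version) < FIX_VERSION


@dataclass
class HttpAudit:
    http_enabled: bool
    auth_enabled: bool
    rest_enabled: bool
    http_port: int
    findings: List[str] = field(default_factory=list)


def audit_mongod(cmdline: str, version: str) -> HttpAudit:
    """Evaluate one mongod command line; findings are empty when nothing is exposed."""
    argv = shlex.split(cmdline)
    port = int(_flag_value(argv, "--port") or DEFAULT_PORT)
    audit = HttpAudit(
        http_enabled=http_interface_enabled(argv, version),
        # Assumption: --keyFile implies --auth (members authenticate with the key).
        auth_enabled="--auth" in argv or _flag_value(argv, "--keyFile") is not None,
        rest_enabled="--rest" in argv,
        http_port=port + HTTP_PORT_OFFSET,
    )
    if audit.http_enabled:
        audit.findings.append(
            f"HTTP status interface listens on port {audit.http_port}; "
            "pass --nohttpinterface (or drop --httpinterface) unless it is needed")
    if audit.http_enabled and audit.auth_enabled:
        audit.findings.append(
            "access control is on but the HTTP interface is still exposed; "
            "the ticket recommends --nohttpinterface for such servers")
    if audit.rest_enabled:
        audit.findings.append("--rest is set; the REST interface is off by default")
    return audit


if __name__ == "__main__":
    # Constructed sample command lines, one from before the fix and one after.
    for cmd, ver in [("mongod --dbpath /data/db --auth", "2.4.9"),
                     ("mongod --dbpath /data/db --auth", "2.5.1")]:
        result = audit_mongod(cmd, ver)
        print(ver, cmd, "->", result.findings or ["ok"])
```

Running the same `--auth` command line against 2.4.9 and 2.5.1 shows the point of the ticket: the flags are identical, only the default moved, so a configuration audit has to know the server version to judge whether the interface is listening.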



Comments
Comment by auto [ 27/Jun/13 ]

Author:

{u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}

Message: SERVER-9137 Test of new httpinterface parameter
Branch: master
https://github.com/mongodb/mongo/commit/eed9f7d6bfe906f906df39765550a103c3764fd6

Comment by auto [ 31/May/13 ]

Author:

{u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}

Message: SERVER-9137 Added --httpinterface flag to mongod smoke tests
Branch: master
https://github.com/mongodb/mongo/commit/f844ed02b1df1b54ea96b6e902cb7ab0663612d8

Comment by Eliot Horowitz (Inactive) [ 31/May/13 ]

There are a lot of tools that rely on it, so removing it isn't really an option.

Comment by Dwight Merriman [ 31/May/13 ]

default to disabled seems reasonable to me. this feels pretty safe as it's administrative so if you upgrade and find it off, well, you'll figure it out.

that said, the original intent was that the data in the http display was fundamentally read-only, and not incredibly indicative of content, and thus while presumably that port is blocked to the world, if it weren't, the consequences would be medium at most. that was the intent. and that's why --rest defaults to off.

so this sounds ok to me but, should we just get rid of it? is everything it shows available in other tooling? seems simpler long term.

i suppose if it defaults to off, it sort of is gone...non-defaults aren't going to be used all that often unless really important.

Comment by Andreas Nilsson [ 30/May/13 ]

tad all the tests currently seem to run with the same mongod instance. I think it requires some refactoring of smoke.py to run httpClientTest with a specific config.

Comment by Tad Marshall [ 30/May/13 ]

milkie I don't think changing smoke.py to cover up the change in default is a good idea. That would be a fast way to get things running again, but it would make future dependencies on httpinterface "work by accident" which I don't think we want.

Comment by Andreas Nilsson [ 30/May/13 ]

Fixed the broken build and added another test for the new --httpinterface option. Codereview http://codereview.10gen.com/10818017/ updated.

Comment by Eric Milkie [ 30/May/13 ]

This broke the build.
http://buildbot.mongodb.org/builders/Linux%2064-bit/builds/5438/steps/test_7/logs/stdio

We have a test that tests the http interface – looks like you need to change buildscripts/smoke.py to start mongod with the new flag.

Comment by Andreas Nilsson [ 29/May/13 ]

Interface change so this needs QA

Comment by auto [ 29/May/13 ]

Author:

{u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}

Message: SERVER-9137 Disable internal web interface by default
Branch: master
https://github.com/mongodb/mongo/commit/4e53ef60ef44a74114f7d5acc0b15f2ff9d477cf
