
Add support for listening on unix domain sockets

Open squalus opened this issue 3 years ago • 6 comments

Added unix domain socket support for the listen setting.

Added socket_mode setting to change socket permissions.

Example configuration:

listen: /run/vouch-proxy/socket
socket_mode: 0600

squalus, Jul 31 '22 00:07

@squalus thanks for your contributions. Both of these PRs are of interest.

That said, could you please read the README. I see some items worthy of discussion here.

bnfinet, Jul 31 '22 00:07

Added an issue, changelog entry, and unit test

squalus, Jul 31 '22 04:07

@squalus thanks for the fine addition to VP

I've left a few comments inline to the code.

Please do also ensure that the unix socket can be configured via environmental variables and adjust this test accordingly. https://github.com/vouch/vouch-proxy/blob/master/pkg/cfg/cfg_test.go#L129

Cheers!

bnfinet, Aug 12 '22 21:08

One other good addition would be to add a check to the basicTest() to make sure that if cfg.Listen starts with unix: then socket_mode is required and set properly. https://github.com/vouch/vouch-proxy/blob/master/pkg/cfg/cfg.go#L398

Perhaps SocketMode should default to 0600?

In general, VP tries to catch configuration errors and offer clear logging in hopes of helping fellow admins find their way quickly, and avoid support tickets showing up here.

bnfinet, Aug 12 '22 21:08

> One other good addition would be to add a check to the basicTest() to make sure that if cfg.Listen starts with unix: then socket_mode is required and set properly. https://github.com/vouch/vouch-proxy/blob/master/pkg/cfg/cfg.go#L398
>
> Perhaps SocketMode should default to 0600?
>
> In general, VP tries to catch configuration errors and offer clear logging in hopes of helping fellow admins find their way quickly, and avoid support tickets showing up here.

Updated listen() to default SocketMode to 0777. (I'm copying PostgreSQL's defaults)

squalus, Aug 13 '22 19:08

  • Added new settings to the envconfig tests
  • Added socket_group setting for setting group ownership. This is similar to the socket settings PostgreSQL exposes. https://www.postgresql.org/docs/14/runtime-config-connection.html

squalus, Aug 13 '22 19:08

@squalus sorry for the delay in reviewing this PR

I've set a default of socket perms to 0660 somewhat based off of what nginx is doing

https://serverfault.com/questions/437077/what-should-be-proper-permission-of-unix-socket

Thanks again for the fine PR, I'm going to merge and ship

bnfinet, Jan 21 '23 21:01