Binding IP for nodejs

[scoopex]

This snap package provides the possibility to bind mongodb to a specific ip address using the parameter "mongodb-bind-ip. It would be great to bind also "nodejs" to a specific ip.

From a security point of view it would be good to have "127.0.0.1" as default in both cases.

[xet7]

@scoopex

Is this something different than URL settings or other settings keys ?

[scoopex]

I reviewed the sources of the package, but the only parameter i discovered "wekan root-url" which might be suitable was not able to limit the listen port to 127.0.0.01.

# snap install wekan
wekan 0.30 from 'xet7' installed
# netstat -nlp|grep node
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      50371/node      
# snap set wekan root-url=http://127.0.0.1
# systemctl restart snap.wekan.wekan
# netstat -nlp|grep node
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      50483/node     

[xet7]

@scoopex

For localhost it should be http://localhost .

For running on port 80 you would need to to give permission to bind to lower ports:
https://github.com/wekan/wekan-maintainer/blob/master/virtualbox/node-allow-port-80.sh

I don't know is it possible to bind to port 80 inside snap. It does work in source installs like with VirtualBox at https://wekan.xet7.org .

Usually root-url is setup to IP address like http://192.168.10.100 or domain name like http://example.com .

Another way is to have Caddy or Nginx proxy in front of Wekan, there is examples at Wekan GitHub wiki.

[xet7]

@scoopex

In settings keys there is port option to change port.

[scoopex]

But setting "port" to "127.0.0.1:8080" haven't resulted in a listen on loopback.

It should look like this :-)

$ netstat -nlp
tcp        0      0 127.0.0.1:8080           0.0.0.0:*               LISTEN      50483/node 

[kubiko]

I believe this is controlled by MONGO_URL env value on nodejs side.

In case of wekan snap, when you set "MONGODB_BIND_IP" this will result in two actions:

• modifies way mongo is started, if you use external IP mongo should not start at all, if you use socket, it will tell mongo to also expose socket
• it will export this value as MONGODB_URL so nodejs knows where to look for mongo

This might look complicated but logic behind was that you can freely configure wekan snap for your setup. Then mongo can be shared with different snap(s) (e.g. rocket chat). In this case it's better to run one instance, rather each snap having own independent mongo. If I remember right, there might be way for wekan and rocket share users like this….
Also it allows using unix socket which is created in writable path of wekan's sandbox. This option is then lot safer and if you can tell mongo not to listen on loopback at all, it will be even more safe. Either way if you set MONGODB_URL to unix socket I think nodejs will use it and ignore everything else….
Using unix socket is BTW default behaviour for wekan snap

[scoopex]

MongoDB is not in the focus of what i am requesting.
I just want to bind nodejs on 127.0.0.1:8080 to prevent access from the network of the wekan host.

If nodejs is bound to 127.0.0.1:8080 i can use caddy, apache or nginx to provide secure access to wekan. This prevents bypass access i.e. without ssl encryption to wekan.

[scoopex]

It is still not possible to limit the listen ip to 127.0.0.1:5000 to prevent direct connections to nodejs from network without using iptables.

[kubiko]

I have test build with caddy support build inside. I'm still waiting for snapd to land some extra changes
You can test snap from here:
https://launchpad.net/~ondrak/+snap/wekan-ondra-devel/+build/102386
once download install as:
$ snap install wekan_xxxxxx.snap —dangerous

[huornlmj]

+1 on rebinding node to 127.0.0.1. It's normally how you shunt nginx / apache reverse proxy over to it - locally only, and the reverse proxy is only what's reachable from the network. I'm using iptables to prevent visitors accessing the port 8080 node instance until this is a configurable item

[kubiko]

@huornlmj @scoopex I'm not familiar with node how to make it bind only on localhost.
I have now changes ready for landing which will simply modify port on which node is exposed and on which caddy will pick it up. Caddy will then bind on port node was originally to be...
Of course this still wont stop access to wekan on port where caddy is binding to node ( default is 3001).
Is there any setting to make node, restricted only to local host?
Or even better can node <> caddy bind on unix socket?

[kubiko]

Looks like this is simple config for server.listen(,);
where hostname would be "localhost"
If you give me env variable can set, then this would be 5min job. Same way we alter port, which is 'PORT' env variable.
@xet7 any idea who could make change in wekan itself?

[xet7]

@kubiko

Anyone can add changes to Wekan as pull requests to devel branch. I have not yet looked where that server.listen is defined, but it could be set in environment variable when correct place in code is found. I check those pull requests from wekan/wekan repo and merge them to Wekan. I could also add the change if I find the correct place to add it.

Generally all settings need to be able to be set as environment variables for future integrations to other platforms.

[fettfoen]

I just want to ask or try to understand why the main application wekan (or the nodejs webserver) cant bind on 127.0.0.1. I installed wekan via snap and and changed the bind port, but cant change the bind-IP. Wekan/Node is still listening on 0.0.0.0:3001 and not 127.0.0.1:3001.

The problem now, my wekan is reachable via 80, 443 and 3001. Port 80 ist redirected to 443 via nginx, that works fine. But wekan is also reachable via wekan.example.com:3001 (no https!). So you can bypass the encryption.

Any idea how to bind-ip on 127.0.0.1?

[xet7]

@fettfoen

Wekan could bind to localhost, if someone looks at code, figures out how, and submits pull request.

I'm just thinking, don't you use any firewall on your server? So only http/https/ssh would be exposed? Like for example:

sudo apt-get install ufw
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
sudo ufw enable

[huornlmj]

It would be safer to leave it bound to localhost on a high order port (denoting that it's not running as a privileged user) and using a reverse proxy instead like apache or nginx which would take care of TLS also.

[fettfoen]

Thanks for your answer! Sorry i forgot to write that i handle this "behavior" with a firewall. Im just opening 80 and 443. But it would be nice to bind-IP on localhost.

Thanks for your work!

[xet7]

@huornlmj

Wekan runs in strict sandboxing of Snap, code directories are read-only, and only modifiable directory is /var/snap/wekan/common where is Caddyfile and database files. Wekan Snap includes Caddy that provides easy Let's Encrypt and other cert SSL.

For running Wekan without sandboxing of Snap/Docker/Sandstorm, node only needs this bind capability, not full root:
https://github.com/wekan/wekan/blob/master/releases/virtualbox/node-allow-port-80.sh#L1

@fettfoen

For "nice to have" issues like binding on localhost, those are usually fixed by anyone in Wekan Community, like a good first issue for beginner programmer, using code search like this:

git clone https://github.com/wekan/wekan
cd wekan
./find.sh port

For snap, files are at snapcraft.yaml and directory snap-src.

[anlx-sw]

i just installed wekan snap after a reverse proxy.
i noticed it is running on 0.0.0.0 instead of 127.0.0.1 as I'm used to and it is security best practice (there might be issues with the firewall so a localhost bind is the safer way).

so i googled and found this github issue. +1 from me for it ;-)

It would be nice and good security hygiene to be able to set the bind ip to 127.0.0.1 via a snap set .

[noor-alghamdi]

It would be safer to leave it bound to localhost on a high order port (denoting that it's not running as a privileged user) and using a reverse proxy instead like apache or nginx which would take care of TLS also.

hello @huornlmj
I'm trying to help ,
for you application to be binded on port 8080 you can set the url and the port like:
snap set wekan root-url='https://example.com'
snap set wekan port='8080'
I'm running my aplpication like this,

in a separte layer I'm adding nginx service that pointed on the app server which will contain wekan with above configuration. :)

I hope it's useful for you,

[Lucky-Shi]

hello@xet7,
can wekan connect mongodb installed via snap by user and password?
best wishes.

[xet7]

@Lycky-Shi

I don't know, just a moment I test.

[xet7]

@Lucky-Shi

Do you mean in general connecting to Wekan Snap MongoDB database?
https://github.com/wekan/wekan/wiki/Backup#dbgate-open-source-mongodb-gui

Or do you mean connecting Wekan Snap to some other than snap-included MongoDB database, like MongoDB database that is hosted at some other server IP address, username and password?

[Lucky-Shi]

@xet7

Thanks for your response.

In general the bind ip address of Wekan Snap MongoDB database is 127.0.0.1, i want to change it to 0.0.0.0 and make Wekan connecting to Wekan Snap MongoDB database by authenticated.

i set the bind ip:
snap set wekan mongodb-bind-ip="0.0.0.0"

but i don't know how to set that:
snap set wekan mongodb-auth="true"

i also don't know how to make Wekan Snap connect some other than snap-included MongoDB database, like MongoDB database that is hosted at some other server IP address, username and password.

Looking forward to your answer ， thinks.

[Lucky-Shi]

@xet7

Or how Wekan Snap connect MongoDB that isn't from other snaps?

Thanks.