
Commit 4e334d9

Add an explicit security warning about inet_http_server.
References #1245
1 parent 628b6d0 commit 4e334d9


2 files changed

+25
-1
lines changed


docs/configuration.rst

+15-1
@@ -157,6 +157,19 @@ inserted. If the configuration file has no ``[inet_http_server]``
157157
section, an inet HTTP server will not be started. The allowable
158158
configuration values are as follows.
159159

160+
.. warning::
161+
162+
The inet HTTP server is not enabled by default. If you choose to enable it,
163+
please read the following security warning. The inet HTTP server is intended
164+
for use within a trusted environment only. It should only be bound to localhost
165+
or only accessible from within an isolated, trusted network. The inet HTTP server
166+
does not support any form of encryption. The inet HTTP server does not use
167+
authentication by default (see the ``username=`` and ``password=`` options).
168+
The inet HTTP server can be controlled remotely from :program:`supervisorctl`.
169+
It also serves a web interface that allows subprocesses to be started or stopped,
170+
and subprocess logs to be viewed. **Never expose the inet HTTP server to the
171+
public internet.**
172+
160173
``[inet_http_server]`` Section Values
161174
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
162175

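Review bot: the new warning states that the server has no encryption and that authentication comes only from ``username=`` and ``password=``, but it never draws the consequence that those credentials, and every XML-RPC request, cross the wire in cleartext; one sentence saying so would make the "trusted network only" advice self-explanatory. It also tells readers to bind to localhost without showing which ``port=`` value does that, while the ``port`` entry in the next hunk shows only the all-interfaces forms ``:9001`` and ``*:9001``; add the loopback form beside them so the safe setting is as concrete as the broad one.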
@@ -166,7 +179,8 @@ configuration values are as follows.
166179
supervisor will listen for HTTP/XML-RPC requests.
167180
:program:`supervisorctl` will use XML-RPC to communicate with
168181
:program:`supervisord` over this port. To listen on all interfaces
169-
in the machine, use ``:9001`` or ``*:9001``.
182+
in the machine, use ``:9001`` or ``*:9001``. Please read the security
183+
warning above.
170184

171185
*Default*: No default.
172186

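Review bot: the added sentence sends readers to a warning that says to bind to localhost, yet the ``port`` description around it still gives only the all-interfaces examples ``:9001`` and ``*:9001``; show the loopback form here too, next to the all-interfaces ones, so the documented examples do not all point at the setting the warning discourages. Minor wording: "all interfaces in the machine" reads better as "all interfaces on the machine".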
supervisor/skel/sample.conf

+10
@@ -11,6 +11,16 @@
1111
; - Comments must have a leading space: "a=b ;comment" not "a=b;comment".
1212
; - Command will be truncated if it looks like a config file comment, e.g.
1313
; "command=bash -c 'foo ; bar'" will truncate to "command=bash -c 'foo ".
14+
;
15+
; Security Warning:
16+
; The inet HTTP server is not enabled by default. The inet HTTP server is
17+
; enabled by uncommenting the [inet_http_server] section below. The inet
18+
; HTTP server is intended for use within a trusted environment only. It
19+
; should only be bound to localhost or only accessible from within an
20+
; isolated, trusted network. The inet HTTP server does not support any
21+
; form of encryption. The inet HTTP server does not use authentication
22+
; by default (see the username= and password= options to add authentication).
23+
; Never expose the inet HTTP server to the public internet.
1424

1525
[unix_http_server]
1626
file=/tmp/supervisor.sock ; the path to the socket file
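Review bot: the new Security Warning block is placed directly above ``[unix_http_server]``, a different transport, while it refers to the ``[inet_http_server]`` section as "below"; putting it immediately above the commented-out ``[inet_http_server]`` section would keep the warning next to the lines a user actually uncomments. As in the docs hunk, the comment notes there is no encryption and points to ``username=`` and ``password=`` without saying that those credentials then travel in cleartext over the network; one extra comment line here would close that gap.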
