Reverse Proxy with Unix Domain Socket
Aaron Gifford
3 October 2017, 20:53
Will Hiwatha ever support configuring a reverse proxy on a unix domain socket instead of only on TCP sockets?
Wondering,
-Aaron Gifford
Hugo Leisink
4 October 2017, 00:42
I think not. What application uses a unix socket for incoming HTTP requests??
Aaron Gifford
4 October 2017, 01:46
Lots of web apps can listen on a loopback IP (127.x.x.x/8) and port OR a unix domain socket. When a FreeBSD server may host different sites on different IPs, it is more secure and easier to configure things securely when the front-end web server communicates with the back-end application server over a unix domain socket than over an IP address, even the loopback IP. Directory permissions can limit access to the socket to just the web server and the application server, whereas it's more difficult to get fine-grained, per-process TCP firewalling of a loopback IP to prevent other processes from getting access to the application server listening on the loopback IP.
-Aaron Gifford
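The mechanism described in the post above, as an added example that is not part of this thread or of Hiawatha's code: a minimal back end bound to a Unix domain socket whose file mode is restricted so that only the owner and group (the front-end server) can connect, a front-end function that forwards one raw HTTP request over that socket, and a check of the socket's permission bits. The socket path, the 0660 mode and the reply body are constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile
import threading

# Constructed reply an application server behind the socket might send.
BACKEND_BODY = b"hello from backend"


def start_backend(sock_path, mode=0o660):
    """Bind a one-shot HTTP back end to a Unix socket and restrict the socket
    file; connect() needs write permission on it, so other local users are
    refused at the filesystem level rather than by a loopback firewall."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, mode)  # explicit chmod, independent of the umask
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # read (and ignore) the forwarded request
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                         % (len(BACKEND_BODY), BACKEND_BODY))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def socket_mode(sock_path):
    """Permission bits of the socket file, as a front end should verify them."""
    return stat.S_IMODE(os.stat(sock_path).st_mode)


def proxy_request(sock_path, raw_request):
    """Forward one raw HTTP request over the Unix socket, return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(sock_path)
        cli.sendall(raw_request)
        reply = b""
        while chunk := cli.recv(4096):
            reply += chunk
    return reply


def demo():
    path = os.path.join(tempfile.mkdtemp(), "app.sock")
    start_backend(path)
    return socket_mode(path), proxy_request(
        path, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")


if __name__ == "__main__":
    print(demo())
```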
Aaron Gifford
4 October 2017, 01:50
I installed Hiawatha in high hopes I could use it instead of Nginx, but sadly discovered that it currently doesn't support talking to a web server on a Unix domain socket with the reverse proxy feature. I'd love to move from Nginx to Hiawatha, as Hiawatha matches my own personal security preference of do-the-minimum-required-securely-and-well without additional unneeded features that only expand the security surface I have to worry about.
-Aaron Gifford
Hugo Leisink
4 October 2017, 10:30
So, Hiawatha should be able to connect to a backend webserver via Unix socket. Correct? So, the ReverseProxy configuration option should be able to accept the path to a file (the Unix socket). Correct?
Hugo Leisink
10 October 2017, 16:10
I have a version ready that supports Unix sockets via the reverse proxy. If you send me an e-mail, I'll reply with a version you can test.
Aaron Gifford
13 October 2017, 04:50
Thank you!
Aaron Gifford
astounding@gmail.com
This topic has been closed.