Comments (4)
Thank you @burner-
We might consider adding an ACME client in EMQX to make things easier.
Out of curiosity, many choose to terminate TLS at the LB though; is that not the case for you?
from emqx.
I can do it with an LB, but that's not the point. The point is to try to encourage devs to make a product that encourages users not to shoot themselves in the foot with security.
But honestly, the deeper I dive, the more worried I become about the security culture of EMQX. I am sorry to say that it looks like the lack of a fast way to get TLS is just the tip of the iceberg of bad choices. If you want, I can open a different ticket for each one, but at this point these are the "basic things that should go without saying not to do this way" that I hit in the first hour of use:
a) Admin console port bound to 0.0.0.0 by default. The admin console should bind only to localhost by default because it has a default password set.
b) No SSL by default on the admin console. Even a self-signed cert would be better than HTTP as the default.
c) All listeners are enabled and bound to 0.0.0.0 by default without any authentication.
d) Authentication allow policy by default. All listeners are open if no authentication is set. Good practice is that by default those are closed and the admin can set an anonymous authentication method that opens them for everyone if really wanted.
e) Default password on the admin console. Yes, this is not so bad if the admin console is bound to localhost. Anyway, a default password usually just brings a false sense of security. That is why it is usually considered bad design, and the recommended way is to just remove the login screen when no password is set. This is more of a tweak compared to a-d.
At that point I just shut down that server and continued my holiday. I did not want to do a full security review of it during my holiday, which it clearly needs before it is safe to connect it back to the internet. I think I will return to this later, but clearly there is room for your dev team to do an internal review for best practices. I don't want to be mean or anything, but it is just a big surprise to find so many "student solutions" in the same product that is so popular and targeted at enterprise.
Do you want me to open tickets for each, or is it better that your team first does a review and makes its own action points? I think this is a great product, but OOTB security has not been on the priority list.
from emqx.
We have to continue providing easy-to-start defaults.
- For security concerns about the default values, we will provide a security checklist (or alerts) (for internal ref: ER-246)
- To simplify SSL listener configuration, we will implement an ACME client (for internal ref: ER-247)
from emqx.
I understand that there is always a little balancing of easy deployment vs. security. Anyway, most of the time it is also a balance where it is better that product deployment takes 10 min instead of 5 min if it saves the user 5 hours of manual hardening work.
So it is much better to put the admin/cluster listen ports on localhost by default and then document well how to open them. It is common practice in the software industry for a reason.
And for open listeners, just enable password authentication by default and the software won't get a "my first student project" vibe at the start.
Those are just the bare minimum things to do if you have any kind of security culture, and they won't make deployment any harder.
from emqx.
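A hardened emqx.conf fragment covering points a-e from the thread, added here as an illustration; it is not taken from the thread or from the EMQX project. The key names are assumed to follow the EMQX 5.x configuration reference, and the certificate paths and password are placeholders.

```hocon
# Added example (not project code): hardened emqx.conf in HOCON, one block per point a-e.
# Key names assumed per the EMQX 5.x config reference; cert paths and password are placeholders.

dashboard {
  # (a) Bind the admin console to loopback only. The weak form is `bind = 18083`,
  #     which listens on 0.0.0.0; reach it via an SSH tunnel or a reverse proxy instead.
  listeners.http.bind = "127.0.0.1:18083"

  # (b) Serve the console over HTTPS; even a self-signed pair beats plain HTTP.
  listeners.https {
    bind = "127.0.0.1:18084"
    ssl_options {
      certfile = "/path/to/dashboard-cert.pem"   # placeholder
      keyfile  = "/path/to/dashboard-key.pem"    # placeholder
    }
  }

  # (e) Do not run with the well-known default password; set one at install time.
  default_username = "admin"
  default_password = "CHANGE-ME-AT-INSTALL"        # placeholder
}

# (c) Require a password from every MQTT client instead of accepting anonymous connections.
authentication = [
  {
    mechanism    = password_based
    backend      = built_in_database
    user_id_type = username
  }
]

# (d) Deny by default: a client whose pub/sub matches no ACL rule is rejected and disconnected.
#     The weak form is `no_match = allow`. Grants must then come from the sources list
#     (e.g. the file ACL), so keep at least one source configured.
authorization {
  no_match    = deny
  deny_action = disconnect
}

# Listeners: keep the plaintext TCP listener on loopback and expose only the TLS listener.
listeners.tcp.default.bind = "127.0.0.1:1883"
listeners.ssl.default {
  bind = "0.0.0.0:8883"
  ssl_options {
    certfile   = "/path/to/broker-cert.pem"       # placeholder
    keyfile    = "/path/to/broker-key.pem"        # placeholder
    cacertfile = "/path/to/ca.pem"                # placeholder
  }
}
```

After applying it, confirm from the host that only 8883 is bound on a non-loopback address (for example with `ss -ltn`) before exposing the broker.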