
Portunus doesn't just listen on localhost in NixOS #221678

Closed
acarrico opened this issue Mar 17, 2023 · 4 comments · Fixed by #221684

Comments

@acarrico
Contributor

The option `services.portunus.port` is described as:

```
Description: Port where the Portunus webserver should listen on. This must be put behind a
  TLS-capable reverse proxy because Portunus only listens on localhost.

Declared in: nixos/modules/services/misc/portunus.nix
```

But this is inaccurate: it listens on `*:8080`, which is a potential security issue.

```
$ sudo ss --listening  -t --processes
State    Recv-Q   Send-Q       Local Address:Port              Peer Address:Port   Process
LISTEN   0        2048               0.0.0.0:ldap                   0.0.0.0:*       users:(("slapd",pid=621556,fd=7))
LISTEN   0        4096                     *:http-alt                     *:*       users:(("portunus-server",pid=621554,fd=11))
LISTEN   0        2048                  [::]:ldap                      [::]:*       users:(("slapd",pid=621556,fd=8))
```

NOTE: I haven't looked at the ldap sockets in this issue, but there they are too.

I've patched the module to try [::]:8080, [::1]:8080, localhost:8080, and 127.0.0.1:8080 for the value of PORTUNUS_SERVER_HTTP_LISTEN. Here are the results tested with an http client and with ss:

| PORTUNUS_SERVER_HTTP_LISTEN | `[::]:8080` | `[::1]:8080` | `localhost:8080` | `127.0.0.1:8080` |
|---|---|---|---|---|
| http://127.0.0.1:8080/ | Portunus | connection refused | malformed env. var. | Portunus |
| http://localhost:8080/ | Portunus | Portunus | | Portunus |
| http://192.168.1.27:8080 | Portunus | connection refused | | connection refused |
| http://[::1]:8080 | Portunus | Portunus | | connection refused |
| IPv6 link-local address | not supported by browsers | | | |
| `ss --listening -t --numeric` | `*:8080` | `[::1]:8080` | | `127.0.0.1:8080` |

My /etc/hosts maps both 127.0.0.1 and ::1 to localhost, so the documented behavior seems impossible. Unless there is a valid notation which captures both loopbacks (please advise), I'll use ::1 in the PR, which is the unique IPv6 loopback, and change the documentation to suit.

Notify maintainers

@majewsky, @SuperSandro2000, take a look. I'll close the issue on the Portunus site, since the problem is here in nixpkgs.
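An added example (not code from nixpkgs or the Portunus project): a small Python audit that parses the `ss --listening -t --processes` output quoted above and flags every listener that is not bound to a loopback address, and that classifies `PORTUNUS_SERVER_HTTP_LISTEN`-style values the way the comparison table does (wildcard, loopback, or an unresolved hostname such as `localhost`). The sample `ss` output is constructed from the lines in this issue plus one made-up nginx line on 127.0.0.1 so that a loopback-only listener is present; the process name and pid on that line are invented.

```python
"""Audit listening TCP sockets from `ss` output for non-loopback binds.

Added example for this issue, not code from nixpkgs or Portunus.
"""
from __future__ import annotations

import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: the three lines quoted in the issue plus a made-up nginx
# line bound to 127.0.0.1 so that a loopback-only listener is also present.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q   Send-Q       Local Address:Port              Peer Address:Port   Process
LISTEN   0        2048               0.0.0.0:ldap                   0.0.0.0:*       users:(("slapd",pid=621556,fd=7))
LISTEN   0        4096                     *:http-alt                     *:*       users:(("portunus-server",pid=621554,fd=11))
LISTEN   0        2048                  [::]:ldap                      [::]:*       users:(("slapd",pid=621556,fd=8))
LISTEN   0        4096             127.0.0.1:http                     0.0.0.0:*       users:(("nginx",pid=4242,fd=6))
"""

# Pulls the first process name out of ss's users:(("name",pid=...,fd=...)) column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


class Listener(NamedTuple):
    process: str
    host: str   # host part exactly as ss prints it, e.g. "*", "[::]", "127.0.0.1"
    port: str   # port number or service name as ss prints it
    scope: str  # "loopback", "wildcard", "hostname" or "specific"


def split_host_port(spec: str) -> Tuple[str, str]:
    """Split "host:port" on the last colon so "[::1]:8080" keeps its brackets."""
    host, _, port = spec.rpartition(":")
    return host, port


def classify_host(host: str) -> str:
    """Say what a bind address actually covers."""
    if host in ("*", "0.0.0.0", "::", "[::]"):
        return "wildcard"  # every interface, IPv4 and/or IPv6
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # A name like "localhost" is resolved at bind time and may map to one
        # or more addresses; it cannot be trusted to mean "loopback only".
        return "hostname"
    return "loopback" if ip.is_loopback else "specific"


def classify_listen_spec(spec: str) -> str:
    """Classify a PORTUNUS_SERVER_HTTP_LISTEN-style "host:port" value."""
    host, _ = split_host_port(spec)
    return classify_host(host)


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss --listening -t --processes` output into Listener records."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split(None, 5)  # State Recv-Q Send-Q Local Peer Process
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or a line we do not understand
        host, port = split_host_port(fields[3])
        match = _PROC_RE.search(fields[5])
        process = match.group(1) if match else "?"
        listeners.append(Listener(process, host, port, classify_host(host)))
    return listeners


def non_loopback_listeners(output: str) -> List[Listener]:
    """Listeners reachable from other hosts unless a firewall blocks them."""
    return [l for l in parse_ss(output) if l.scope != "loopback"]


if __name__ == "__main__":
    for l in non_loopback_listeners(SAMPLE_SS_OUTPUT):
        print(f"{l.process}: bound to {l.host}:{l.port} ({l.scope})")
```

Run against real output (`sudo ss --listening -t --processes | python3 audit.py` with `sys.stdin.read()` in place of the sample) this is a quick way to confirm after the fix that `portunus-server` shows up on a loopback address only, while the slapd sockets, which are intentionally not proxied, still appear as wildcard binds.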

@acarrico
Contributor Author

Here is the proposed new documentation for that change:

```
[nix-shell:/etc/nixos]# nixos-option services.portunus.port
Value:
8080

Default:
8080

Type:
"16 bit unsigned integer; between 0 and 65535 (both inclusive)"

Description:
{
  text = ''
    Port where the Portunus webserver should listen on.

    This must be put behind a TLS-capable reverse proxy because Portunus is only configured to listen on ::1, the IPv6 loopback address.
  '';
}
```

@SuperSandro2000
Member

> But this is inaccurate, it listens on *:8080, which is a potential security issue.

Not in the NixOS default configuration where the firewall closes the port. Nevertheless we should change it to localhost as done in #221684

> NOTE: I haven't looked at the ldap sockets in this issue, but there they are too.

and afaik they need to listen on everything because we don't proxy them.

@abueide
Contributor

abueide commented Jul 27, 2024

Is it bad practice to have a central nginx server that handles TLS traffic? Right now it seems I need to have nginx listening on the local Portunus machine and forward the traffic from my central TLS termination proxy. Is double-layer nginx the best way to go here? Is there a way to allow Portunus to listen on its LAN interface instead of just localhost?

@acarrico
Contributor Author

I guess it would depend on how well you trusted that LAN. I'm no longer trying to use Portunus, but I believe you will need to adjust:

`systemd.services.portunus.environment.PORTUNUS_SERVER_HTTP_LISTEN`

to set up the environment to launch Portunus as you see fit for your architecture. It is currently hardcoded as:

```nix
PORTUNUS_SERVER_HTTP_LISTEN = "127.0.0.1:${toString cfg.port}";
```

See portunus.nix.

We had different PRs on how to fix this issue, and there wasn't really any discussion on the fix, so I don't know if anyone objects to exposing the option. Perhaps you should lobby for exposing a configuration option or create a PR.
