Enable HTTP to bind to a unix socket. #1639

Open
kevincox opened this issue Aug 22, 2016 · 6 comments · May be fixed by #16884

@kevincox

kevincox commented Aug 22, 2016

With security coming to Nomad for RPC and Serf (#469, #1615), it would be nice to finish the job by allowing the HTTP UI to be protected.

While this could also be done with SSL I think it would be easier for Nomad to support binding to a unix socket (and it doesn't preclude adding SSL support later). Unix sockets provide the following advantages.

  • Access can be restricted using standard POSIX filesystem permissions.
  • Reverse proxies often provide flexible authentication options; these can be used without the need to reimplement everything in Nomad.
  • Many people run reverse proxies on their servers anyway.

The only downside is that the client would need to support these authentication schemes. But starting slowly (HTTP basic auth over SSL) seems like it would be a good idea.

(Other suggestions for securing the HTTP interface also welcome)
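As an added illustration of the proposal above (example code, not Nomad's own and not from any participant in this issue), a Go HTTP server bound to a unix socket whose reachability is governed by the socket file's POSIX mode, plus a client that dials it; the socket path and the handler are constructed for the example, and the socket should live in a 0700 directory so the short window between Listen and Chmod never exposes a wider mode:

```go
package main

import (
	"context"
	"io"
	"net"
	"net/http"
	"os"
)

// ServeOnUnixSocket binds an HTTP handler to a unix socket instead of a TCP
// port, so who can reach the API is decided by file permissions rather than
// by who can reach the port. The socket file is tightened to 0660 (owner and
// group only); a reverse proxy running as that group can then front it.
func ServeOnUnixSocket(path string, h http.Handler) (*http.Server, error) {
	_ = os.Remove(path) // stale socket file left by a previous run
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	// Listen creates the file under the process umask; narrow it explicitly.
	if err := os.Chmod(path, 0o660); err != nil {
		ln.Close()
		return nil, err
	}
	srv := &http.Server{Handler: h}
	go srv.Serve(ln)
	return srv, nil
}

// GetOverUnix issues an HTTP GET through the socket. The host in the URL is a
// placeholder: the custom dialer ignores it and connects to sock instead.
func GetOverUnix(sock, urlPath string) (string, error) {
	c := &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", sock)
		},
	}}
	resp, err := c.Get("http://unix" + urlPath)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}
```

A process that is neither the socket's owner nor in its group gets a permission error on connect, which is the access check the first post describes.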

@dadgar
Contributor

dadgar commented Aug 22, 2016

I think we can also just use TLS for this.

@kevincox
Author

kevincox commented Aug 22, 2016

TLS would also work, especially since basic auth is already supported.

That being said I think that a unix socket would still be easy and really useful (I can do a lot of fun things with nginx or another reverse proxy).

@dadgar
Contributor

dadgar commented Aug 22, 2016

Yeah, I think we just treat them tangentially and do both.

@kevincox
Author

Actually, thinking about it, you can sort of hack up security by using basic auth on localhost and then putting an SSL proxy in front of it. Kinda clunky, but not too ugly.

@mlafeldt
Contributor

mlafeldt commented Aug 29, 2016

We're currently running our Nomad server cluster behind an ELB with SSL termination enabled. On each server node, we have an auth proxy container based on Nginx, which adds basic auth for us. That's actually the reason why I added basic auth support to the Nomad client in the first place. 😄

@blalor
Contributor

blalor commented Jan 18, 2017

When adding this feature, please allow for binding to multiple endpoints. Consul has this only half-implemented right now: unix socket or tcp port. It would be useful to be able to specify both.

Projects
Status: Needs Roadmapping