config file for more flexible http server setup #133

Open
scottlamb opened this issue Jul 21, 2021 · 2 comments
Labels
enhancement rust Rust backend work required

Comments

@scottlamb
Owner

scottlamb commented Jul 21, 2021

Context: this comment on #132, #35, #27, #31.

It'd be nice to have more than a single --http-addr=ipaddr:port and allow them to differ in configuration (different --allow-unauthenticated-permissions, --trust-forward-hdrs, etc). I think it's cheap to have several hyper::Servers in the process. E.g., I'd like to run my server in the following configuration:

  1. an http server to go behind my Internet-facing https proxy server. It requires authentication and trusts the X-Real-IP and X-Forwarded-For headers. (I probably should also require a header from the proxy with a shared secret to avoid being insecure on accidental misconfiguration.)
  2. http over a trusted Unix-domain socket for conveniently adding users/sessions from the CLI without having to shut down the server (as moonfire-nvr login expects now) or to have already created and stored a session cookie.
  3. an http server for use by Prometheus monitoring. I'd like it to be on a separate binding to avoid confusing it with the stuff that should be exposed to the Internet.

Another use: Bobberty just mentioned wanting an IPv4 binding + an IPv6 binding.

Per-bind address knobs might grow to include:

  • bind address: IPv4, IPv6, or Unix domain
  • systemd socket activation flag: expect the parent process to have already done the binding rather than doing it ourselves. Use the bind address (if any) to distinguish between multiple fds rather than for binding. [edit: better yet: use the socket name; see FileDescriptorName= and sd_listen_fds_with_names.]
  • for Unix domain, a flag to allow SO_PEERCRED-based uid authentication rather than just trusting the peer. (The user table has long had a unix_uid for this but it's unimplemented.)
  • equivalent of --allow-unauthenticated-permissions
  • equivalent of --trust-forward-hdrs, with the additional ability to configure a shared secret as mentioned above
  • what to serve: just the normal interface (static files + API), just Prometheus metrics, or both.
  • for https: letsencrypt challenge config or supplied certificate file paths.

Seems way too awkward to specify all the stuff above on the command line, and I don't think it belongs well in the database (I don't want to add a configuration tool for it and folks are used to configuration files for stuff like this), so I think we should introduce a config file. toml, text proto, json, yaml, something like that.

@scottlamb scottlamb added enhancement rust Rust backend work required labels Jul 21, 2021
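
The shared-secret guard on forwarded headers described in the comment above, sketched as an added example (not part of the original issue and not the project's code). The `Bind` struct, its `proxy_secret` field and the `X-Proxy-Secret` header name are assumptions made for illustration; only X-Real-IP is handled.

```rust
use std::net::IpAddr;

/// Hypothetical per-bind settings; the field names are assumptions for this example.
struct Bind {
    trust_forward_headers: bool,
    /// When set, forwarded headers count only if the proxy also sends this value.
    proxy_secret: Option<Vec<u8>>,
}

/// Assumed header name for the shared secret; the issue does not name one.
const SECRET_HEADER: &str = "x-proxy-secret";

/// Byte comparison without an early exit, so timing does not leak the match length.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Case-insensitive lookup of the first header with the given name.
fn header<'a>(headers: &'a [(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

/// Address to attribute a request to. Falls back to the socket peer whenever
/// the bind does not trust forwarded headers or the secret is missing or wrong.
fn effective_addr(bind: &Bind, peer: IpAddr, headers: &[(&str, &str)]) -> IpAddr {
    if !bind.trust_forward_headers {
        return peer;
    }
    if let Some(secret) = &bind.proxy_secret {
        match header(headers, SECRET_HEADER) {
            Some(got) if ct_eq(got.as_bytes(), secret) => {}
            _ => return peer, // fail closed: ignore X-Real-IP entirely
        }
    }
    header(headers, "x-real-ip").and_then(|v| v.trim().parse().ok()).unwrap_or(peer)
}

fn main() {
    // Constructed sample data: the proxy at 10.0.0.2 forwarding for 203.0.113.7.
    let peer: IpAddr = "10.0.0.2".parse().unwrap();
    let bind = Bind { trust_forward_headers: true, proxy_secret: Some(b"constructed-secret".to_vec()) };
    let via_proxy = [("X-Real-IP", "203.0.113.7"), ("X-Proxy-Secret", "constructed-secret")];
    let spoofed = [("X-Real-IP", "203.0.113.7")];
    println!("via proxy: {}", effective_addr(&bind, peer, &via_proxy));
    println!("spoofed:   {}", effective_addr(&bind, peer, &spoofed));
}
```

A request that reaches this bind without the secret is attributed to its socket peer, so a bind accidentally exposed without the proxy in front does not accept client-supplied addresses.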
scottlamb added a commit that referenced this issue Mar 10, 2022
scottlamb added a commit that referenced this issue Mar 16, 2022
* switch from json to toml.
  I think this will be more user-friendly. It allows comments and has
  less punctuation. Fewer surprises than yaml (which has e.g. the
  "Norway problem"). I might have stayed with JSON if I could see a
  good serde json library that allows comments, but hson is unmaintained
  and serde-json strictly follows the spec.

* switch from camelCase to snake_case. Seems more idiomatic for TOML
  and matches the Rust source.

* forbid unknown keys. Better to spot errors sooner.

* rename "trust_forward_hdrs" to "trust_forward_headers". Nothing else
  is abbreviated.
@scottlamb
Owner Author

The crux of this issue is done: there is a config file format with a [[binds]] section now that supports customizing some things. Not all the specific ideas mentioned here are implemented but I think the missing things are covered by other issues.

scottlamb added a commit that referenced this issue Aug 22, 2024
@scottlamb
Owner Author

Oops, mentioned the wrong issue in that commit. Reopening this one.

@scottlamb scottlamb reopened this Aug 22, 2024