Disabling default HTML page

#1

Good day,

I’ve configured crossbar with the following transport:

transports:

  • type: websocket

endpoint:

type: tcp

port: 8080

Now whenever I visit localhost:8080 with a browser, I see the following status page:

Selection_999(058).png

The problem is that it exposes too much details (the fact that it’s WAMP/crossbar, its version, etc.) and I don’t to expose it over the internet like this. Is there a proper way to disable it? (I can mount empty dir in docker onto /usr/local/site-packages/crossbar/webservice/templates, but it’s hacky, fragile and produces confusing empty responses)

Thanks,

Zaar

0 Likes

#2

Another hack to hide is it to put crossbar behind reverse proxy and force Websocket upgrade, e.g. for nginx:

location ~ ^/ws$ {

proxy_pass http://localhost:8080;

proxy_http_version 1.1;

# Forcing upgrade to disable crossbar status page

# which provides too many details

proxy_set_header Upgrade websocket;

proxy_set_header Connection upgrade;

}

···

On Tuesday, 16 October 2018 12:34:35 UTC+11, Zaar Hai wrote:

Good day,

I’ve configured crossbar with the following transport:

transports:

  • type: websocket

endpoint:

type: tcp

port: 8080

Now whenever I visit localhost:8080 with a browser, I see the following status page:

Selection_999(058).png

The problem is that it exposes too much details (the fact that it’s WAMP/crossbar, its version, etc.) and I don’t to expose it over the internet like this. Is there a proper way to disable it? (I can mount empty dir in docker onto /usr/local/site-packages/crossbar/webservice/templates, but it’s hacky, fragile and produces confusing empty responses)

Thanks,

Zaar

0 Likes

#3

Hi Zaar!

This can be configured via the WebSocket transport options - see https://crossbar.io/docs/WebSocket-Options/ - “enable_webstatus”

Regards,

Alex

···

Am Dienstag, 16. Oktober 2018 03:34:35 UTC+2 schrieb Zaar Hai:

Good day,

I’ve configured crossbar with the following transport:

transports:

  • type: websocket

endpoint:

type: tcp

port: 8080

Now whenever I visit localhost:8080 with a browser, I see the following status page:

Selection_999(058).png

The problem is that it exposes too much details (the fact that it’s WAMP/crossbar, its version, etc.) and I don’t to expose it over the internet like this. Is there a proper way to disable it? (I can mount empty dir in docker onto /usr/local/site-packages/crossbar/webservice/templates, but it’s hacky, fragile and produces confusing empty responses)

Thanks,

Zaar

0 Likes

#4

Thank you! I missed that.

Disabling web status breaks HTTP healthchecks though, since crossbar also responds with 426.

So what is did in the end is:

a). Disabled web status (generating templated html every 10 seconds just for healthchecks seems like a waste)

b). Requiring websocket upgrade in the reverse-proxy as per my above example to block any “outgoing” html

c). Switched to web transport with a separate path for healthchecks. Along the way I hit the issue that crossbar leaks sever version in web transport. Not a biggie, since it’s just for internal K8s healthcheck

  # Main transport - requires authentication

  - type: web

    endpoint:

      type: tcp

      port: 5555

    paths:

      healthz:

        type: static

        directory: /var/lib/crossbar/health

        options:

          show_server_version: false

      ws:

        type: websocket

        ...

(I then mount an OK index.html file from K8s configmap under /var/lib/crossbar/health)

···

On Tuesday, 16 October 2018 20:32:08 UTC+11, Alexander Gödde wrote:

Hi Zaar!

This can be configured via the WebSocket transport options - see https://crossbar.io/docs/WebSocket-Options/ - “enable_webstatus”

Regards,

Alex

Am Dienstag, 16. Oktober 2018 03:34:35 UTC+2 schrieb Zaar Hai:

Good day,

I’ve configured crossbar with the following transport:

transports:

  • type: websocket

endpoint:

type: tcp

port: 8080

Now whenever I visit localhost:8080 with a browser, I see the following status page:

Selection_999(058).png

The problem is that it exposes too much details (the fact that it’s WAMP/crossbar, its version, etc.) and I don’t to expose it over the internet like this. Is there a proper way to disable it? (I can mount empty dir in docker onto /usr/local/site-packages/crossbar/webservice/templates, but it’s hacky, fragile and produces confusing empty responses)

Thanks,

Zaar

0 Likes