Supervisor: CRIT Server 'unix_http_server' running without any HTTP authentication checking

Created on 18 Nov 2015  ·  4 Comments  ·  Source: Supervisor/supervisor

This shouldn't be a CRIT level message, it's WARN at most.

As per the documentation:

username
The username required for authentication to this HTTP server.

Default: No username required.

Required: No.

Introduced: 3.0

If username is not a requirement, a CRIT message should not be generated.

logging question

All 4 comments

This is logged at the highest level because it's a critical security concern. We allow supervisord to be run without authentication checking for things like local development, but we don't want it run without authentication in any kind of production environment. If you choose to run it that way, you'll still be able to do that, but by design you're going to have to endure this log message. I won't give you a way to turn this off, sorry.

@mnaberez If only a [unix_http_server] block is configured, (meaning no [inet_http_server] block) no outside access to the HTTP server would be allowed. In that scenario, running without HTTP authentication seems reasonable. Would you explain why you disagree?

See comments attached to #717.

Due to a security issue, having any password/user in the configuration is also not allowed, but without user/password configuration, it will show a warning message. Any good solution for it?
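Added example, not part of the thread and not Supervisor's own code: a small audit of a supervisord configuration that reports which HTTP server sections have no `username` and how widely the UNIX socket is exposed through `chmod`. The sample configuration, the function name `audit_http_servers` and the finding labels are constructed for illustration; it assumes the log message is tied to a missing `username`, as the issue describes.

```python
import configparser

# Constructed sample configuration (not taken from the issue).
SAMPLE_CONF = """
[unix_http_server]
file=/var/run/supervisor.sock
chmod=0770

[inet_http_server]
port=127.0.0.1:9001
username=admin
password={SHA}<placeholder-hash>

[supervisord]
logfile=/var/log/supervisord.log
"""


def audit_http_servers(conf_text):
    """Return (section, finding) tuples for the HTTP server sections."""
    # RawConfigParser leaves %(ENV_X)s expansions in the file untouched.
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    findings = []
    for section in ("unix_http_server", "inet_http_server"):
        if not parser.has_section(section):
            continue
        opts = dict(parser.items(section))
        # Assumption: no username means no HTTP authentication checking.
        if not opts.get("username"):
            findings.append((section, "no-auth"))
        if section == "unix_http_server":
            # Supervisor documents 0700 as the default socket mode.
            mode = int(opts.get("chmod", "0700"), 8)
            if mode & 0o007:
                findings.append((section, "socket-world-accessible"))
            elif mode & 0o070:
                findings.append((section, "socket-group-accessible"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_http_servers(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```

With an unauthenticated `[unix_http_server]`, the socket's file mode and ownership are the only access control, so the `chmod` finding is the one to review first.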
