When you see the critical log message "Server 'unix_http_server' running without any HTTP authentication checking" in SupervisorD, it indicates a significant security gap. Unlike the default HTTP server (port 9001), the Unix domain socket server doesn't enforce authentication by default.
The unix_http_server operates through a socket file (/var/run/supervisor.sock in your case), which is more secure than TCP ports as it's filesystem-based. However, when no authentication is configured:
- Any local user with filesystem access can interact with Supervisor
- Process management becomes vulnerable to unauthorized access
- Compliance requirements may be violated
Here's how to properly secure your unix_http_server configuration:
[unix_http_server]
file=/var/run/supervisor.sock
chmod=0770
chown=root:supervisor
username=yourusername ; Add this line
password=yourstrongpassword ; Add this line
Combine authentication with proper filesystem permissions:
# Set restrictive permissions
sudo chmod 770 /var/run/supervisor.sock
sudo chown root:supervisor /var/run/supervisor.sock
# Add users to the supervisor group
sudo usermod -a -G supervisor yourusername
After making changes, reload Supervisor:
sudo supervisorctl reread
sudo supervisorctl update
Check the logs to confirm authentication is working:
tail -f /var/log/supervisor/supervisord.log
If you encounter permission problems:
# Check socket permissions
ls -l /var/run/supervisor.sock
# Verify group membership
groups yourusername
# Test authentication
curl --unix-socket /var/run/supervisor.sock http://localhost/RPC2 -d '...'
If you don't need the Unix socket interface, you can disable it completely:
[unix_http_server]
;file=/var/run/supervisor.sock ; Comment out or remove this section
Then configure the inet_http_server section properly:
[inet_http_server]
port=127.0.0.1:9001
username=yourusername
password=yourstrongpassword
When you see the message "Server 'unix_http_server' running without any HTTP authentication checking" in your Supervisord logs, it indicates a significant security concern. The Unix HTTP server interface is exposed without any authentication mechanism, potentially allowing unauthorized access to your process management system.
Your current configuration shows:
[unix_http_server]
file=/var/run/supervisor.sock
chmod=0770
chown=root:supervisor
While the socket permissions are properly restricted (0770 to root:supervisor), the lack of HTTP authentication means any process with access to the socket could potentially control your supervised processes.
To secure your Supervisord installation, you need to modify your configuration to include authentication credentials:
[unix_http_server]
file=/var/run/supervisor.sock
chmod=0770
chown=root:supervisor
username=admin
password=your_secure_password
To expose the HTTP interface on port 9001 with authentication, add or modify the inet_http_server section:
[inet_http_server]
port = 127.0.0.1:9001
username = admin
password = your_secure_password
- Always use strong, complex passwords
- Consider binding to 127.0.0.1 instead of 0.0.0.0 to restrict access
- Regularly rotate credentials
- Monitor access logs for suspicious activity
After making changes, reload Supervisord:
sudo supervisorctl reread
sudo supervisorctl update
Test the authentication by accessing the web interface or using curl:
curl --user admin:your_secure_password http://localhost:9001
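Both answers come down to the same three checks: the two HTTP server sections carry a username and password, the inet server is bound to 127.0.0.1, and the socket's mode bits don't grant access to "other". The script below is an added example (not part of either answer and not supervisor's own code) that runs those checks against a supervisord.conf and against the live socket's st_mode, so the audit can be repeated after each change instead of eyeballing the config. It assumes supervisord's documented behaviour: ';' starts an inline comment, the default socket chmod is 0700, and a password may be stored as '{SHA}' followed by the hex SHA-1 of the cleartext. The section names and placeholder passwords come from the answers above; the sample configs, the username supervisor_admin and the passphrase are constructed.

```python
"""Audit supervisord.conf and the control socket for missing HTTP auth."""
import configparser
import hashlib
import os
import stat

# Placeholder secrets used in the answers above; flag them if left in place.
PLACEHOLDER_PASSWORDS = {"yourstrongpassword", "your_secure_password", "password", "admin"}


def parse_supervisor_conf(text):
    """Parse supervisord.conf text. Interpolation is off because supervisord
    expands %(here)s / %(ENV_X)s itself, not through configparser."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp


def sha_password(cleartext):
    """Return the {SHA} form supervisord accepts in place of a cleartext password."""
    return "{SHA}" + hashlib.sha1(cleartext.encode()).hexdigest()


def audit_server_section(cp, section):
    """Findings for [unix_http_server] or [inet_http_server]; [] means no issue."""
    findings = []
    if not cp.has_section(section):
        return findings
    sec = cp[section]
    username = sec.get("username", "").strip()
    password = sec.get("password", "").strip()
    if not username or not password:
        # This is exactly the state behind the log line
        # "Server '<section>' running without any HTTP authentication checking".
        findings.append(f"{section}: username/password not set, HTTP auth disabled")
    elif password in PLACEHOLDER_PASSWORDS:
        findings.append(f"{section}: placeholder password still in use")
    elif not password.startswith("{SHA}"):
        findings.append(f"{section}: cleartext password in config; a {{SHA}} hash is accepted")
    if section == "inet_http_server":
        port = sec.get("port", "").strip()
        host = port.rsplit(":", 1)[0] if ":" in port else ""
        if host in ("", "*", "0.0.0.0"):
            findings.append(f"{section}: port={port} listens on all interfaces; bind to 127.0.0.1")
    if section == "unix_http_server":
        mode = sec.get("chmod", "0700").strip()  # supervisord's documented default
        if int(mode, 8) & 0o007:
            findings.append(f"{section}: chmod={mode} grants 'other' access to the socket")
    return findings


def audit_supervisor_config(text):
    """Run the section checks over a whole supervisord.conf and collect findings."""
    cp = parse_supervisor_conf(text)
    findings = []
    for section in ("unix_http_server", "inet_http_server"):
        findings.extend(audit_server_section(cp, section))
    return findings


def audit_socket_mode(st_mode):
    """Judge an st_mode value for the socket path (the `ls -l` step, done in code)."""
    findings = []
    if not stat.S_ISSOCK(st_mode):
        findings.append("path is not a unix socket (is supervisord running?)")
    if st_mode & stat.S_IRWXO:
        findings.append(f"mode {stat.filemode(st_mode)} is world-accessible")
    return findings


def audit_socket_file(path):
    """Stat the socket on disk and hand its mode to audit_socket_mode."""
    try:
        return audit_socket_mode(os.lstat(path).st_mode)
    except FileNotFoundError:
        return [f"{path}: not present"]


# Constructed sample: the unauthenticated layout from the question plus an
# inet server listening on every interface.
WEAK_CONF = """
[unix_http_server]
file=/var/run/supervisor.sock
chmod=0770
chown=root:supervisor

[inet_http_server]
port=*:9001
"""

# Constructed sample: the hardened layout from both answers, hashed password.
HARDENED_CONF = f"""
[unix_http_server]
file=/var/run/supervisor.sock ; socket path from the question
chmod=0770
chown=root:supervisor
username=supervisor_admin
password={sha_password("correct horse battery staple")}

[inet_http_server]
port = 127.0.0.1:9001
username = supervisor_admin
password = {sha_password("correct horse battery staple")}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_supervisor_config(conf) or ["OK"])
    print(audit_socket_file("/var/run/supervisor.sock"))
```

Point audit_supervisor_config at the text of /etc/supervisor/supervisord.conf (or whatever file supervisord was started with) and audit_socket_file at the path from the file= line; an empty list from both is the state in which the CRIT message no longer appears. A reread/update alone does not re-create the socket or re-read the server sections, so re-run the check after supervisord itself has been restarted.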