Secure log shipper docs: no public services or IPs#2420
Conversation
The log shipper guide told users to keep a [[services]] section on port 8686, which exposed Vector's unauthenticated GraphQL API publicly (reported at community.fly.io/t/14836). Vector pulls logs from the internal stream and needs no inbound access, so remove the service section and deploy with --no-public-ips. Also note how to release IPs on already-exposed deployments. Supersedes #930.
|
Tested this end to end against a real deployment (throwaway app in my personal org, destroyed after):
Two things surfaced during testing and were folded into the PR: |
|
DONE: #1828 raises a related need (the shipper can wedge silently, and a health check was recommended by support). Since this PR removes the public service, the right approach is a top-level |
|
Health check section added, using a top-level |
The Log Shipper guide told users to edit
fly.tomland keep a[[services]]section oninternal_port = 8686. That port serves Vector's GraphQL API (including an unauthenticated/playground), so following the docs exposed it publicly. This was reported on the community forum, where Fly staff recommended deploying with--no-public-ips.Vector pulls logs from Fly.io's internal log stream and doesn't need to accept inbound connections, so this:
[[services]]/ port 8686 block from the setup stepsfly deploy --no-public-ipsfly ips list/fly ips release)[checks]block against Vector's/healthon 8686, which works without a public service or IP (the shipper can stop shipping logs without exiting, see fix: add health check to exporting logs documentation #1828)All of the above was verified on a live deploy; see the testing comments below.
Supersedes #930 (same fix, but that PR targeted a since-moved file and had gone stale) and #1828 (same health check goal, but via a public
[http_service], which this PR removes).