New option to bind http to localhost on AWS

deploy-cluster-aws/awsdeploy.sh

@@ -48,6 +48,7 @@ if [ "$USING_EBS" = True ]; then
     echo "EBS_VOLUME_SIZE = "$EBS_VOLUME_SIZE
     echo "EBS_OPTIMIZED = "$EBS_OPTIMIZED
 fi
+echo "BIND_HTTP_TO_LOCALHOST = "$BIND_HTTP_TO_LOCALHOST
 
 # Check for the SSH private key file
 if [ ! -f "$HOME/.ssh/$SSH_KEY_NAME" ]; then
@@ -116,7 +117,7 @@ fab upgrade_setuptools
 
 if [ "$WHAT_TO_DEPLOY" == "servers" ]; then
     # (Re)create the RethinkDB configuration file conf/rethinkdb.conf
-    python create_rethinkdb_conf.py
+    python create_rethinkdb_conf.py --bind-http-to-localhost $BIND_HTTP_TO_LOCALHOST
     # Rollout RethinkDB and start it
     fab prep_rethinkdb_storage:$USING_EBS
     fab install_rethinkdb

deploy-cluster-aws/create_rethinkdb_conf.py

@@ -8,8 +8,19 @@ from __future__ import unicode_literals
 import os
 import os.path
 import shutil
+import argparse
 from hostlist import public_dns_names
 
+# Parse the command-line arguments
+parser = argparse.ArgumentParser()
+parser.add_argument("--bind-http-to-localhost",
+                    help="should RethinkDB web interface be bound to localhost?",
+                    required=True)
+args = parser.parse_args()
+bind_http_to_localhost = args.bind_http_to_localhost
+
+print('bind_http_to_localhost = {}'.format(bind_http_to_localhost))
+
 # cwd = current working directory
 old_cwd = os.getcwd()
 os.chdir('conf')
@@ -24,6 +35,10 @@ with open('rethinkdb.conf', 'a') as f:
     f.write('## The host:port of a node that RethinkDB will connect to\n')
     for public_dns_name in public_dns_names:
         f.write('join=' + public_dns_name + ':29015\n')
+    if bind_http_to_localhost:
+        f.write('## Bind the web interface port to localhost\n')
+        # 127.0.0.1 is the usual IP address for localhost
+        f.write('bind-http=127.0.0.1\n')
 
 os.chdir(old_cwd)
 

deploy-cluster-aws/example_deploy_conf.py

@@ -74,3 +74,8 @@ EBS_VOLUME_SIZE=30
 # Setting EBS_OPTIMIZED=True may cost more, but not always.
 # If USING_EBS=False, EBS_OPTIMIZED is irrelevant and not used
 EBS_OPTIMIZED=False
+
+# BIND_HTTP_TO_LOCALHOST is True or False, depending on whether
+# you want the RethinkDB web interface port to be bound to localhost
+# (which is more secure). See https://www.rethinkdb.com/docs/security/
+BIND_HTTP_TO_LOCALHOST=False

deploy-cluster-aws/launch_ec2_nodes.py

@@ -28,7 +28,7 @@ from awscommon import get_naeips
 
 SETTINGS = ['NUM_NODES', 'BRANCH', 'WHAT_TO_DEPLOY', 'SSH_KEY_NAME',
             'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'SECURITY_GROUP',
-            'USING_EBS', 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']
+            'USING_EBS', 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED', 'BIND_HTTP_TO_LOCALHOST']
 
 
 class SettingsTypeError(TypeError):
@@ -104,6 +104,10 @@ if not isinstance(EBS_VOLUME_SIZE, int):
 if not isinstance(EBS_OPTIMIZED, bool):
     raise SettingsTypeError('EBS_OPTIMIZED should be a boolean (True or False)')
 
+if not isinstance(BIND_HTTP_TO_LOCALHOST, bool):
+    raise SettingsTypeError('BIND_HTTP_TO_LOCALHOST should be a boolean '
+                            '(True or False)')
+
 if NUM_NODES > 64:
     raise ValueError('NUM_NODES should be less than or equal to 64. '
                      'The AWS deployment configuration file sets it to {}'.

docs/source/clusters-feds/aws-testing-cluster.md

@@ -132,6 +132,7 @@ SECURITY_GROUP="bigchaindb"
 USING_EBS=True
 EBS_VOLUME_SIZE=30
 EBS_OPTIMIZED=False
+BIND_HTTP_TO_LOCALHOST=False
 ```
 
 Make a copy of that file and call it whatever you like (e.g. `cp example_deploy_conf.py my_deploy_conf.py`). You can leave most of the settings at their default values, but you must change the value of `SSH_KEY_NAME` to the name of your private SSH key. You can do that with a text editor. Set `SSH_KEY_NAME` to the name you used for `<key-name>` when you generated an RSA key pair for SSH (in basic AWS setup).