Skip to content

Update log shipper docs to ensure that no public access is granted#930

Closed
jsierles wants to merge 2 commits into
mainfrom
js-no-ips-log-shipper
Closed

Update log shipper docs to ensure that no public access is granted#930
jsierles wants to merge 2 commits into
mainfrom
js-no-ips-log-shipper

Conversation

@jsierles

@jsierles jsierles commented Aug 16, 2023

Copy link
Copy Markdown
Contributor

A customer pointed out that our log shipper could expose its GraphQL API. We want standard shipper deployments to have no services nor IPs.

Note: --no-public-ips fails when an HTTP service is setup by default by fly launch.

@andie787

Copy link
Copy Markdown
Contributor

Should we mention that if they want only 1 machines, then use the --ha=false flag on fly deploy?

Related: this user PR for apps that do have 2 machines #820

@jsierles

Copy link
Copy Markdown
Contributor Author

Yes, actually this may be a related issue. The shipper can operate in HA mode by setting a QUEUE env var, but that doesn't happen by default. I've been working on automating the shipper, but parked that for now.

@andie787

Copy link
Copy Markdown
Contributor

#820 mentioned above was merged. this added info about QUEUE env var to the docs

@andie787

Copy link
Copy Markdown
Contributor

@jsierles Should we still ship this docs change or did it get fixed in flyctl?

@kcmartin

kcmartin commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Thanks for this, and sorry it sat so long! The file moved since, so I've re-applied the fix (remove the public services section, deploy with --no-public-ips, plus notes for releasing existing IPs) in #2420. Closing in favor of that.

@kcmartin kcmartin closed this Jul 1, 2026
kcmartin added a commit that referenced this pull request Jul 7, 2026
* Secure log shipper docs: no public services or IPs

The log shipper guide told users to keep a [[services]] section on
port 8686, which exposed Vector's unauthenticated GraphQL API publicly
(reported at community.fly.io/t/14836). Vector pulls logs from the
internal stream and needs no inbound access, so remove the service
section and deploy with --no-public-ips. Also note how to release IPs
on already-exposed deployments.

Supersedes #930.

* Match http_service section name to what fly launch generates

* Add Datadog to Vale vocabulary

* Add health check section for the Log Shipper
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants