I'm having some security issues regarding my uWSGI configuration.
Here's the current issue:
I have a front server, called api.domain.tld, that has NGinx installed with a proxy_pass that points to the uWSGI instance through a .sock file.
This uWSGI instance on the frontend server is configured this way:
uwsgi -M --fastrouter /tmp/project.sock --fastrouter-subscription-server public_ip:port
And, as you might expect, I have a fleet of servers that contain the actual code and run uWSGI instances that subscribe to this fastrouter, like this:
uwsgi --socket public_ip_of_sub_server:port -M --subscribe-to ip_front_lb:port:api.domain.tld
(with other params).
Here's my problem:
All the servers are publicly available, not part of a private network (the servers I got come from different offers and don't offer this possibility, unfortunately).
For the frontend, that means anyone can plug their uWSGI instance into it ... not great. I've found out that I can secure the subscription system, so this should be OK (can you confirm or refute it?).
But now, the socket parameter on the sub_servers is public, which is discouraged by uWSGI (first point).
So my question:
How can I take advantage of fastrouter/subscription from uWSGI on servers that are facing public access while keeping things secure?
Thank you for your help!
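For reference, here is an added example (not from the original post or the uWSGI project) of the signed-subscription setup uWSGI documents, written as one ini file with two sections so the fastrouter and a subscriber node can each be started with `uwsgi --ini uwsgi.ini:<section>`. The IPs, ports, key paths and the section names fastrouter/node are assumed placeholders.

```ini
; Added example: fastrouter front and one subscriber node in a single uWSGI ini.
; Start each role with its section:
;   uwsgi --ini uwsgi.ini:fastrouter      (on the front server)
;   uwsgi --ini uwsgi.ini:node            (on each code server)
; Assumed placeholders: FRONT_PUBLIC_IP, NODE_PUBLIC_IP, ports 2626/3031, key paths.
;
; Key material (generated once, private key kept only on the nodes):
;   openssl genrsa -out /etc/uwsgi/private.pem 2048
;   openssl rsa -in /etc/uwsgi/private.pem -pubout \
;       -out /etc/uwsgi/keys/api.domain.tld.pem
; The public key file name must match the subscription key plus ".pem".

[fastrouter]
master = true
; local socket that the nginx proxy_pass in the post points at
fastrouter = /tmp/project.sock
; the subscription server has to be reachable by the nodes, so it stays public
fastrouter-subscription-server = FRONT_PUBLIC_IP:2626
; drop every subscription packet whose signature does not verify against a
; public key found in this directory (here /etc/uwsgi/keys/api.domain.tld.pem);
; this is what stops an arbitrary uWSGI instance from plugging itself in
subscriptions-sign-check = SHA1:/etc/uwsgi/keys

[node]
master = true
; the fastrouter connects back to this address, so it must be reachable from
; FRONT_PUBLIC_IP; restrict it with the host firewall to that source address only
socket = NODE_PUBLIC_IP:3031
; announce ourselves with a signed subscription for key api.domain.tld;
; the private key pairs with the public .pem installed on the front server
subscribe2 = server=FRONT_PUBLIC_IP:2626,key=api.domain.tld,sign=SHA1:/etc/uwsgi/private.pem
```

With sign-check enabled, an unsigned `--subscribe-to` from a stranger is rejected by the fastrouter, while the node's own socket still needs network-level filtering since uWSGI itself does not authenticate fastrouter-to-node connections.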