Can I be sure my Java web app running on localhost:8080 is invisible from my fellow Starbucks customers?

I'm developing a Spring application on my Windows 7 machine and running it on localhost:8080.

Is there any chance that if I do this in a public location like Starbucks that it is possible for my app to be visible to others?

(I'm using Windows Firewall and Microsoft Security Essentials)

Be sure that it is binding to localhost:8080 (i.e., 127.0.0.1), not all interfaces (which is probably the default). Server programs usually have an option to say which IP addresses to bind. For example, in Apache, you can provide an IP address to the Listen directive in addition to a port number. If you only bind to 127.0.0.1, the port will not be open for people scanning your external IP address.

Short answer: No.

Long answer: Someone might access your app like this:

If you visit a malicious website (if anyone at Starbucks is poisoning the DNS cache or spoofing DNS responses, then you may visit a malicious website at www.google.com without knowing about it), then the attacker may send you to his domain with a DNS server (which may in fact be on his laptop) replying to the same query with a very short TTL, once with his IP, then with 127.0.0.1, then his IP again, etc. That way, when you are sent to http://www.example.com:8080, it is resolved as the attacker's IP and you get the website, which starts an AJAX request to the same domain and the same port (so the same-origin policy is satisfied in every browser). But thanks to the short TTL you don't have the domain entry in your cache any more, so you ask again, and this time you get the answer 127.0.0.1, which incidentally is your own loopback interface, which you assume to be invisible from the outside. It is in fact invisible from the outside, but perfectly visible from your browser. Your browser will happily connect to your app at 127.0.0.1:8080 and proxy the request to the attacker with another AJAX connection or any other side channel. Voilà, your app is now connected to the world!

Things like this happen in the wild, so be careful. Sometimes people even access admin interfaces in routers behind NAT and firewalls that way. Quite frankly I'm pretty scared by all of the responses telling you that it is impossible to access anything running on localhost. Be careful what you do.
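The two defences raised in the answers above, binding to the loopback address only and refusing requests whose Host header is not the local one (the check that stops the DNS-rebinding scenario just described, since the browser still sends the attacker's domain in Host when it reaches 127.0.0.1), shown together in a small dev server. This is an added example, not code from the question or any answer; it uses the JDK's built-in com.sun.net.httpserver (Java 9+ for Set.of) rather than Spring, and the allowed host names and port are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class LoopbackOnlyServer {
    // Host values a browser legitimately sends for a loopback-bound dev server (assumed).
    // In the rebinding scenario the browser reaches 127.0.0.1:8080 with
    // Host: www.example.com:8080, which this allow-list rejects.
    private static final Set<String> ALLOWED_HOSTS = Set.of(
        "localhost:8080", "127.0.0.1:8080", "[::1]:8080");

    static boolean hostAllowed(String hostHeader) {
        return hostHeader != null && ALLOWED_HOSTS.contains(hostHeader.toLowerCase());
    }

    public static void main(String[] args) throws IOException {
        // Bind explicitly to 127.0.0.1, not 0.0.0.0: the port is then unreachable
        // from other machines on the same Wi-Fi, whatever the firewall does.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/", LoopbackOnlyServer::handle);
        server.start();
        System.out.println("Listening on " + server.getAddress());
    }

    static void handle(HttpExchange ex) throws IOException {
        String host = ex.getRequestHeaders().getFirst("Host");
        int status;
        byte[] body;
        if (!hostAllowed(host)) {
            status = 421; // Misdirected Request: Host does not name this server
            body = "rejected: unexpected Host header".getBytes(StandardCharsets.UTF_8);
        } else {
            status = 200;
            body = "hello from the dev server".getBytes(StandardCharsets.UTF_8);
        }
        ex.sendResponseHeaders(status, body.length);
        try (OutputStream os = ex.getResponseBody()) {
            os.write(body);
        }
    }
}
```

After starting it, `netstat -an` on Windows should list the listener as 127.0.0.1:8080 rather than 0.0.0.0:8080.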

Is there any chance that if I do this in a public location like Starbucks that it is possible for my app to be visible to others?

Of course! People can look over your shoulder.

What Jeremiah said. Use netstat -an to check what addresses it is bound to.

And never trust Windows Firewall, or any other software to which you don't have the source.

If the port is open, it can be. If you program it to only accept connections from localhost while developing, then even if they can see it, they won't be able to connect to it.
