Description
Which Cloudflare product(s) does this pertain to?
Wrangler core
What version(s) of the tool(s) are you using?
3.15.0
What version of Node are you using?
21.1.0
What operating system are you using?
Mac
Describe the Bug
When running wrangler dev, several services listen on the wildcard address. On machines without a firewall this causes unnecessary exposure.
Ports in question:
- node: ports 9229 and 6284, plus a random port (56547)
- workerd: port 8787
```
$ lsof -nPiTCP -sTCP:LISTEN
COMMAND   PID  USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
node    51399  pwu  33u IPv6 0xe8478a1f17ba37f  0t0      TCP  *:9229 (LISTEN)
node    51399  pwu  37u IPv4 0xe8478b51682305f  0t0      TCP  *:56781 (LISTEN)
node    51399  pwu  38u IPv6 0xe8478a1f17bab7f  0t0      TCP  *:6284 (LISTEN)
workerd 51401  pwu  11u IPv4 0xe8478b515f2f98f  0t0      TCP  127.0.0.1:56779 (LISTEN)
workerd 51401  pwu  12u IPv6 0xe8478a1f17bb37f  0t0      TCP  [::1]:56779 (LISTEN)
workerd 51401  pwu  14u IPv4 0xe8478b5166e64ff  0t0      TCP  *:8787 (LISTEN)
```
With wrangler dev --ip localhost, this improves such that workerd is no longer listening on the wildcard address:
```
$ lsof -nPiTCP -sTCP:LISTEN
COMMAND   PID  USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
node    51416  pwu  36u IPv6 0xe8478a1e7bdd37f  0t0      TCP  *:9229 (LISTEN)
node    51416  pwu  37u IPv6 0xe8478a1f161c37f  0t0      TCP  [::1]:56788 (LISTEN)
node    51416  pwu  38u IPv6 0xe8478a1e7bddb7f  0t0      TCP  *:6284 (LISTEN)
workerd 51418  pwu  11u IPv4 0xe8478b515f2f98f  0t0      TCP  127.0.0.1:56786 (LISTEN)
workerd 51418  pwu  12u IPv6 0xe8478a1f17f5b7f  0t0      TCP  [::1]:56786 (LISTEN)
workerd 51418  pwu  14u IPv4 0xe8478b51682305f  0t0      TCP  127.0.0.1:8787 (LISTEN)
workerd 51418  pwu  15u IPv6 0xe8478a1f17f537f  0t0      TCP  [::1]:8787 (LISTEN)
```
Ports are defined here:
workers-sdk/packages/wrangler/src/index.ts
Lines 62 to 63 in 3637d97
```ts
export const DEFAULT_LOCAL_PORT = 8787;
export const DEFAULT_INSPECTOR_PORT = 9229;
```
Port 9229 is used for the inspector here:
workers-sdk/packages/wrangler/src/dev/inspect.ts
Lines 859 to 865 in 3637d97
```ts
export const openInspector = async (
	inspectorPort: number,
	worker: string | undefined
) => {
	const query = new URLSearchParams();
	query.set("theme", "systemPreferred");
	query.set("ws", `localhost:${inspectorPort}/ws`);
```
```ts
server.listen(props.port);
```
As you can see, there is no reason it should listen on the wildcard given that it is only used locally. Let's change that to listen on localhost, https://nodejs.org/api/net.html#serverlisten
```diff
- server.listen(props.port);
+ server.listen(props.port, 'localhost');
```
Port 6284 appears to be used for a "service registry":
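Review bot: the replacement `server.listen(props.port, 'localhost')` hard-codes loopback for the inspector, which conflicts with the report's own caveat that wrangler inside Docker with port-forwarding still needs a wildcard bind; rather than the literal `'localhost'`, pass the host derived from `--ip` (defaulting to localhost when it is unset), so the inspector follows the same `--ip` setting that already moves workerd off the wildcard in the second listing.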
workers-sdk/packages/wrangler/src/dev-registry.ts
Lines 13 to 14 in 3637d97
```ts
const DEV_REGISTRY_PORT = "6284";
const DEV_REGISTRY_HOST = `http://localhost:${DEV_REGISTRY_PORT}`;
```
workers-sdk/packages/wrangler/src/dev-registry.ts
Lines 83 to 85 in 3637d97
```ts
server = http.createServer(app);
terminator = createHttpTerminator({ server });
server.listen(DEV_REGISTRY_PORT);
```
Again, it only appears to be used on localhost, so we should be able to change that as well?
Note that for those running wrangler in Docker with port-forwarding, it should probably still listen on the wildcard in that special case. Maybe the --ip option can be used to influence the above listen options?
Historical note: the dev server used to listen on localhost, but this was changed to listen on wildcard in #1605 which also added the --ip option.
Also related: security concerns about listening on external interfaces, #2036 (closed in favor of #4239).
Please provide a link to a minimal reproduction
No response
Please provide any relevant error logs
No response