How to integrate the panel with remote server? #100

Open
rezadehganpour opened this issue Jan 1, 2016 · 10 comments

@rezadehganpour

Is there a way that I can integrate the panel with my server that is running on an EC2 server (RHEL)?

@dgobaud

dgobaud commented May 12, 2016

Yes would like to know this also! How does it work/will it work on a remote server?

@modosc
Collaborator

modosc commented May 16, 2016

to the best of my knowledge it should work fine - what issues are you running into?

@dgobaud

dgobaud commented May 16, 2016

Just don't see any data which makes sense. How is data sent to the rails panel?

@modosc
Collaborator

modosc commented May 16, 2016

the meta_request gem stores traces locally keyed off of the request-id (see here).

when the rails_panel chrome extension sees an x-meta-request-version header in a response it constructs a request to the server to fetch the generated instrumentation (see here) and then renders it.

i don't see any reason this wouldn't work remotely unless your rails setup is behind some sort of complicated proxy/cache setup.

@dgobaud

dgobaud commented May 16, 2016

I see - so I'm thinking two issues with this:

  1. No security - how to prevent third-parties from getting this data?
  2. What about multiple servers behind a load balancer?

@modosc
Collaborator

modosc commented May 16, 2016

  1. You are correct, by default there's no access-control at all. an attacker would have to guess a uuid to find a valid trace so at least there's some security by obscurity. we should probably be more explicit about this (and the performance cost which is more of an issue imho) in the docs. at the very least we could print out warnings in the console when not in :development. rack-mini-profiler does a reasonable job of providing docs and api for these issues.
  2. Multiple servers won't really work correctly unless you either have some sort of connection pinning / sticky session configured or change the backend to write to a shared location (for reference, rack-mini-profiler supports redis and memcache which would solve this problem).

@dgobaud

dgobaud commented May 16, 2016

  1. But the attacker can see the UUID on any request they make right? And then get info for that request?
  2. got it

@dgobaud

dgobaud commented May 16, 2016

it would be great to be able to add a ?rails-panel=PASSWORD param to any request and if it matches then it is turned on and you can get the data

@modosc
Collaborator

modosc commented May 16, 2016

i see, an attacker could set that. i think the solution there is to support something like rack-mini-profiler's Rack::MiniProfiler.authorize_request

i'm going to update the docs and add a warning in the console as a first step.

@Nowaker

Nowaker commented Nov 13, 2021

@modosc @dejan Any instructions on how to make it secure? Or ideally, a config option for password/token that the Chrome extension is required to pass to obtain the data?
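
One way to put the access control discussed in this thread in front of the trace endpoint, as an added example that is not part of the thread and not meta_request's or rails_panel's own code: a Rack middleware that answers 404 for trace requests lacking a shared token and hides the x-meta-request-* response headers from such clients. The `/__meta_request/` path prefix, the `X-Panel-Token` header and the `TraceGate` name are assumptions.

```ruby
require "digest"

# Added example: Rack middleware meant to sit in front of meta_request.
# Assumptions (not from the thread): the trace path prefix, the header name,
# and the class name are hypothetical and must be adapted to the real setup.
class TraceGate
  TRACE_PATH   = %r{\A/__meta_request/}   # assumed prefix of the trace endpoint
  TOKEN_HEADER = "HTTP_X_PANEL_TOKEN"     # hypothetical request header X-Panel-Token
  ADVERTISED   = /\Ax-meta-request-/i     # response headers that advertise a trace

  def initialize(app, token:)
    raise ArgumentError, "token must not be empty" if token.to_s.empty?
    @app = app
    @token_digest = Digest::SHA256.digest(token)
  end

  def call(env)
    authorized = token_ok?(env[TOKEN_HEADER])

    # Without the token, the trace endpoint looks like any missing page.
    if env["PATH_INFO"].to_s.match?(TRACE_PATH) && !authorized
      return [404, { "content-type" => "text/plain" }, ["Not Found"]]
    end

    status, headers, body = @app.call(env)
    # Do not tell unauthorized clients that instrumentation exists at all.
    headers = headers.reject { |name, _| name.match?(ADVERTISED) } unless authorized
    [status, headers, body]
  end

  private

  # Compare fixed-length SHA-256 digests without an early exit, so the
  # comparison time does not depend on how many leading bytes match.
  def token_ok?(candidate)
    return false if candidate.nil?
    a = Digest::SHA256.digest(candidate).bytes
    b = @token_digest.bytes
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The gate only helps if it runs ahead of meta_request's own middleware in the stack, and the client fetching traces needs a way to attach the header.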
