
Commit 1b0b898

nisolanki1209nisolanki1209
andauthored
Change server bindings to localhost (#1)
* fix(security): change server bindings from 0.0.0.0 to 127.0.0.1
* feat(security): implement SSL/TLS certificate support

---------

Co-authored-by: nisolanki1209 <nisolanki@gmail.com>
1 parent a2dc062 commit 1b0b898

8 files changed

Lines changed: 832 additions & 94 deletions


comfyui/README.md

Lines changed: 37 additions & 8 deletions
@@ -6,8 +6,10 @@ Powerful node-based interface for Stable Diffusion image generation.
66

77
- **ComfyUI** - Node-based UI for Stable Diffusion
88
- **ComfyUI-Manager** - Model manager & custom node installer (⭐ **NEW**)
9+
- **OpenSSL** - For SSL certificate generation
910
- **PyTorch** - With CUDA GPU support
1011
- **Stable Diffusion 1.5** - Starter model (pre-downloaded)
12+
- **SSL/TLS certificates** - Self-signed certificates for HTTPS access
1113
- **Systemd service** - Auto-starts with system
1214
- **Python virtual environment** - Clean isolation
1315

@@ -19,11 +21,14 @@ Powerful node-based interface for Stable Diffusion image generation.
1921
- **Custom nodes** - Extensible with community plugins
2022
- **Multiple models** - Support for SD 1.5, SDXL, LoRAs, etc.
2123
- **Batch processing** - Generate multiple images
24+
- **Secure by default** - Bound to localhost for security
2225

23-
## ⚠️ Required Port
26+
## 🔒 Security
2427

25-
To access from outside Brev, open:
26-
- **8188/tcp** (ComfyUI web interface)
28+
- **HTTPS/SSL encryption** - All traffic encrypted with TLS/SSL
29+
- **Localhost binding** - Service is bound to `127.0.0.1` only (not exposed to network)
30+
- **Self-signed certificates** - Automatically generated SSL certificates (valid for 1 year)
31+
- **Secure remote access** - Use SSH port forwarding for remote access
2732

2833
## Requirements
2934

@@ -41,17 +46,41 @@ Takes ~5-10 minutes (downloads model).
4146

4247
## What you get
4348

44-
- **Web UI:** `http://localhost:8188`
49+
- **Web UI:** `https://localhost:8188`
4550
- **Installation:** `~/ComfyUI`
4651
- **Models:** `~/ComfyUI/models/checkpoints`
52+
- **SSL certificates:** `~/ComfyUI/certs/`
4753
- **Service:** Auto-starts on boot
4854

55+
## Access & Remote Access
56+
57+
### Local Access
58+
59+
The service is bound to `localhost` (127.0.0.1) for security. Access it locally via HTTPS:
60+
61+
```bash
62+
# Open in browser on the server
63+
https://localhost:8188
64+
```
65+
66+
### Remote Access via SSH Port Forwarding
67+
68+
For secure remote access, use SSH port forwarding:
69+
70+
```bash
71+
# From your local machine
72+
ssh -L 8188:localhost:8188 user@your-server
73+
74+
# Then access in your local browser
75+
https://localhost:8188
76+
```
77+
4978
## Quick Start
5079

5180
**Access the UI:**
5281
```bash
53-
# Open in browser (or via your Brev URL with port 8188)
54-
http://localhost:8188
82+
# Open in browser (local or via SSH port forwarding)
83+
https://localhost:8188
5584
```
5685

5786
**⭐ Download Models (using ComfyUI-Manager):**
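Review bot: The new "Local Access" and "Remote Access via SSH Port Forwarding" sections send users to `https://localhost:8188` without saying that the certificate is self-signed, so the first thing they will see is a browser certificate warning with no guidance on how to tell the expected warning from an unexpected one. Add a sentence explaining the warning and a way to confirm the certificate, for example comparing the SHA-256 fingerprint shown by the browser with the output of `openssl x509 -noout -fingerprint -sha256 -in ~/ComfyUI/certs/cert.pem` run on the server. Minor: the URLs sit inside `bash` fences although they are not commands.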
@@ -268,7 +297,7 @@ sudo journalctl -u comfyui -n 50
268297

269298
**Can't access UI:**
270299
- Check service: `sudo systemctl status comfyui`
271-
- Check port: `lsof -i :8188`
300+
- For remote access, use SSH port forwarding (see above)
272301
- View logs: `sudo journalctl -u comfyui -f`
273302

274303
## Python API
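Review bot: In the "Can't access UI" list, replacing `lsof -i :8188` with the SSH bullet removes the only step that shows whether anything is listening and on which address. Keep it alongside the new bullet and state the expected result (a listener on the loopback address, port 8188), since that is also how a user confirms the service is no longer bound to 0.0.0.0.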
@@ -285,7 +314,7 @@ workflow = {
285314
}
286315

287316
response = requests.post(
288-
"http://localhost:8188/prompt",
317+
"https://localhost:8188/prompt",
289318
json={"prompt": workflow}
290319
)
291320

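Review bot: The `requests.post` call now targets `https://localhost:8188/prompt` but passes no `verify` argument, so with the self-signed certificate this example fails certificate verification as written. Point `verify` at the generated `cert.pem` under `~/ComfyUI/certs/` (as an expanded path) so readers are not left to turn verification off. Note that setup.sh issues the certificate with `CN=$HOSTNAME` and no subjectAltName, so verification against `localhost` also needs the certificate to list `localhost`.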
comfyui/setup.sh

Lines changed: 56 additions & 9 deletions
@@ -46,7 +46,7 @@ fi
4646
# Install dependencies
4747
echo "Installing system dependencies..."
4848
sudo apt-get update -qq
49-
sudo apt-get install -y -qq git python3-pip python3-venv
49+
sudo apt-get install -y -qq git python3-pip python3-venv openssl
5050

5151
# Clone ComfyUI
5252
if [ -d "$HOME/ComfyUI" ]; then
@@ -122,16 +122,57 @@ else
122122
echo "Model already exists, skipping download"
123123
fi
124124

125-
# Create start script
126-
cat > "$HOME/ComfyUI/start.sh" << 'EOF'
125+
# Generate SSL/TLS certificate and key
126+
echo "Generating SSL/TLS certificate and key..."
127+
CERT_DIR="$HOME/ComfyUI/certs"
128+
mkdir -p "$CERT_DIR"
129+
cd "$CERT_DIR"
130+
131+
# Get hostname or IP for certificate
132+
HOSTNAME=$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo "localhost")
133+
IP_ADDRESS=$(hostname -I | awk '{print $1}' 2>/dev/null || echo "127.0.0.1")
134+
135+
if [ ! -f "$CERT_DIR/key.pem" ] || [ ! -f "$CERT_DIR/cert.pem" ]; then
136+
echo "Creating self-signed certificate (valid for 1 years)..."
137+
if [ "$(id -u)" -eq 0 ]; then
138+
sudo -H -u $USER openssl req -x509 -newkey rsa:4096 \
139+
-keyout "$CERT_DIR/key.pem" \
140+
-out "$CERT_DIR/cert.pem" \
141+
-sha256 -days 365 -nodes \
142+
-subj "/O=ComfyUI/OU=IT/CN=$HOSTNAME"
143+
else
144+
openssl req -x509 -newkey rsa:4096 \
145+
-keyout "$CERT_DIR/key.pem" \
146+
-out "$CERT_DIR/cert.pem" \
147+
-sha256 -days 365 -nodes \
148+
-subj "/O=ComfyUI/OU=IT/CN=$HOSTNAME"
149+
fi
150+
151+
# Set secure permissions
152+
chmod 600 "$CERT_DIR/key.pem"
153+
chmod 644 "$CERT_DIR/cert.pem"
154+
155+
if [ "$(id -u)" -eq 0 ]; then
156+
chown $USER:$USER "$CERT_DIR/key.pem" "$CERT_DIR/cert.pem"
157+
fi
158+
159+
echo "✓ SSL certificate and key generated"
160+
echo " Certificate: $CERT_DIR/cert.pem"
161+
echo " Private Key: $CERT_DIR/key.pem"
162+
else
163+
echo "SSL certificate and key already exist, skipping generation"
164+
fi
165+
166+
# Create start script with HTTPS support
167+
cat > "$HOME/ComfyUI/start.sh" << EOF
127168
#!/bin/bash
128169
cd ~/ComfyUI
129170
source venv/bin/activate
130-
python main.py --listen 0.0.0.0 --port 8188
171+
python main.py --listen localhost --port 8188 --tls-keyfile $CERT_DIR/key.pem --tls-certfile $CERT_DIR/cert.pem
131172
EOF
132173
chmod +x "$HOME/ComfyUI/start.sh"
133174

134-
# Create systemd service
175+
# Create systemd service with HTTPS support
135176
sudo tee /etc/systemd/system/comfyui.service > /dev/null << EOF
136177
[Unit]
137178
Description=ComfyUI
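Review bot: The certificate is issued with `-subj "/O=ComfyUI/OU=IT/CN=$HOSTNAME"` and no subjectAltName, while every documented URL is `https://localhost:8188`, so clients that check the name will reject it; `IP_ADDRESS` is computed and never used. Add `-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"` (OpenSSL 1.1.1 or later) to both `openssl req` calls and drop the unused variable, whose `|| echo "127.0.0.1"` fallback only tests `awk`, not `hostname -I`. Further points in this hunk: the `id -u` equals 0 branch runs `sudo -H -u $USER` and `chown $USER:$USER` unquoted, and under root `$USER` is typically root, so that branch does not hand the files to a service user; the key is written before `chmod 600`, so set `umask 077` before generating it; `cd "$CERT_DIR"` changes the working directory for the rest of the script; the now unquoted heredoc writes `$CERT_DIR/key.pem` and `$CERT_DIR/cert.pem` into start.sh without quotes; and the message reads "valid for 1 years".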
@@ -141,7 +182,7 @@ After=network.target
141182
Type=simple
142183
User=$USER
143184
WorkingDirectory=$HOME/ComfyUI
144-
ExecStart=$HOME/ComfyUI/venv/bin/python main.py --listen 0.0.0.0 --port 8188
185+
ExecStart=$HOME/ComfyUI/venv/bin/python main.py --listen localhost --port 8188 --tls-keyfile $CERT_DIR/key.pem --tls-certfile $CERT_DIR/cert.pem
145186
Restart=on-failure
146187
147188
[Install]
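Review bot: `ExecStart` passes `--listen localhost`, while the commit message and README promise a bind to 127.0.0.1; what `localhost` resolves to depends on the host's resolver configuration. Pass `--listen 127.0.0.1` here and in start.sh so the bind address is explicit. The command line also duplicates start.sh; pointing `ExecStart` at `$HOME/ComfyUI/start.sh` would keep the TLS flags in one place.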
@@ -174,13 +215,15 @@ else
174215
fi
175216

176217
echo ""
177-
echo "✅ ComfyUI ready!"
218+
echo "✅ ComfyUI ready with HTTPS enabled!"
219+
echo ""
220+
echo "🔒 HTTPS Access: https://localhost:8188"
178221
echo ""
179-
echo "Access: http://localhost:8188"
180222
echo "⚠️ Open port 8188/tcp to access from outside Brev"
181223
echo ""
182224
echo "Location: $HOME/ComfyUI"
183225
echo "Models: $HOME/ComfyUI/models/checkpoints"
226+
echo "SSL Certificates: $CERT_DIR"
184227
echo ""
185228
echo "✨ ComfyUI-Manager installed!"
186229
echo " Click the 'Manager' button in the UI to:"
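Review bot: The unchanged line `echo "⚠️ Open port 8188/tcp to access from outside Brev"` is still printed right after the new HTTPS message, but with the service bound to localhost opening that port no longer gives access, and the advice contradicts the new README. Replace it with the SSH port forwarding hint (`ssh -L 8188:localhost:8188 user@your-server`).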
@@ -192,4 +235,8 @@ echo "Manage service:"
192235
echo " sudo systemctl status comfyui"
193236
echo " sudo journalctl -u comfyui -f"
194237
echo " cd ~/ComfyUI && ./start.sh # Manual start"
195-
238+
echo ""
239+
echo "SSL Certificate Info:"
240+
echo " Certificate: $CERT_DIR/cert.pem"
241+
echo " Private Key: $CERT_DIR/key.pem"
242+
echo " Valid for: 1 year"
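Review bot: `echo " Valid for: 1 year"` is printed even when generation was skipped because `key.pem` and `cert.pem` already existed, so on a re-run the stated validity can be wrong. Print the real expiry instead, for example from `openssl x509 -noout -enddate -in "$CERT_DIR/cert.pem"`, and document how to renew, since nothing regenerates the certificate once the files exist.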

databases/README.md

Lines changed: 87 additions & 9 deletions
@@ -21,50 +21,128 @@ Takes ~1-2 minutes (downloads Docker images).
2121
**PostgreSQL:**
2222
- Host: `localhost:5432`
2323
- User: `postgres`
24-
- Password: `postgres`
24+
- Password: Auto-generated (stored in `~/.db_passwords.env`)
2525
- Database: `postgres`
26-
- **Port to open:** `5432/tcp`
26+
- SSL certificates: `~/database_certs/postgres/`
2727

2828
**Redis:**
2929
- Host: `localhost:6379`
30-
- No password
31-
- **Port to open:** `6379/tcp`
30+
- Password: Auto-generated (stored in `~/.db_passwords.env`)
31+
- TLS certificates: `~/database_certs/redis/`
3232

33-
## ⚠️ Required Ports
33+
## Access & Remote Access
3434

35-
To access from outside Brev, open these ports:
36-
- **5432/tcp** - PostgreSQL
37-
- **6379/tcp** - Redis
35+
### Local Access
36+
37+
Both services are bound to `localhost` (127.0.0.1) for security and use SSL/TLS encryption:
38+
39+
```bash
40+
# PostgreSQL
41+
psql -h localhost -U postgres
42+
43+
# Redis
44+
redis-cli -h localhost
45+
```
46+
47+
### Remote Access via SSH Port Forwarding
48+
49+
For secure remote access, use SSH port forwarding:
50+
51+
```bash
52+
# From your local machine - PostgreSQL
53+
ssh -L 5432:localhost:5432 user@your-server
54+
55+
# From your local machine - Redis
56+
ssh -L 6379:localhost:6379 user@your-server
57+
58+
# Then connect from your local machine
59+
psql -h localhost -U postgres
60+
redis-cli -h localhost
61+
```
62+
63+
## Retrieve Passwords
64+
65+
Passwords are stored securely in `~/.db_passwords.env`:
66+
67+
```bash
68+
# View PostgreSQL password
69+
grep POSTGRES_PASSWORD ~/.db_passwords.env
70+
71+
# View Redis password
72+
grep REDIS_PASSWORD ~/.db_passwords.env
73+
74+
# Or view the entire file
75+
cat ~/.db_passwords.env
76+
```
3877

3978
## Connect to PostgreSQL
4079

4180
```bash
4281
# Using psql
82+
psql -h localhost -U postgres
83+
# Enter password when prompted (retrieve from ~/.db_passwords.env)
84+
85+
# Or using Docker exec (no password needed)
4386
docker exec -it postgres psql -U postgres
4487

4588
# Or install client
4689
sudo apt install postgresql-client
4790
psql -h localhost -U postgres
4891
```
4992

93+
**Using password from environment:**
94+
```bash
95+
source ~/.db_passwords.env
96+
psql -h localhost -U postgres -W
97+
# Enter password: $POSTGRES_PASSWORD
98+
```
99+
50100
## Connect to Redis
51101

52102
```bash
53103
# Using redis-cli
104+
redis-cli -h localhost
105+
# Enter password: AUTH <password> (retrieve from ~/.db_passwords.env)
106+
107+
# Or using Docker exec (no password needed)
54108
docker exec -it redis redis-cli
55109

56110
# Or install client
57111
sudo apt install redis-tools
58-
redis-cli
112+
redis-cli -h localhost
59113
```
60114

115+
**Using password from environment:**
116+
```bash
117+
source ~/.db_passwords.env
118+
redis-cli -h localhost -a "$REDIS_PASSWORD"
119+
```
120+
121+
## Connection Strings
122+
123+
**PostgreSQL:**
124+
```bash
125+
# From environment file
126+
source ~/.db_passwords.env
127+
export PGPASSWORD="$POSTGRES_PASSWORD"
128+
psql -h localhost -U postgres -d postgres
129+
```
130+
131+
**Redis:**
132+
```bash
133+
# From environment file
134+
source ~/.db_passwords.env
135+
redis-cli -h localhost -a "$REDIS_PASSWORD"
136+
61137
## Manage containers
62138

63139
```bash
64140
docker ps # See running containers
65141
docker stop postgres redis # Stop databases
66142
docker start postgres redis # Start databases
67143
docker logs postgres # View logs
144+
docker logs redis # View Redis logs
68145
docker exec -it postgres bash # Get shell in container
146+
docker exec -it redis redis-cli # Redis CLI
69147
```
70148

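Review bot: The `bash` fence opened under "**Redis:**" in the new "Connection Strings" section is never closed; the added lines end at `redis-cli -h localhost -a "$REDIS_PASSWORD"` and a blank line, so "## Manage containers" is swallowed into the code block and the fences after it are inverted. Add the closing fence. Beyond that, the text says both services use SSL/TLS, but the `redis-cli` commands pass no `--tls` or `--cacert` and the `psql` commands set no `sslmode`, so the README does not show how to require or verify TLS with the certificates under `~/database_certs/`. `redis-cli -a "$REDIS_PASSWORD"` puts the password on the command line; exporting `REDISCLI_AUTH` avoids that, in the same way the PostgreSQL example uses `PGPASSWORD`. "Passwords are stored securely" should say what that means (file mode and owner of `~/.db_passwords.env`).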