Web and API Security
Librux can expose a browser console, REST APIs, and WebSocket endpoints from the host control backend. Treat those endpoints as an operations surface, not as an open development dashboard.
The security model has two gates.
- network admission decides where requests may come from
- authentication decides who may call the API
Use both when the API binds to anything broader than loopback.
Configuration
Security is one area of the host configuration described in
Runtime Configuration. It is configured in
runtime/config.yaml.
security:
enabled: true
network:
allow_cidrs:
- "127.0.0.1/32"
- "192.168.60.0/24"
allowed_origins:
- "http://192.168.60.20:8001"
trust_forwarded_for: false
api:
require_auth: true
token_env: "LIBRUX_API_TOKEN"
tokens_file: "/opt/librux/var/lib/security/api_tokens.yaml"
web:
login_required: true
admin_password_env: "LIBRUX_WEB_ADMIN_PASSWORD"
admin_password_file: "/opt/librux/var/lib/security/admin_password"
session_timeout_sec: 3600
session_cookie_name: "librux_session"
health:
unauthenticated: true
allow_cidrs should include only the management network and loopback. A browser
Origin allowlist is optional, but recommended when a fixed management URL is
used.
API Keys
REST and WebSocket APIs accept either header form.
Authorization: Bearer <api-key>
X-Librux-API-Key: <api-key>
Use the Web Console Settings page to create and revoke normal API keys. API keys are displayed once at creation time and are hidden afterwards. If a key is lost or suspected to be exposed, revoke it and create a new one.
API keys are intended for external clients, automation, monitoring, and federation/bootstrap clients. The browser Web Console should not store a long-lived API key. It uses the Web login session described below.
The API key storage file is YAML. The configuration field names use token
internally because the stored secret value is an authentication token.
tokens:
- name: operator-laptop
role: operator
token: replace-with-long-random-token
- name: monitoring
role: viewer
token: replace-with-long-random-token
Roles are enforced by protected Host Control routes when security is enabled.
| Role | Access |
|---|---|
viewer |
read runtime state, specs, health, and Event streams |
operator |
viewer access plus Control WebSocket and managed package instance lifecycle operations |
admin |
operator access plus configuration writes, package install/removal, security management, and runtime apply/restart |
Unknown roles authenticate but do not satisfy protected mutating operations.
Web Login
The browser console uses session cookies. Configure the admin password through a root-owned file or environment variable. Avoid putting real passwords directly in the main runtime YAML.
Example.
sudo install -d -m 0700 /opt/librux/var/lib/security
printf '%s\n' '<admin-password>' | sudo tee /opt/librux/var/lib/security/admin_password >/dev/null
sudo chmod 0600 /opt/librux/var/lib/security/admin_password
After login, the browser receives an HttpOnly SameSite=Lax session cookie.
The frontend uses that cookie for same-origin REST calls and WebSocket
handshakes. This is the supported authentication path for the browser Console
when security.api.require_auth=true.
Do not disable Web login on a host where the browser Console is expected to operate with API authentication enabled.
security:
enabled: true
api:
require_auth: true
web:
login_required: true
The combination api.require_auth=true and web.login_required=false is an
external API-client mode. It is useful for headless hosts or custom product UIs
where automation sends Authorization: Bearer <api-key> or
X-Librux-API-Key, but the bundled browser Console cannot create an
authenticated session in that mode.
Use the Web Console Settings page to change the admin password when
security.web.admin_password_file points to a managed password file. If the
password is supplied by environment variable, the runtime reports it as
externally controlled and the Web Console will not rewrite it.
Gate Combinations
The security options are intentionally separated so development, API-only, and browser-console deployments can use different policies.
security.enabled |
api.require_auth |
web.login_required |
Result |
|---|---|---|---|
false |
any | any | Security gates are disabled. Use only for local or trusted development. |
true |
false |
false |
Network admission applies, but API calls do not require identity. |
true |
true |
true |
Recommended browser Console mode. External clients use API keys; browser users log in and receive a session cookie. |
true |
true |
false |
External API-client mode. Browser Console login is unavailable, so clients must send an API key header. |
security.network.allow_cidrs belongs to the network-admission gate. It decides
which source IP/CIDR ranges may reach REST, WebSocket, package frontend, and Web
Console routes. security.api.require_auth and security.web.login_required
belong to the identity gate.
Federation Security
Web/API security does not encrypt the cross-host federation data plane. It protects browser and Host Control API access only.
Use federation.security when raw TCP federation traffic must be protected from
sniffing, peer impersonation, frame tampering, or replay.
federation:
security:
mode: "required" # disabled, optional, required
key_id: "robot-cell-a"
key_file: "/opt/librux/var/lib/security/federation.key"
disabled keeps the lowest-overhead plaintext path. required is the
recommended appliance/product setting for a trusted closed federation group.
optional is useful during migration because it can accept plaintext inbound
peers while using secure outbound connections when key material is configured.
When federation security is required, configure federation peers with
api_port and keep Host API security enabled. The plaintext TCP
federation-status fallback is intentionally skipped in that mode.
The common federation security fields are editable from Web Console Settings
and from librux config.
librux config set federation.security.mode required
librux config set federation.security.key_id robot-cell-a
librux config set federation.security.key_env LIBRUX_FEDERATION_KEY
librux config set federation.security.key_file /opt/librux/var/lib/security/federation.key
Inline federation.security.key is accepted for lab smoke tests, but it is not
shown in the normal settings form. Prefer key_file or key_env for product
deployments.
Public Health Endpoints
/api/v1/health and /api/v1/ready may remain unauthenticated for local service probes when
security.health.unauthenticated=true. Network admission still applies. Disable
that option if the deployment requires every HTTP endpoint to authenticate.
Binding Policy
For local development, prefer.
control:
api_host: "127.0.0.1"
security:
enabled: false
For an appliance or managed robot host, prefer.
control:
api_host: "0.0.0.0"
security:
enabled: true
Then restrict security.network.allow_cidrs, configure at least one API key,
and configure a web admin password before exposing the UI on the management
network.