Hi, we are currently re-evaluating the security settings on our environments and noted that we have the Runtime server port of the Mendix Service Console set to 8080 and the Listen address set to Public. At this moment we are using HTTP to access our environments. In a new test environment we have implemented HTTPS, and the IT department indicates they want to set the listen address to localhost only (or Custom*). When doing tests we encounter issues using the Mendix debugger on this new environment (which is normal, since we are not using the debugger from the server but from a client PC dev machine). The runtime server port setting Custom might be an option; however, it is not 100% clear how we can use this (what is the specification of the value(s) that can be entered in the field?).

Summarized: IT wants to prevent users from connecting to the Mendix application server directly. However, it should still be possible for client PCs to use the Mendix debugger on a server-based deployment.

EDIT, resolution: We resolved our issue by adding a rule to the rewriter configuration, routing /debugger to localhost:8080. This enables us to keep the runtime server port set to localhost. Thanks for your answers!
The best practice for installing your application on a server is to set the listen address to localhost on 8080. Your webserver will listen on port 80/443 and reverse-proxy to localhost:8080, your application, so all incoming requests must come through the webserver.
With the firewall you prevent users from accessing your application directly on port 8080, because that one is blocked and only port 80/443 is available. So there are two security rules that prevent users from accessing your application directly: the firewall and the Mendix app's listen address set to localhost.
With that context, the debugger must also go through your webserver on port 80/443, and the webserver reverse-proxies it to localhost:8080.
Joël vd Graaf
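As an added illustration of the setup described in the answer above and of the resolution in the question (this is constructed example configuration, not Mendix's or the forum poster's own file): an IIS `web.config` fragment in which the site bound to 80/443 reverse-proxies application paths to the runtime on localhost:8080, with a rule for the `/debugger` path added so a developer's Mendix debugger also arrives via the webserver. It assumes the IIS URL Rewrite module and Application Request Routing (ARR) with proxying enabled; the set of proxied path prefixes (xas, ws, ws-doc, file, link) is an assumption about a typical on-premises Mendix/IIS layout and should be aligned with the prefixes your existing rewriter configuration already forwards.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Constructed example. The runtime listens on 127.0.0.1:8080 only,
             so the only network-reachable entry point is this IIS site on
             80/443 (with the host firewall blocking 8080 as a second layer). -->

        <!-- Rule for the debugger path, as in the question's resolution.
             Matching "debugger" plus anything after it is an assumption
             about the path shape; adjust to what the debugger actually requests. -->
        <rule name="Mendix debugger to local runtime" stopProcessing="true">
          <match url="^debugger(.*)$" />
          <action type="Rewrite" url="http://localhost:8080/debugger{R:1}" />
        </rule>

        <!-- Application endpoints served by the runtime (assumed prefix list).
             Everything not matched here is served by IIS as static content. -->
        <rule name="Mendix runtime endpoints to local runtime" stopProcessing="true">
          <match url="^(xas|ws|ws-doc|file|link)(.*)$" />
          <action type="Rewrite" url="http://localhost:8080/{R:1}{R:2}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because the rewrite targets are `http://localhost:8080`, the runtime's own listen address can stay on localhost: the client PC connects to the HTTPS site, and only IIS itself ever talks to 8080. After deploying, confirm from another machine that port 8080 is refused while the debugger works through the 443 URL; that is the check that both layers (listen address and firewall) are in effect.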
If you're security minded you probably don't want to/shouldn't want to use the debugger in production anyway. It disturbs the flows of production users and allows a lot of access that you shouldn't normally have, i.e. a security risk :)