You can edit the scrapyd settings and put the following configuration in the ~/.scrapyd.conf file:
bind_address = 127.0.0.1
This will make the server only usable by processes running on itself.
If you want password protection, you can also use apache server as proxy and add a basic authentication. Abaxio follows an example of virtual host:
<VirtualHost *:80>
ServerName yourserver
DocumentRoot /var/www/service-status
<Directory /var/www/service-status/>
Require valid-user
Order allow,deny
Allow from all
AuthType Basic
AuthName "Protected"
AuthUserFile /var/www/service-status/.htpasswd
</Directory>
<Location /api/>
ProxyPass http://127.0.0.1:40500/
ProxyPassReverse http://127.0.0.1:40500/
</Location>
<Proxy *>
Require valid-user
AuthType Basic
AuthName "Protected"
AuthUserFile /var/www/service-status/.htpasswd
</Proxy>
RewriteEngine on
RewriteRule ^/?api$ /api/ [QSA,L,R]
RewriteRule ^/?jobs(.*) /api/jobs$1 [QSA,L,R]
RewriteRule ^/?logs(.*) /api/logs$1 [QSA,L,R]
RewriteRule ^/?items(.*) /api/items$1 [QSA,L,R]
</VirtualHost>
In the above example, the API commands would be available in http://your domain/api/command.json
The . htpasswd file will need to be created for virtualserver to work.