data.coop/ansible
8
3
Fork 7
Code Issues 49 Pull requests 9 Projects 1 Releases Wiki Activity

Port 8080 shouldn't be exposed publicly #117

New issue
Closed
opened 2022-11-16 13:19:12 +00:00 by samsapti · 10 comments
samsapti commented 2022-11-16 13:19:12 +00:00
Owner
Copy link

a03263b1f5

nginx-proxy should be able to communicate with riot through the external_services Docker network. If that's not the case, the port exposure should be specified as

ports:
  - "127.0.0.1:8080:8080"

such that it can't be accessed from outside the server.

Ping: @reynir

https://git.data.coop/data.coop/ansible/commit/a03263b1f5e06aa56f9f68db6695efd58f02481c nginx-proxy should be able to communicate with riot through the `external_services` Docker network. If that's not the case, the port exposure should be specified as ```yaml ports: - "127.0.0.1:8080:8080" ``` such that it can't be accessed from outside the server. Ping: @reynir
samsapti added the
Infrastructure Issue
 label 2022-11-16 13:26:16 +00:00
samsapti added
Security Hardening
 and removed
Infrastructure Issue
 labels 2022-11-16 13:32:56 +00:00
reynir commented 2022-11-16 13:35:03 +00:00
Owner
Copy link

expose doesn't expose the port publicly. It's like writing EXPOSE 8080 in the Dockerfile. It is not the same as ports which publicly exposes the port(s) on the host.

[`expose`](https://docs.ansible.com/ansible/latest/collections/community/docker/docker_container_module.html#parameter-exposed_ports) doesn't expose the port publicly. It's like writing `EXPOSE 8080` in the Dockerfile. It is not the same as [`ports`](https://docs.ansible.com/ansible/latest/collections/community/docker/docker_container_module.html#parameter-published_ports) which publicly exposes the port(s) on the host.
👍 1
reynir commented 2022-11-16 13:35:50 +00:00
Owner
Copy link

It can also be confirmed on our host:

reynir@hevonen:~$ sudo netstat -tlnp | grep 8080
reynir@hevonen:~$
It can also be confirmed on our host: ```shell reynir@hevonen:~$ sudo netstat -tlnp | grep 8080 reynir@hevonen:~$ ```
👍 1
samsapti commented 2022-11-16 13:36:07 +00:00
Author
Owner
Copy link

Ah, in that case I learned something new today :D

Ah, in that case I learned something new today :D
samsapti removed the
Security Hardening
 label 2022-11-16 13:37:05 +00:00
samsapti commented 2022-11-16 13:37:32 +00:00
Author
Owner
Copy link

But how come nginx can't infer that from VIRTUAL_PORT? Seems a bit weird.

But how come nginx can't infer that from `VIRTUAL_PORT`? Seems a bit weird.
reynir commented 2022-11-16 13:37:34 +00:00
Owner
Copy link

The EXPOSE is necessary because it tells docker (and thus nginx-proxy) what ports the container is listening on. Nginx-proxy will otherwise treat the container as being down resulting in annoying 503s :(

See also https://github.com/nginx-proxy/nginx-proxy/issues/1132

The EXPOSE is necessary because it tells docker (and thus nginx-proxy) what ports the container is listening on. Nginx-proxy will otherwise treat the container as being down resulting in annoying 503s :( See also https://github.com/nginx-proxy/nginx-proxy/issues/1132
samsapti commented 2022-11-16 13:39:30 +00:00
Author
Owner
Copy link

See also https://github.com/nginx-proxy/nginx-proxy/issues/1132

It looks like it should have been fixed by https://github.com/nginx-proxy/nginx-proxy/pull/1609, no?

> See also https://github.com/nginx-proxy/nginx-proxy/issues/1132 It looks like it should have been fixed by https://github.com/nginx-proxy/nginx-proxy/pull/1609, no?
reynir commented 2022-11-16 13:41:45 +00:00
Owner
Copy link

Maybe. That issue was not exactly about this, but it's there I learned about nginx-proxy and its expectations about EXPOSE.

Maybe. That issue was not exactly about this, but it's there I learned about nginx-proxy and its expectations about `EXPOSE`.
👍 1
reynir commented 2022-11-16 13:42:25 +00:00
Owner
Copy link

And besides, adding expose: 8080 made element.data.coop work again...

And besides, adding `expose: 8080` made element.data.coop work again...
👍 1
samsapti commented 2022-11-16 13:43:22 +00:00
Author
Owner
Copy link

If it works, it works.

If it works, it works.
reynir commented 2022-11-16 13:53:39 +00:00
Owner
Copy link

Ah, our nginx-proxy image is old. We probably don't have that change, then.

Ah, our nginx-proxy image is old. We probably don't have that change, then.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
reynir-patch-1
proxmox
diun
use_sudo
woodpeckerci
linting
mailman
listmonk
sshd-password
No results found.
Labels
Clear labels   
Blocked

Something is blocking progress

  
Existing Service

Issues/improvements regarding existing services

  
Infrastructure Issue

Infrastructure issue that needs investigation or time to fix

  
Refactor

Refactoring of files / file structure or other improvements

  
Security Hardening

Non-verified / non-critical security improvements

  
Security Issue

Urgent security issue that needs to be fixed ASAP

  
Service Idea

Ideas for new services

  
Service Removal

Removal of services for one reason or another

  
Upgrade service
No labels
Blocked
Existing Service
Infrastructure Issue
Refactor
Security Hardening
Security Issue
Service Idea
Service Removal
Upgrade service
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: data.coop/ansible#117
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?