

That would explain why the packages seem to come from inside.

Literally like an implementation of “socat” itself, reading packages on one side and sending them in the other. Nothing that I could tell. And then I realize that lsof displays a process “docker-proxy” that seems to be a middleman between the host and the container, routing packages manually. What is Docker doing with the iptables? Had to review what a “masquerade” was again and inspect carefully iptables to see if there was anything out of place. This is done by any domestic router and our computers can see who is connecting from the other side of the network. That should be 1-4 iptables rules more or less. Everything it needs to do is a stupid NAT from the host IP address to the container IP address. Went to iptables to continue debugging with lsof/ncat and try to understand what the hell Docker is doing. So here is where I started to get really salty. If in my quest for more security I have to open the network in most containers I’m doing something really wrong. Will I put the FTP containers in the host network? Hell, no! Not a chance. In this moment I realized that my FTP containers will suffer from the same.
Every solution is either really convoluted or with software that needs to be installed in the host, outside of Docker. So again, back to Google to research about creating some sort of DNS for that. It turns out that in this mode Docker does not create the hostnames of the containers in /etc/hosts so I can’t resolve container addresses. But, wait, anyway if the Nginx container is in “host” mode, then it must have access to any other container, right? Well, yes, but no. As I have several containers I was expecting to only expose one and leave everything else as “bridge”. This has to work, surely, but puts the container on the same network as the host, which I don’t like. But when I start my containers I noticed that Docker Compose does not allow that a container is in both, the host network and bridge network at the same time. It turns out it has to be done for Docker itself and not by container, so I went back to try to change the network to “host”. Changing the network doesn’t seem a good idea, so I researched more on the userland-proxy.

More searches led me to know that I can either move Nginx to a network of “host” type instead of “bridge”, or disable something called “userland-proxy”. And sure, the lsof command actually reports the gateway as source address instead of the actual host that performed the call. So I started using “lsof” and “nc” to verify it. Docker uses to do this on its containers. Googled why nginx doesn’t see the source address in containers and there are lots of Docker users with the same problem. Then I saw the Nginx logs with the same gateway address!
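A way to check an existing access log for the symptom described here, as an added example that is not code from the original post. It assumes nginx's "combined" log format and Docker's default bridge subnet 172.17.0.0/16 with the gateway on the first host address; the function name and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Docker's default bridge subnet, gateway on the first host address.
BRIDGE_SUBNET = ipaddress.ip_network("172.17.0.0/16")

# Leading fields of an nginx "combined" line: addr - user [time] "request" status
LINE_RE = re.compile(r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')

# Constructed sample lines (not taken from the original post).
SAMPLE_MASKED = [
    '172.17.0.1 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
    '172.17.0.1 - - [10/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"',
]
SAMPLE_DIRECT = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Jan/2024:10:00:09 +0000] "GET /admin HTTP/1.1" 403 150 "-" "Mozilla/5.0"',
]

def masked_source_report(lines, subnet=BRIDGE_SUBNET):
    """Report how many logged requests carry the bridge gateway as client address."""
    gateway = next(iter(subnet.hosts()))  # e.g. 172.17.0.1
    seen = Counter()
    skipped = 0
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            skipped += 1  # not a combined-format line
            continue
        try:
            seen[ipaddress.ip_address(match.group("addr"))] += 1
        except ValueError:
            skipped += 1  # first field is not an IP address
    total = sum(seen.values())
    return {
        "gateway": str(gateway),
        "total": total,
        "from_gateway": seen[gateway],
        "skipped": skipped,
        # True when every parsed request appears to come from the gateway,
        # i.e. per-client logging, banning and filtering cannot work.
        "masked": total > 0 and seen[gateway] == total,
        "real_clients": sorted(str(a) for a in seen if a not in subnet),
    }

if __name__ == "__main__":
    print(masked_source_report(SAMPLE_MASKED))
    print(masked_source_report(SAMPLE_DIRECT))
```

If `masked` is true for a log that should contain many different clients, any IP-based rule inside the container is acting on the gateway address only.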

Thought about if Nginx is not providing the address properly, so I tested another bunch of other stuff. I went to the documentation, StackOverflow and Google, and I get only one solution. When I checked out I saw that Flask (python web framework) does not return the IP address of my container but the gateway address from Docker. Just finished adding my session cookie with a variety of information to verify the user authenticity, as the login date, user agent and IP address used for login. I was working on a Docker article about filtering IP addresses that can access the container and I ended really salty about NAT, networks, iptables and with myself. …fear leads to anger, anger leads to hate, hate leads to suffering. Unless you don’t care about who is connecting to your containers, this is something that needs to be solved. Most important thing to be aware about: by default, containers don’t see which source IP address is connecting when they have a listening port, so every logging, banning, filters and firewalls are just pointless.
If you just want to know how to solve it, just scroll down below to the “TL DR” chapter. I’ll explain there how to fix the issue, and you’ll avoid the 3 hours of suffering and pain that I had.
I’m sorry as I’m about to tell you the full story and all my sufferings getting this to work, but I need to do it.
