denisit
(denisit)
September 29, 2020, 1:00pm
1
Hello,
I set a proxy device for a container which forwards port 443 on the host to port 443 in the container, and it is working correctly. Now I try to set a proxy device with port 8443 for another container, but it doesn't work. When I telnet the port from outside I see the traffic on the host interface, but there is nothing on the container interface (with a tcpdump). When I telnet port 8443 from the host to the IP of the container I see traffic. Below is the configuration:
Container KO with port 8443:

```yaml
devices:
  myport8443:
    connect: tcp:127.0.0.1:8443
    listen: tcp:0.0.0.0:8443
    proxy_protocol: "true"
    type: proxy
```

Container OK with port 443:

```yaml
  myport443:
    connect: tcp:127.0.0.1:443
    listen: tcp:0.0.0.0:443
    proxy_protocol: "true"
    type: proxy
```

Command used:

```
lxc config device add WordpressContainer myport8443 proxy listen=tcp:0.0.0.0:8443 connect=tcp:127.0.0.1:8443 proxy_protocol=true
```
Thank you.
turtle0x1
(Turtle0x1)
September 29, 2020, 1:11pm
2
Sounds silly, but:
Are you aware LXD listens on 8443 by default if enabled to listen on the network? Is LXD listening on the network?
I.e. on mine:

```
me@me:/ lxc config show
config:
  core.https_address: '[::]:8443'
  core.trust_password: true
```
tomp
(Thomas Parrott)
September 29, 2020, 1:22pm
3
As @turtle0x1 suggested, it's worth checking if anything is listening on that port.
Running `sudo ss -tlpn` would show this.
denisit
(denisit)
September 29, 2020, 1:22pm
4
Below is the output of the command:

```
lxc config show
config: {}
```

I tried with port 7443 but it is the same result.
tomp
(Thomas Parrott)
September 29, 2020, 1:23pm
5
Also, can you check your firewall is allowing the ports? `iptables-save` should show you the rules active.
denisit
(denisit)
September 29, 2020, 2:08pm
6
I use nftables. Port 7443 is open. Maybe I can use port redirection via nftables.
tomp
(Thomas Parrott)
September 29, 2020, 2:11pm
7
Can you show the output of `ss -tlpn` and `sudo nft list ruleset`?
Also, can you show the output of `lxc config show <instance> --expanded` for the problem container?
Finally, please show the output of `ip a` inside the container.
Thanks
tomp
(Thomas Parrott)
September 29, 2020, 2:12pm
8
Also, you would not expect to see any traffic on the container’s network interface (eth0) when using the proxy connecting to 127.0.0.1, so please also show the tcpdump command you run inside the container.
denisit
(denisit)
September 29, 2020, 2:13pm
9
> tomp: ss -tlpn

```
ss -tlpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 10 127.0.0.1:587 0.0.0.0:*
LISTEN 0 32 10.49.6.1:53 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 10 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::1]:6010 [::]:*
LISTEN 0 4096 *:8443 *:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 4096 *:7443 *:*
```

```yaml
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20200504)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20200504"
  image.type: squashfs
  image.version: "20.04"
  volatile.base_image: 647a85725003d873f8bb9a5bd1a09bdc7fd4bcb393b2cf629f7e0edaa58f5637
  volatile.eth0.host_name: vethe4301269
  volatile.eth0.hwaddr: 00:16:3e:39:55:b8
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  myport7443:
    connect: tcp:127.0.0.1:7443
    listen: tcp:0.0.0.0:7443
    proxy_protocol: "true"
    type: proxy
  myport8443:
    connect: tcp:127.0.0.1:8443
    listen: tcp:0.0.0.0:8443
    proxy_protocol: "true"
    type: proxy
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
```

I use `tcpdump -i eth0 port 7443` or `tcpdump -i eth0`.
tomp
(Thomas Parrott)
September 29, 2020, 2:15pm
10
Please can you run it as `sudo ss -tlpn`, as I originally asked for, so I can see the process names. Thanks
denisit
(denisit)
September 29, 2020, 2:16pm
11
> tomp: sudo ss -tlpn

```
sudo ss -tlpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=2139910,fd=11))
LISTEN 0 10 127.0.0.1:587 0.0.0.0:* users:(("sendmail-mta",pid=1016213,fd=5))
LISTEN 0 32 10.49.6.1:53 0.0.0.0:* users:(("dnsmasq",pid=2004294,fd=9))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=610,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=738,fd=3))
LISTEN 0 10 127.0.0.1:25 0.0.0.0:* users:(("sendmail-mta",pid=1016213,fd=4))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=2139910,fd=10))
LISTEN 0 4096 *:8443 *:* users:(("lxd",pid=2147531,fd=8),("lxd",pid=2147531,fd=3))
LISTEN 0 4096 *:443 *:* users:(("lxd",pid=542001,fd=8),("lxd",pid=542001,fd=4))
LISTEN 0 4096 *:80 *:* users:(("lxd",pid=542092,fd=8),("lxd",pid=542092,fd=4))
LISTEN 0 4096 *:7443 *:* users:(("lxd",pid=2148474,fd=8),("lxd",pid=2148474,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=738,fd=4))
```
tomp
(Thomas Parrott)
September 29, 2020, 2:19pm
12
Thanks, I've reformatted them using three backticks so they are more readable.
So the LXD proxy is listening on the port.
You won't see traffic on the container's eth0, as the proxy device switches into the container's network namespace and then establishes a connection to 127.0.0.1, so at most you may see traffic on the lo interface inside the container.
So we just need to see your firewall rules to check it's not being blocked on the LXD host (you may still see traffic hitting the LXD host's external interface using tcpdump and it could still be blocked by the firewall).
Also check that the service you are using inside your container is listening on 127.0.0.1 (using `sudo ss -tlpn` inside the container).
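The two checks asked for in this thread (is something on the host already bound to the port, and does the service inside the container actually accept connections arriving on 127.0.0.1, which is where a proxy device with `connect=tcp:127.0.0.1:PORT` dials in) can be scripted against `ss -tlpn` output. The helper below is an added example written for this page; it is not from the thread and not part of LXD. The embedded sample `ss` output, its PIDs and the `myapp` listener on 10.49.6.5:9000 are constructed.

```shell
#!/bin/sh
# Added example: inspect `ss -tlpn` output for LXD proxy-device troubleshooting.
# Both functions take a port and, optionally, captured `ss -tlpn` text; without
# the second argument they run `ss -tlpn` on the current machine (run as root
# there, otherwise the Process column is empty).

# Constructed sample of `sudo ss -tlpn` output (invented PIDs, not the thread's host).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=738,fd=3))
LISTEN 0 4096 *:8443 *:* users:(("lxd",pid=2147531,fd=8),("lxd",pid=2147531,fd=3))
LISTEN 0 4096 [::]:443 [::]:* users:(("lxd",pid=542001,fd=8))
LISTEN 0 128 10.49.6.5:9000 0.0.0.0:* users:(("myapp",pid=4242,fd=5))'

# listeners_on PORT [SS_OUTPUT]
# Prints "ADDRESS PROCESS" for every LISTEN socket bound to PORT, whatever the
# address form (0.0.0.0, *, [::], 127.0.0.1, or a specific IP).
# Exit status 0 if at least one listener was found, 1 otherwise.
listeners_on() {
  port="$1"
  input="${2:-$(ss -tlpn 2>/dev/null)}"
  printf '%s\n' "$input" | awk -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")        # last colon-separated field is the port
      if (parts[n] == p) {
        found = 1
        proc = ($6 == "") ? "(process hidden: rerun ss as root)" : $6
        print $4, proc
      }
    }
    END { exit(found ? 0 : 1) }'
}

# loopback_reachable PORT [SS_OUTPUT]
# Returns 0 if some listener on PORT accepts connections that arrive on
# 127.0.0.1: bound explicitly to 127.0.0.1 or to a wildcard (0.0.0.0, *, [::]).
# A service bound only to the container's eth0 address (e.g. 10.49.6.5:9000)
# returns 1: the proxy device's connect to 127.0.0.1 would be refused.
loopback_reachable() {
  listeners_on "$1" "${2:-}" | awk '
    {
      n = split($1, parts, ":")
      host = $1; sub(":" parts[n] "$", "", host)   # strip the trailing :PORT
      if (host == "127.0.0.1" || host == "0.0.0.0" || host == "*" || host == "[::]") ok = 1
    }
    END { exit(ok ? 0 : 1) }'
}

# Demo against the constructed sample. On a live host, drop the second
# argument: `listeners_on 8443` on the LXD host shows whether lxd (the API
# on core.https_address or another container's proxy) already owns the port;
# `loopback_reachable 8443` inside the container checks the connect side.
listeners_on 8443 "$SAMPLE_SS"
loopback_reachable 9000 "$SAMPLE_SS" || echo "port 9000: listener not reachable via 127.0.0.1"
```

`listeners_on` matches on the port alone, so a conflicting `[::]:8443` or `*:8443` socket is reported even when you only expected an IPv4 bind; `loopback_reachable` is the check to run inside the container, where a service bound only to its eth0 address explains a proxy device that shows traffic on the host but never reaches the application.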
denisit
(denisit)
September 30, 2020, 10:32am
13
Hello,
Finally, I removed port 443 from the other container and added it to this container, and it works. I did that to fix a problem which has been resolved. The server is in production now and I cannot make changes to test. Thank you tomp for your help.