Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Host OS exposes Redis to world over port 6379 #125

Open
gugray opened this issue Jan 30, 2025 · 4 comments
Open

Host OS exposes Redis to world over port 6379 #125

gugray opened this issue Jan 30, 2025 · 4 comments
Labels
enhancement New feature or request

Comments

@gugray
Copy link

gugray commented Jan 30, 2025

Thank you for the work creating this Docker wrapper!

I followed the guide to deploy Pixelfed using my own NGINX in the host system as a reverse proxy. All ports are set to deny using ufw except 22, 80 and 443.

Unfortunately when docker exposes ports, it does so by circumventing the firewall. As a result, Redis is exposed directly to the internet via the host system. That is a significant security issue and it may unintentionally expose data or allow access to bad actors.

The line responsible for this is in compose.yaml:

    ports:
      - "${DOCKER_REDIS_HOST_PORT}:6379"

This is an unfortunate behavior by Docker. It can be fixed if instead of this:

ports:
  - "6379:6379"

the port is exposed like this:

ports:
  - "127.0.0.1:6379:6379"

This way other services on the host will have access to it, but it will not be exposed to the internet behind the firewall's back. An even better solution would be to create a Docker network and not expose the port to the host at all.
@jippi
Copy link
Owner

jippi commented Jan 30, 2025

I plan to rework this in #103 - but you might be able to set DOCKER_REDIS_HOST_PORT to 127.0.0.1:6379 to get the outcome you want :)

@jippi jippi added the enhancement New feature or request label Feb 7, 2025
@manuviens
Copy link

manuviens commented Feb 11, 2025
edited
Loading

Just found that ufw (firewall) have no effect on docker containers. So, redis and the db are wide open.
I tried this and it works, but the healtcheck of the proxy container do not work anymore, which does not seem to affect pixelfed's operation. EDIT : Bad idea.

EDIT :
Image

@manuviens
Copy link

I created this compose.override.yaml which seems to work.

networks:
  internal:
    driver: bridge
  external:
    driver: bridge

services:
  proxy:
    networks:
      - external

  web:
    networks:
      - external
      - internal

  db:
    networks:
      - internal

  redis:
    networks:
      - internal

  worker:
    networks:
      - internal

  cron:
    networks:
      - internal

@jippi
Copy link
Owner

jippi commented Feb 21, 2025

If y'all could try out #103 and see if it work for y'all that would be great

I think it's feature complete, but lacks testing and feedback

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jippi @gugray @manuviens