Docker portainer unreachable

dz00te · January 23, 2021, 4:40pm

clean install of ns7.9, install nethserver-docker and enabling portainer, The URL of portainer (https://:980/portainer/ ) is not reachable.

installing nethserver-httpd-admin-service seems to solve the problem, i suppose we could add it as required packages in nethserver-docker (as issue 6344) or write some note on docs for people who enable portainer… don’t know which is the best solution

stephdl · January 23, 2021, 4:43pm

move portainer on 443, we did the same for rspamd admin webUI

stephdl · January 23, 2021, 5:54pm

we could move this file

github.com

NethServer/nethserver-docker/blob/master/root/etc/httpd/admin-conf.d/portainer.conf

<IfModule rewrite_module>
    RewriteEngine on
    RewriteRule ^/portainer$ /portainer/ [R]
</IfModule>

<Location /portainer/>
    ProxyPass  http://172.28.255.254:9000/
    ProxyPassReverse http://172.28.255.254:9000/
</Location>

<Location /portainer/api/websocket/> 
    ProxyPass ws://172.28.255.254:9000/api/websocket/
</Location>

to the default folder configuration

/etc/httpd/conf.d/portainer.conf

we need a redirection too

stephdl · January 24, 2021, 11:38am

Only local network is able to use portainer, if you go to http, you are redirected to https, please test and break it

Could you test something for me @dz00te, on your fresh installation of 7.9, you have manually installed http-admin, what is displayed if you do

http://<IP>:980

do you have a page saying that it is a bad request and you have to go https://<IP>:980

dz00te · January 24, 2021, 3:38pm

there is almost always a solution that you have not thought of … and often it is also the best tnx!

firs test, and it seems to works great and HTTP is correctly redirected, I’ll do some other tests

mhhh with or without nethserve-docker, on a clean install + update + nethserver-httpd-admin there is no redirection on https, I got an “ERR_EMPTY_RESPONSE” I’ll play with it a little longer

mark_nl · January 24, 2021, 3:50pm

AFAIK this was reverted

The httpd-admin package is split up in two packages, where the new nethserver-httpd-admin-service configures access on port 980. This to enable users to redirect / forward port 443 to elsewhere

Also see:

github.com/NethServer/dev

Access web applications from port 980

opened 10:44AM - 24 Nov 20 UTC

closed 05:19PM - 25 Nov 20 UTC

gsanchietti

verified

The aim of implementation on #6320 was to drop the 980 in favour of 443 to acces…s some web applications like CGP, rspamd, etc. While this is a good solution on most scenarios, it doesn't fill well on firewall where the port 443 is forwarded to other servers. If such port forward is active, the above we applications ill not be accessible from WAN, or even from LAN if hairpinning is enabled. **Proposed solution** - [x] Implement a nethserver-httpd-admin common package which can serve the above web applications on port 980 - [x] Revert modifications for the following apps: - [x] nethserver-evebox - [x] nethserver-suricata - [x] nethserver-cgp - [x] nethserver-mail-filter - [x] nethserver-fail2ban - [x] All packages with a proxypass on port 980 should now require `nethserver-httpd-admin-service` package - [x] nethserver-evebox - [x] nethserver-cgp - [x] nethserver-mail-filter - [x] nethserver-ligthsquid - [x] nethserver-ntopng - [x] Update release notes --- Thanks to @cotosso

stephdl · January 24, 2021, 4:09pm

Thank a lot

stephdl · January 24, 2021, 4:31pm

on a server 7.9, nethgui is not installed, so

yum install nethserver-httpd-admin

then I would like you test the output

curl http://localhost:980

normally you should have

[root@NS7 ~]# curl http://localhost:980
<!DOCTYPE html>
<html lang="en">
<head>
<title>Bad request</title>
</head>
<body>
<h1>Bad request</h1>
<p>Use the HTTPS scheme to access this URL!<p>
<script type="text/javascript">
window.onload = function() {
    window.location = window.location.href.replace("http://", "https://");
}
</script>
</body>
</html>

what do you get ?

dz00te · January 24, 2021, 5:06pm

yes that’s what I did and this is what I get:

# curl http://localhost:980
curl: (52) Empty reply from server

maybe it is a problem with the vm that I use for testing? i will try to reinstall ns7.9 from scratch and let you know.

stephdl · January 24, 2021, 5:20pm

dz00te:

yes that’s what I did and this is what I get:
# curl http://localhost:980
curl: (52) Empty reply from server
maybe it is a problem with the vm that I use for testing? i will try to reinstall ns7.9 from scratch and let you know.

cc @davidep @giacomo

I have the same issue than you on a KVM virtualization, not tested on proxmox

dz00te · January 24, 2021, 6:03pm

no, same problem installing ns7.9 from scratch (on proxmox)

giacomo · January 25, 2021, 8:11am

I didn’t try portainer, but for me port 980 works.
On a clean machine:

yum install nethserver-httpd-admin-service

Then

[root@localhost ~]# curl http://localhost:980
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>
</body></html>

And, with the correct protocol:

[root@localhost ~]# curl -k https://localhost:980
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

stephdl · January 25, 2021, 2:52pm

I agree however on my ns7.9 just installed, once I install nethserver-http-admin, curl does not work as you

Reproducible by @dz00te on proxmox
Reproducible by me on kvm with virt-manager

It is strange. Obviously if you use https instead of http it workable, I simply miss the message arguing to use https

mark_nl · January 25, 2021, 4:22pm

on a (ovh) vps:

# rpm -qa| grep  nethserver-httpd-admin
nethserver-httpd-admin-service-2.7.0-1.ns7.noarch

# curl http://localhost:980
curl: (52) Empty reply from server

#  curl -k https://localhost:980
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

hope it helps…

stephdl · January 25, 2021, 4:55pm

same behaviour

giacomo · January 25, 2021, 5:06pm

I can’t find why on my machine the response is different.
Still, this is not a real problem since there is no service listening in plain HTTP on that port.

If port 980 is correctly speaking HTTPS, you should be able to access services running on it.

mark_nl · January 25, 2021, 5:21pm

~~the machine which gives a response with httpd-admin installed has in /etc/httpd/conf.d/default-virtualhost.inc~~

~~# # 10server-manager permanent redirect # RewriteEngine On RewriteRule ^/server-manager(/.*)?$ https://%{HTTP_HOST}:980$1 [L,R=301]~~
~~Om the vps I mentioned cannot find a RewriteRule to https for port 980~~ # cat /etc/httpd/conf.d/default-virtualhost.inc # ================= DO NOT MODIFY THIS FILE ================= # # Manual changes will be lost when this file is regenerated. # # Please read the developer's guide, which is available # at NethServer official site: https://www.nethserver.org # # # # 15 user_settings #
# # 80vhost_default -- include template httpd/vhost-default # for backward compatibility #

EDIT that is b?ll*t still…

Or where should i find it?

giacomo · January 26, 2021, 8:53am

I’ve reproduced on a VPS, but I do not have the same behavior on a local virtual machine.
Both installations have the same packages installed.

I didn’t spend too much time, but I noticed that connections in the VPS stalled in a TIME_WAIT status, like:

tcp6       0      0 127.0.0.1:980           127.0.0.1:52330         TIME_WAIT   - `

It happens the sames if with shorewall cleared.

For me, it’s not a problem, but it’s a curious behavior

stephdl · January 28, 2021, 3:08pm

released, thank mates