2

I am trying to run apache2 inside docker; however, when I expose the ports, the service is only accessible from the host and not from the outside.

I have executed the container by:

docker run -d -t -p 8080:80 --name ctf ubuntu

After that, I have installed apache2 inside:

apt-get update && apt-get install apache2 -y && service apache2 start

When I run docker ps I will get:

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                  NAMES 
c90b8ed41436        ubuntu              "/bin/bash"         3 minutes ago       Up 3 minutes        0.0.0.0:8080->80/tcp   ctf

I can reach the service by wget <public ip>:8080 from that host. But if I try it from another device on the same network, it does not work. The service is not reachable.

Also command iptables --list will produce:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Do you know where the issue can be?

EDIT: Connectivity test

EDIT2: Result from netstat -ntlp, seems that docker does not bind socket to the IPv4:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN      423/./ts3server
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      13863/mysqld
tcp        0      0 127.0.0.1:37995         0.0.0.0:*               LISTEN      15022/containerd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1577/apache2
tcp        0      0 0.0.0.0:30033           0.0.0.0:*               LISTEN      423/./ts3server
tcp        0      0 0.0.0.0:8084            0.0.0.0:*               LISTEN      1552/mono
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      19145/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1561/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1577/apache2
tcp        0      0 0.0.0.0:10011           0.0.0.0:*               LISTEN      423/./ts3server      
tcp6       0      0 :::10022                :::*                    LISTEN      423/./ts3server
tcp6       0      0 :::8080                 :::*                    LISTEN      16111/docker-proxy
tcp6       0      0 :::30033                :::*                    LISTEN      423/./ts3server
tcp6       0      0 :::22                   :::*                    LISTEN      1561/sshd
tcp6       0      0 :::10011                :::*                    LISTEN      423/./ts3server

But it should not be an issue, since:

root@ubuntu:~/docker# sysctl net.ipv6.bindv6only 
net.ipv6.bindv6only = 0
root@ubuntu:~/docker# sysctl net.ipv6.conf.all.forwarding 
net.ipv6.conf.all.forwarding = 1
user1696947
  • Can you temporarily disable the host's firewall, then try the connection from a remote host (e.g. `sudo service ufw stop`)? – masseyb Oct 25 '19 at 14:49
  • Hi, I disabled the firewall but still the same issue: https://imgur.com/a/BAiNiWq – user1696947 Oct 25 '19 at 14:55
  • Have you tried adding the `Listen 0.0.0.0:80` directive to /etc/apache2/ports.conf? I had the same problem with ng serve and got my answer from this question: https://stackoverflow.com/questions/46778868/ng-serve-not-working-in-docker-container – magM Oct 25 '19 at 14:59
  • Ref. your image, are you trying to access the host using its public IP? E.g. can you connect using the host's private IP from a machine in the same subnet? – masseyb Oct 25 '19 at 15:02
  • Yep, I changed `Listen 80` to `Listen 0.0.0.0:80`... restarted the service with `service apache2 restart`, but no luck :( – user1696947 Oct 25 '19 at 15:02
  • masseyb: It is a VPS, so I have just a public IP. – user1696947 Oct 25 '19 at 15:03
  • Does your hosting service have provider-specific configuration that needs to be updated (i.e. AWS implements Security Groups which act as virtual firewalls, disabling the host's firewall doesn't matter if the Security Group is still blocking the traffic)? If you have `python3` installed on the host you can run i.e. a `python3 -m http.server --bind 0.0.0.0 80` and test the connection to that (e.g. to verify if the issue has anything to do with the `docker` process or if it's more likely that this is a networking issue). – masseyb Oct 25 '19 at 15:08
  • Thanks for the tip. I do not think so; I did not have any issue running teamspeak, minecraft server, kerbal server and factorio server. Whatever service I install, it is automatically accessible from the internet. There should not be any limitation regarding the network. I think the issue can be connected to docker... it is not binding that port to IPv4. I will edit the question and add that there. – user1696947 Oct 25 '19 at 15:13
  • According to this answer: https://stackoverflow.com/questions/29957143/make-docker-use-ipv4-for-port-binding it should not be the issue. It should still be accessible from ipv4. – user1696947 Oct 25 '19 at 15:19

1 Answer

0

The issue was that on the current Wi-Fi, port 8080 was filtered :( sorry

user1696947
  • Hehe, networking issue, figured the traffic was being filtered somewhere along the line. Should of course re-enable the host's firewall, opening only the ports that you need, if not already done. – masseyb Oct 25 '19 at 15:40
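
Added example (not part of the original question, answer or comments): a small parser for `netstat -ntlp` output that reports, per listening port, which address families can reach the socket from other hosts. It uses a constructed subset of the rows from the question and assumes each `tcp6` wildcard socket follows the system default set by `net.ipv6.bindv6only` (an application can override this per socket); the function name `classify` is hypothetical.

```python
import ipaddress

# Constructed sample: a subset of the `netstat -ntlp` rows shown in the question.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      13863/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1577/apache2
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      19145/systemd-resol
tcp6       0      0 :::8080                 :::*                    LISTEN      16111/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      1561/sshd
"""

def classify(netstat_text, bindv6only=0):
    """Map each listening port to the address families that remote hosts
    can use to reach it at the socket level (empty set = loopback only)."""
    exposure = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening TCP socket.
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        # rpartition splits on the last colon, so ":::8080" -> ("::", "8080").
        host, _, port = local.rpartition(":")
        addr = ipaddress.ip_address(host)
        families = exposure.setdefault(int(port), set())
        if addr.is_loopback:
            continue  # 127.0.0.0/8 or ::1, not reachable from other hosts
        if proto == "tcp":
            families.add("ipv4")
        elif proto == "tcp6":
            families.add("ipv6")
            # Assumption: the socket keeps the system default. With
            # bindv6only=0 a socket bound to "::" is dual-stack and also
            # accepts IPv4 connections (as IPv4-mapped addresses).
            if addr.is_unspecified and bindv6only == 0:
                families.add("ipv4")
    return exposure

if __name__ == "__main__":
    for port, fams in sorted(classify(SAMPLE).items()):
        print(port, sorted(fams) or "loopback only")
```

This describes the listening sockets only. Packet filters on the host, the provider or the client's network (the cause in the accepted answer) are not visible in `netstat` and have to be tested separately.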