CODE security with multiple nextcloud servers

Hey all, I have multiple Nextcloud servers in my network and a CODE server.

How can I make it so that I can only connect to CODE from one Nextcloud server?
E.g. I set an environment variable in my compose file:

version: '3'
services:
  code:
    image: collabora/code:latest
    restart: always
    container_name: CODE-server
    volumes:
      - ./code:/code
    environment:
      - username=admin
      - password=p@ssword
      - domain=cloud1\\.example\\.com
      - server_name=myservername
      - extra_params=--o:ssl.enable=true
    cap_add:
      - MKNOD

  nginx:
    image: nginx:stable
    restart: always
    container_name: nginx_code
    volumes:
      - ./nginx/vhost.conf:/etc/nginx/conf.d/default.conf:ro
      - ./mycerts:/mycerts
    ports:
      - 443:443
      - 80:80
    depends_on:
      - code

But I can still connect to the CODE server from cloud2.example.com, cloud3, cloud4, etc. This is a huge security risk.

Same with:

docker run -t -d -p 9980:9980 -e "domain=cloud\\.myserver\\.com" -e "username=admin" -e "password=S3cRet" --restart always --cap-add MKNOD collabora/code

I can still connect from nextcloud.example.com.

The problem was that my servers have IPs 192.168…, and those addresses are allowed by default.

Facing another problem: if I try to use a server that is not allowed, e.g. with IP 145.45.45.1, the container restarts and all sessions break.

Log:

[25/Jan/2022:14:48:10.841] Ready to accept connections on port 9980.
[25/Jan/2022:14:48:10.841] kit-00053-00051 2022-01-25 11:48:10.836845 +0000 [ kit_spare_001 ] TRC  #0 wrote 458 bytes of 458| net/Socket.hpp:1088
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836889 +0000 [ kit_spare_001 ] TRC  #22 Connected to WS Handler 0x5625b59df300| ./net/WebSocketHandler.hpp:166
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836920 +0000 [ kit_spare_001 ] DBG  Inserting socket #22 into kit| ./net/Socket.hpp:738
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836946 +0000 [ kit_spare_001 ] DBG  #22 resetting thread affinity while in transit (was 0x7f52bd490780)| ./net/Socket.hpp:329
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836996 +0000 [ kit_spare_001 ] TRC  #22: Set socket buffer size to 262144| ./net/Socket.hpp:239
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.837021 +0000 [ kit_spare_001 ] INF  New kit client websocket inserted.| kit/Kit.cpp:2815
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.837046 +0000 [ kit_spare_001 ] INF  Kit initialization complete: setting log-level to [warning] as configured.| kit/Kit.cpp:2820
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.897889 +0000 [ docbroker_001 ] ERR  No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/Storage.cpp:276
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898043 +0000 [ docbroker_001 ] ERR  loading document exception: No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/DocumentBroker.cpp:2008
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898097 +0000 [ docbroker_001 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/14835794_ocoqj6f0cfmv] with URI [https://cl3.myserv.com/index.php/apps/richdocuments/wopi/files/14835794_ocoqj6f0cfmv?access_token=uk9xpzqMJwTIvhrx0lojCgKS5obw6REP&access_token_ttl=0]: No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/DocumentBroker.cpp:1970
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898145 +0000 [ docbroker_001 ] ERR  Unauthorized Request while starting session on /index.php/apps/richdocuments/wopi/files/14835794_ocoqj6f0cfmv for socket #23. Terminating connection. Error: No acceptable WOPI hosts found matching the target host [cl3myserv.com] in config.| wsd/COOLWSD.cpp:3684
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898341 +0000 [ docbroker_001 ] SIG   Fatal signal received: SIGSEGV
[25/Jan/2022:14:48:10.898] Recent activity:
[25/Jan/2022:14:48:10.899] Backtrace 1 - wsd 21.11.1.3 21324cf:
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN7SigUtil13dumpBacktraceEv+0x80)[0x564d16350750]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(+0x30973d)[0x564d1635173d]
[25/Jan/2022:14:48:10.899] /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980)[0x7f063a68b980]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZNK14DocumentBroker21needToUploadToStorageEv+0x8a)[0x564d16211d0a]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN14DocumentBroker15autoSaveAndStopERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x3b0)[0x564d1621c4b0]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN14DocumentBroker10pollThreadEv+0xded)[0x564d1622adbd]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN10SocketPoll18pollingThreadEntryEv+0x23d)[0x564d1638c0ad]
[25/Jan/2022:14:48:10.899] /usr/lib/x86_64-linux-gnu/libstdc++.so.6(+0xbd6df)[0x7f063af0b6df]
[25/Jan/2022:14:48:10.900] /lib/x86_64-linux-gnu/libpthread.so.0(+0x76db)[0x7f063a6806db]
[25/Jan/2022:14:48:10.900] /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f063a3a971f]
[25/Jan/2022:14:48:11.183] kit-00053-00051 2022-01-25 11:48:11.182906 +0000 [ kit_spare_001 ] ERR  Kit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/Kit.cpp:2321
[25/Jan/2022:14:48:11.185] frk-00051-00051 2022-01-25 11:48:11.184568 +0000 [ forkit ] ERR  ForKit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/ForKit.cpp:187

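As an added illustration (not from the original post and not Collabora's own code), a Python model of how the `domain` allow-list behaves and why the LAN servers got through: the value is one or more regexes joined with `|`, each must match the whole WOPI host, and the image's default coolwsd.xml also allows private address ranges. The default list below is reproduced from memory, so treat it as an assumption and compare it with your own coolwsd.xml; the domain value is given as coolwsd sees it after the image's start script has unescaped it, and the log sample is constructed after the post's log.

```python
import re

# Allow entries the Collabora image ships in coolwsd.xml besides the one the
# 'domain' variable fills in. Reproduced from memory: an assumption, not a
# quote of the file. These are what let 192.168.x.x Nextcloud hosts connect.
DEFAULT_ALLOW = [
    r"localhost",
    r"10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}",
]

def build_allowlist(domain_env, keep_defaults=True):
    """Compile the 'domain' value (regexes joined with '|') into patterns.
    keep_defaults=False models a coolwsd.xml with the private-range entries
    removed, which is what a single-tenant deployment wants."""
    patterns = [p for p in domain_env.split("|") if p]
    if keep_defaults:
        patterns += DEFAULT_ALLOW
    return [re.compile(p) for p in patterns]

def is_allowed_wopi_host(host, allowlist):
    """A WOPI host is accepted only if some pattern matches the whole name,
    which is why the dots in the domain value have to be escaped."""
    return any(p.fullmatch(host) for p in allowlist)

# The line coolwsd logs when it refuses a WOPI host; useful to alert on
# callers that were never supposed to reach this CODE instance.
REJECT_RE = re.compile(
    r"No acceptable WOPI hosts found matching the target host \[([^\]]+)\]")

def rejected_hosts(log_text):
    """Return the distinct hostnames coolwsd refused in a log excerpt."""
    return sorted(set(REJECT_RE.findall(log_text)))

# Constructed sample, modelled on the post's log (ids and hosts made up).
SAMPLE_LOG = """\
[25/Jan/2022:14:48:10.898] wsd-00001-00057 [ docbroker_001 ] ERR  No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/Storage.cpp:276
[25/Jan/2022:14:48:10.898] wsd-00001-00057 [ docbroker_001 ] ERR  loading document exception: No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/DocumentBroker.cpp:2008
[25/Jan/2022:15:02:01.004] wsd-00001-00061 [ docbroker_002 ] ERR  No acceptable WOPI hosts found matching the target host [cloud4.example.com] in config.| wsd/Storage.cpp:276
"""

if __name__ == "__main__":
    allow = build_allowlist(r"cloud1\.example\.com")
    for h in ("cloud1.example.com", "cloud2.example.com", "192.168.1.20"):
        print(h, "allowed" if is_allowed_wopi_host(h, allow) else "denied")
    print("refused callers:", rejected_hosts(SAMPLE_LOG))
```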