Hey all, I have multiple Nextcloud servers in my network and a CODE server.
How can I make it so that I can connect to CODE only from one Nextcloud server?
For example, I set environment variables in my compose file:
```yaml
version: '3'
services:
  code:
    image: collabora/code:latest
    restart: always
    container_name: CODE-server
    volumes:
      - ./code:/code
    environment:
      - username=admin
      - password=p@ssword
      - domain=cloud1\\.example\\.com
      - server_name=myservername
      - extra_params=--o:ssl.enable=true
    cap_add:
      - MKNOD
  nginx:
    image: nginx:stable
    restart: always
    container_name: nginx_code
    volumes:
      - ./nginx/vhost.conf:/etc/nginx/conf.d/default.conf:ro
      - ./mycerts:/mycerts
    ports:
      - 443:443
      - 80:80
    depends_on:
      - code
```
But I can still connect to the CODE server from cloud2.example.com, cloud3, cloud4, etc. This is a huge security risk.
Same with

```bash
docker run -t -d -p 9980:9980 -e "domain=cloud\\.myserver\\.com" -e "username=admin" -e "password=S3cRet" --restart always --cap-add MKNOD collabora/code
```

I can still connect from nextcloud.example.com.
The problem was that my servers have IPs 192.168… and those addresses are allowed by default.
Now facing another problem: if I try to use a server that is not allowed, e.g. with IP 145.45.45.1, the container restarts and all sessions are broken.
Log:
[25/Jan/2022:14:48:10.841] Ready to accept connections on port 9980.
[25/Jan/2022:14:48:10.841] kit-00053-00051 2022-01-25 11:48:10.836845 +0000 [ kit_spare_001 ] TRC #0 wrote 458 bytes of 458| net/Socket.hpp:1088
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836889 +0000 [ kit_spare_001 ] TRC #22 Connected to WS Handler 0x5625b59df300| ./net/WebSocketHandler.hpp:166
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836920 +0000 [ kit_spare_001 ] DBG Inserting socket #22 into kit| ./net/Socket.hpp:738
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836946 +0000 [ kit_spare_001 ] DBG #22 resetting thread affinity while in transit (was 0x7f52bd490780)| ./net/Socket.hpp:329
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.836996 +0000 [ kit_spare_001 ] TRC #22: Set socket buffer size to 262144| ./net/Socket.hpp:239
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.837021 +0000 [ kit_spare_001 ] INF New kit client websocket inserted.| kit/Kit.cpp:2815
[25/Jan/2022:14:48:10.842] kit-00053-00051 2022-01-25 11:48:10.837046 +0000 [ kit_spare_001 ] INF Kit initialization complete: setting log-level to [warning] as configured.| kit/Kit.cpp:2820
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.897889 +0000 [ docbroker_001 ] ERR No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/Storage.cpp:276
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898043 +0000 [ docbroker_001 ] ERR loading document exception: No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/DocumentBroker.cpp:2008
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898097 +0000 [ docbroker_001 ] ERR Failed to add session to [/index.php/apps/richdocuments/wopi/files/14835794_ocoqj6f0cfmv] with URI [https://cl3.myserv.com/index.php/apps/richdocuments/wopi/files/14835794_ocoqj6f0cfmv?access_token=uk9xpzqMJwTIvhrx0lojCgKS5obw6REP&access_token_ttl=0]: No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/DocumentBroker.cpp:1970
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898145 +0000 [ docbroker_001 ] ERR Unauthorized Request while starting session on /index.php/apps/richdocuments/wopi/files/14835794_ocoqj6f0cfmv for socket #23. Terminating connection. Error: No acceptable WOPI hosts found matching the target host [cl3myserv.com] in config.| wsd/COOLWSD.cpp:3684
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898341 +0000 [ docbroker_001 ] SIG Fatal signal received: SIGSEGV
[25/Jan/2022:14:48:10.898] Recent activity:
[25/Jan/2022:14:48:10.899] Backtrace 1 - wsd 21.11.1.3 21324cf:
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN7SigUtil13dumpBacktraceEv+0x80)[0x564d16350750]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(+0x30973d)[0x564d1635173d]
[25/Jan/2022:14:48:10.899] /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980)[0x7f063a68b980]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZNK14DocumentBroker21needToUploadToStorageEv+0x8a)[0x564d16211d0a]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN14DocumentBroker15autoSaveAndStopERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x3b0)[0x564d1621c4b0]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN14DocumentBroker10pollThreadEv+0xded)[0x564d1622adbd]
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(_ZN10SocketPoll18pollingThreadEntryEv+0x23d)[0x564d1638c0ad]
[25/Jan/2022:14:48:10.899] /usr/lib/x86_64-linux-gnu/libstdc++.so.6(+0xbd6df)[0x7f063af0b6df]
[25/Jan/2022:14:48:10.900] /lib/x86_64-linux-gnu/libpthread.so.0(+0x76db)[0x7f063a6806db]
[25/Jan/2022:14:48:10.900] /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f063a3a971f]
[25/Jan/2022:14:48:11.183] kit-00053-00051 2022-01-25 11:48:11.182906 +0000 [ kit_spare_001 ] ERR Kit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/Kit.cpp:2321
[25/Jan/2022:14:48:11.185] frk-00051-00051 2022-01-25 11:48:11.184568 +0000 [ forkit ] ERR ForKit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/ForKit.cpp:187
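A log check for the failure described in the post above, added here as an example and not part of the original post or of Collabora's code: it pairs each "No acceptable WOPI hosts" rejection with a later fatal signal from the same coolwsd process and thread. The sample lines are constructed from the log format shown in the post; `cloud9.example.com`, the thread name `docbroker_002` and the function name `scan` are assumptions.

```python
import re

# Constructed sample in the coolwsd log format quoted in the post (messages shortened).
SAMPLE_LOG = """\
[25/Jan/2022:14:48:09.100] wsd-00001-00057 2022-01-25 11:48:09.100001 +0000 [ docbroker_002 ] ERR No acceptable WOPI hosts found matching the target host [cloud9.example.com] in config.| wsd/Storage.cpp:276
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.897889 +0000 [ docbroker_001 ] ERR No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/Storage.cpp:276
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898043 +0000 [ docbroker_001 ] ERR loading document exception: No acceptable WOPI hosts found matching the target host [cl3.myserv.com] in config.| wsd/DocumentBroker.cpp:2008
[25/Jan/2022:14:48:10.898] wsd-00001-00057 2022-01-25 11:48:10.898341 +0000 [ docbroker_001 ] SIG Fatal signal received: SIGSEGV
[25/Jan/2022:14:48:10.899] /usr/bin/coolwsd(+0x30973d)[0x564d1635173d]
[25/Jan/2022:14:48:11.183] kit-00053-00051 2022-01-25 11:48:11.182906 +0000 [ kit_spare_001 ] ERR Kit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/Kit.cpp:2321
"""

# [outer timestamp] process date time +zone [ thread ] LEVEL message
LINE = re.compile(
    r"^\[[^\]]+\]\s+(?P<proc>\S+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \+\d{4} "
    r"\[\s*(?P<thread>\S+)\s*\]\s+(?P<level>[A-Z]{3})\s+(?P<msg>.*)$"
)
REJECT = re.compile(r"No acceptable WOPI hosts found matching the target host \[([^\]]+)\]")
FATAL = re.compile(r"Fatal signal received: (\w+)")


def scan(log_text):
    """Return one finding per rejected WOPI host and thread, recording a later
    fatal signal raised by the same process and thread."""
    findings = {}  # (process, thread, host) -> finding
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # backtrace frames and banner lines have no level field
        key = (m["proc"], m["thread"])
        rejected = REJECT.search(m["msg"])
        if rejected:
            host = rejected.group(1)
            f = findings.setdefault(key + (host,), {
                "host": host, "process": m["proc"], "thread": m["thread"],
                "first_seen": m["ts"], "rejections": 0, "fatal_signal": None})
            f["rejections"] += 1
            continue
        fatal = FATAL.search(m["msg"])
        if fatal:
            for (proc, thread, _host), f in findings.items():
                if (proc, thread) == key and f["fatal_signal"] is None:
                    f["fatal_signal"] = fatal.group(1)
    return list(findings.values())


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding whose `fatal_signal` is set means a request from a host outside the allow-list was followed by a crash of the document broker, which is the session-dropping restart reported above.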