
digitalocean_firewall blocks all ports #1162

Open
joegasewicz opened this issue May 19, 2024 · 1 comment
joegasewicz commented May 19, 2024

Bug Report

I have created the following DigitalOcean Terraform config for a firewall to allow all traffic over HTTP/HTTPS, SSH, etc.
I was asked by Digital Ocean to add a firewall, as after a port scan they closed the port that my Redis instance was running on, which they mentioned is a security risk.

This is my configuration:

This is the droplet:

resource "digitalocean_droplet" "nottoboard-web" {
  image    = "docker-20-04"
  name     = "nottoboard-web"
  region   = "lon1"
  size     = "s-1vcpu-1gb"
  ssh_keys = [
    data.digitalocean_ssh_key.macos.id
  ]

  volume_ids = [digitalocean_volume.notto-media-1.id]

  connection {
    host        = self.ipv4_address
    user        = "root"
    type        = "ssh"
    private_key = file(var.pvt_key)
    timeout     = "2m"
  }
 ... etc
}

This is the firewall:

resource "digitalocean_firewall" "nottoboard-web" {
  name = "nottoboard-web-firewall"

  droplet_ids = [digitalocean_droplet.nottoboard-web.id]

  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "2002:1:2::/48"]
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "443"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

}

I have a docker-compose stack that runs inside the droplet; it works until I add the firewall.
One of the containers in the stack is an nginx image, with the following config:

client_max_body_size 20M;

upstream django {
    server main_app:8001;
}

server {

    listen 80;
    server_name nottoboard.com www.nottoboard.com;

    location / {
        proxy_pass http://django;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }

    location /static/ {
        alias /static/;
    }

    location /media/ {
        alias /media/;
    }
}

Describe the bug

After adding this firewall, I try to see the website in a browser with, for example, http://www.nottoboard.com/.
Please note: I have currently turned the firewall off for this website until I can resolve this issue, so if you check this URL it will seem like it works.

With the firewall turned on I get a 502 Bad Gateway.

Affected Resource(s)

  • digitalocean_droplet
  • digitalocean_firewall

Expected Behavior

The website should be available over port 80 so that I can access the website from a browser.

Actual Behavior

The website responds with: 502 Bad Gateway


jmholla commented Sep 18, 2024

I deleted my previous responses as I misunderstood DO's outbound firewall rules.

Does your 502 page mention nginx? If so, it isn't DO's firewall blocking inbound connections. I think your issue is your outbound ports. Are you sure your service isn't talking to services that aren't HTTP/HTTPS/DNS, or at least not on the expected port? Running tcpdump or ss without the firewalls will let you see what ports your server is attempting to reach out to.

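The following is an added example, not code from the issue, from the reporter, or from the DigitalOcean provider. It turns the check jmholla describes into something repeatable: it encodes the outbound_rule set from the firewall resource posted above as a table, parses `ss -tun` style output, and lists every established connection whose destination protocol/port the outbound rules would not permit. DigitalOcean cloud firewalls are stateful, so the outbound rules only govern connections the droplet itself initiates, which is exactly what `ss` shows. The `ss` output and the peer addresses in it are constructed (RFC 5737/3849 documentation ranges); on a real droplet you would feed in the output of `ss -tun` captured while the firewall is detached, as the comment suggests.

```python
"""Compare a droplet's active outbound connections against a
digitalocean_firewall outbound_rule set and report what the rules would block.

Added example; the rule table mirrors the issue's config, the ss output is constructed.
"""
import ipaddress

# Outbound rules copied from the issue's digitalocean_firewall resource:
# (protocol, port_range). port_range None means the protocol has no ports (icmp).
OUTBOUND_RULES = [
    ("tcp", "443"),
    ("udp", "80"),
    ("icmp", None),
    ("tcp", "80"),
    ("tcp", "53"),
    ("udp", "53"),
]


def outbound_allowed(proto, port, rules=OUTBOUND_RULES):
    """True if the rule set permits a droplet-initiated connection to proto/port.

    Handles single ports ("443"), ranges ("8000-8100") and the provider's
    "all" / "1-65535" spellings for every port.
    """
    for rule_proto, port_range in rules:
        if rule_proto != proto:
            continue
        if port_range in (None, "all", "1-65535"):
            return True
        if "-" in port_range:
            lo, hi = (int(p) for p in port_range.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(port_range) == port:
            return True
    return False


def parse_ss_line(line):
    """Parse one `ss -tun` row into (proto, peer_ip, peer_port).

    Returns None for the header row or anything that is not tcp/udp.
    Columns: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port [Process]
    """
    fields = line.split()
    if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
        return None
    peer_host, _, peer_port = fields[5].rpartition(":")
    peer_ip = ipaddress.ip_address(peer_host.strip("[]"))  # strips IPv6 brackets
    return fields[0], peer_ip, int(peer_port)


def find_blocked(ss_output, rules=OUTBOUND_RULES):
    """Return [(proto, peer, port)] for connections the outbound rules would not permit.

    Loopback peers are skipped: that traffic never leaves the droplet, and the
    cloud firewall sits outside the droplet, so it never sees it (the same holds
    for container-to-container traffic on the Docker bridge).
    """
    blocked = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, peer, port = parsed
        if peer.is_loopback:
            continue
        if not outbound_allowed(proto, port, rules):
            blocked.append((proto, str(peer), port))
    return blocked


# Constructed sample of `ss -tun` output; addresses are documentation ranges.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   ESTAB  0      0      198.51.100.7:51234   203.0.113.20:443
tcp   ESTAB  0      0      198.51.100.7:51235   203.0.113.30:5432
udp   ESTAB  0      0      198.51.100.7:41000   203.0.113.53:53
tcp   ESTAB  0      0      [2001:db8::7]:51236  [2001:db8::ff]:8443
tcp   ESTAB  0      0      127.0.0.1:38000      127.0.0.1:6379
"""

if __name__ == "__main__":
    for proto, peer, port in find_blocked(SAMPLE_SS_OUTPUT):
        print(f"outbound {proto} to {peer}:{port} is not covered by any outbound_rule")
```

In the constructed sample the HTTPS and DNS connections pass, the loopback Redis connection is ignored, and the Postgres (5432) and 8443 connections are reported; each reported line corresponds to one `outbound_rule` that would have to be added (with the narrowest `destination_addresses` that still works) before attaching the firewall.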