Description
Hi there, I am having a problem where an app has its port visible to the outside world, even though there is no port forwarding set in CapRover, nor is the port allowed to the outside world in ufw.
It's a Postgres database which is installed via direct image: postgis/postgis:17-3.5
When I do docker ps it also does not show a port mapped to the host:
root@production:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f5004dd32472 dockerregistry.beta.domain.com/ffy/production-ffyappnameweb:production-10.7.10 "/docker-entrypoint.…" 6 days ago Up 6 days 80/tcp, 8910/tcp srv-captain--web.1.9ft1wjxkri6ltfdcuam2hrbej
7c6ac5dc6b89 dockerregistry.beta.domain.com/ffy/production-ffyappnameapi:production-10.7.10 "bash serve-api.sh" 6 days ago Up 6 days srv-captain--api.1.ib96gw3whnqwu3mfzlpm4oxs5
ca84380274ce caprover/certbot-sleeping:v2.11.0 "/bin/sh -c 'sleep 9…" 2 months ago Up 2 months 80/tcp, 443/tcp captain-certbot.1.s0em4p7b0mymrg2tx350zgtch
9d0f55106e9d nginx:1.27.2 "/docker-entrypoint.…" 2 months ago Up 2 months 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp captain-nginx.1.rgkdfu72djv2s5t06zdhul3qh
90ab8a85b559 caprover/caprover:1.13.3 "docker-entrypoint.s…" 2 months ago Up 2 months 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp captain-captain.1.pcbdtv75uuheelvmy0g1qb2oo
9465d3b1fa72 quay.io/prometheuscommunity/postgres-exporter:master "/bin/postgres_expor…" 2 months ago Up 2 months 9187/tcp srv-captain--postgis-exporter.1.hai5tx9n2z43khnazly7b9go5
7d4d76e1c9c0 prodrigestivill/postgres-backup-local:latest "/init.sh" 2 months ago Up 2 months (healthy) 5432/tcp srv-captain--db-production-backups.1.mzvsoj7uhnq9apebfx9istsvu
6ccc05f8f0c0 caprover/nginx-reverse-proxy:1-ef5ffcb "/docker-entrypoint.…" 2 months ago Up 2 months 80/tcp srv-captain--storage-backup-api.1.urdzwjetwnn1vkk3uiweu32aq
ae064a2803ab dockerregistry.beta.domain.com/ffy/img-captain-storage-backup:3 "/usr/bin/docker-ent…" 2 months ago Up 2 months 9000/tcp srv-captain--storage-backup.1.lcakkwtm2q8fvvj5erhwu1lo6
ece77c25c4af dockerregistry.beta.domain.com/ffy/img-captain-storage:4 "/usr/bin/docker-ent…" 2 months ago Up 2 months 9000/tcp srv-captain--storage.1.hubtsxh4yj51spfy0egp4lynf
fee463e9ec98 lscr.io/linuxserver/openssh-server:version-8.6_p1-r3 "/init" 2 months ago Up 2 months srv-captain--sshd.1.ox8ilvm7bpym06uax0tm4k1gj
0d5fae8dce86 dockerregistry.beta.domain.com/ffy/img-captain-redis:1 "docker-entrypoint.s…" 2 months ago Up 2 months 6379/tcp srv-captain--redis.1.i0sgovhdkmrf59851d0ygkqbi
4219ef35713e prom/prometheus:latest "/bin/prometheus --c…" 2 months ago Up 2 months 9090/tcp srv-captain--prometheus.1.nm5f8n0bfxt6439k5rtecfxj0
77aaa397cd75 postgis/postgis:17-3.5 "docker-entrypoint.s…" 2 months ago Up 2 months 5432/tcp srv-captain--db-production-17.1.j21dwgqi4wlynu1sb8upl12v3
cc0514935284 caprover/nginx-reverse-proxy:1-ef5ffcb "/docker-entrypoint.…" 4 months ago Up 4 months 80/tcp srv-captain--storage-api.1.qtw97s5a8rtf8ff2kunqa1xe8
4bfb2c5badc6 caprover/netdata:v1.8.0 "/run.sh" 6 months ago Up 6 months 19999/tcp captain-netdata-container
netstat -tulpn does not show a 5432 port:
root@production:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3325572/docker-prox
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 953/sshd: /usr/sbin
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 3325358/docker-prox
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3325587/docker-prox
tcp6 0 0 :::2377 :::* LISTEN 999/dockerd
tcp6 0 0 :::7946 :::* LISTEN 999/dockerd
tcp6 0 0 :::2222 :::* LISTEN 999/dockerd
tcp6 0 0 :::80 :::* LISTEN 3325580/docker-prox
tcp6 0 0 :::22 :::* LISTEN 953/sshd: /usr/sbin
tcp6 0 0 :::3000 :::* LISTEN 3325365/docker-prox
tcp6 0 0 :::443 :::* LISTEN 3325595/docker-prox
udp 0 0 0.0.0.0:68 0.0.0.0:* 687/dhclient
udp 0 0 0.0.0.0:4789 0.0.0.0:* -
udp6 0 0 :::7946 :::* 999/dockerd
udp6 0 0 :::2222 :::* 999/dockerd
root@production:~#
docker service inspect:
root@production:~# docker service inspect srv-captain--db-production-17 --pretty
ID: ju4dgiy277mq1ad3jy3h4d3u5
Name: srv-captain--db-production-17
Service Mode: Replicated
Replicas: 1
UpdateStatus:
State: completed
Started: 2 months ago
Completed: 2 months ago
Message: update completed
Placement:
Constraints: [node.id == xab9gxqk7eh260bu75u0slb0g]
UpdateConfig:
Parallelism: 0
On failure: pause
Monitoring Period: 5s
Max failure ratio: 0
Update order: stop-first
RollbackConfig:
Parallelism: 1
On failure: pause
Monitoring Period: 5s
Max failure ratio: 0
Rollback order: stop-first
ContainerSpec:
Image: postgis/postgis:17-3.5
Env: POSTGRES_USER=ffy POSTGRES_PASSWORD=REPLACED POSTGRES_DB=ffy_dev PGDATA=/var/lib/postgresql/17/data POSTGRES_INITDB_ARGS=
Mounts:
Target: /var/lib/postgresql/17/data
Source: captain--db-production-data-17
ReadOnly: false
Type: volume
Log Driver:
Name: json-file
LogOpts:
max-size: 512m
Resources:
Networks: captain-overlay-network
Endpoint Mode: vip
root@production:~#
lsof:
root@production:~# ss -tulpn | grep 5432
root@production:~# sudo lsof -iTCP:5432 -sTCP:LISTEN
root@production:~#
But if I do a port scan using nmap it is there (and I can connect to the very database installed using CapRover).
Not shown: 995 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3000/tcp open ppp
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 1095.40 seconds
What is the problem here? Is this known? What do I have to do to make it not available from the outside world?
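One point worth keeping in mind when reading the outputs above: `netstat`, `ss` and `lsof` only list sockets in the host's own network namespace, while Docker publishes ports through DNAT rules in the `nat` table (the `DOCKER` chain for bridge-mode publishing, the `DOCKER-INGRESS` chain for swarm ingress-mode publishing). A port can therefore answer a scan without any host process listening on it. The script below is an added example and not part of the issue or of CapRover; it cross-checks a port reported open by a scan against `iptables-save -t nat` output and `docker service inspect` JSON. Both inputs here are constructed samples (the IPs, the `example-db-with-published-port` service and its published port are invented for illustration); the set of host-listening ports is the one from the issue's `netstat` output. In practice you would feed it the real output of `iptables-save -t nat` and `docker service inspect $(docker service ls -q)`.

```python
import json
import shlex

# Constructed sample of `iptables-save -t nat` output on a swarm node
# (addresses and the 5432 rule are invented for the example).
SAMPLE_IPTABLES_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-INGRESS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER-INGRESS -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.18.0.2:2222
-A DOCKER-INGRESS -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.18.0.2:5432
-A DOCKER-INGRESS -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.3:3000
COMMIT
"""

# Constructed, abridged sample in the shape of `docker service inspect` JSON.
# The second service is hypothetical; it stands for "some service that publishes 5432".
SAMPLE_SERVICES = json.loads("""[
 {"Spec": {"Name": "srv-captain--sshd",
           "EndpointSpec": {"Mode": "vip", "Ports": [
             {"Protocol": "tcp", "TargetPort": 2222, "PublishedPort": 2222, "PublishMode": "ingress"}]}}},
 {"Spec": {"Name": "example-db-with-published-port",
           "EndpointSpec": {"Mode": "vip", "Ports": [
             {"Protocol": "tcp", "TargetPort": 5432, "PublishedPort": 5432, "PublishMode": "ingress"}]}}},
 {"Spec": {"Name": "srv-captain--db-production-17",
           "EndpointSpec": {"Mode": "vip"}}}
]""")

# TCP ports with a listening socket on the host, taken from the issue's netstat output.
HOST_LISTENING_TCP = {22, 80, 443, 2222, 2377, 3000, 7946}


def parse_nat_rules(text):
    """Turn the `-A <chain> ...` lines of iptables-save output into dicts."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        rule = {"chain": tokens[1], "proto": None, "dport": None, "target": None, "to": None}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-p":
                rule["proto"] = tokens[i + 1]
                i += 2
            elif tok == "--dport":
                lo, _, hi = tokens[i + 1].partition(":")  # "5432" or "5000:5010"
                rule["dport"] = (int(lo), int(hi or lo))
                i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok == "--to-destination":
                rule["to"] = tokens[i + 1]
                i += 2
            else:
                i += 1  # other matches (-m, -i, !, ...) are irrelevant here
        rules.append(rule)
    return rules


def nat_rules_for_port(text, port, proto="tcp"):
    """DNAT rules whose destination-port match covers `port`."""
    return [r for r in parse_nat_rules(text)
            if r["target"] == "DNAT" and r["proto"] == proto
            and r["dport"] is not None and r["dport"][0] <= port <= r["dport"][1]]


def services_publishing_port(services, port, proto="tcp"):
    """(service name, publish mode, target port) for every service publishing `port`."""
    hits = []
    for svc in services:
        spec = svc.get("Spec", {})
        for p in spec.get("EndpointSpec", {}).get("Ports", []) or []:
            if p.get("PublishedPort") == port and p.get("Protocol", "tcp") == proto:
                hits.append((spec.get("Name"), p.get("PublishMode", "ingress"), p.get("TargetPort")))
    return hits


def audit_port(port, iptables_text, services, listening_ports):
    """Collect every place a port can be reached from, socket or not."""
    return {
        "port": port,
        "host_socket": port in listening_ports,
        "nat_rules": nat_rules_for_port(iptables_text, port),
        "services": services_publishing_port(services, port),
    }


if __name__ == "__main__":
    for port in (5432, 3000, 9090):
        result = audit_port(port, SAMPLE_IPTABLES_NAT, SAMPLE_SERVICES, HOST_LISTENING_TCP)
        print(f"port {port}: host socket={result['host_socket']}, "
              f"nat rules={[(r['chain'], r['to']) for r in result['nat_rules']]}, "
              f"published by={result['services']}")
```

In the constructed sample, 5432 shows no host socket but one `DOCKER-INGRESS` DNAT rule and one service publishing it in ingress mode, which is exactly the combination that makes a port reachable on every swarm node while `ss`/`netstat` on the host stay silent; 3000 shows the bridge-mode pattern (`DOCKER` chain plus a `docker-proxy` socket), and 9090 shows a port that is only exposed inside the overlay network. Running the same audit with the real `iptables-save -t nat` and service JSON tells you which rule or service to remove, and a host firewall such as ufw needs its rules in the `DOCKER-USER` chain to take effect before Docker's own DNAT rules.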