Expose a range of ports to the internet #59
Reference: exozyme/exozyme#59
It might be a good idea to expose a block of ports to the internet for our users' web hosting and stuff. Sounds like terrible security, so we should think through this before taking action.
Title changed from "Expose a block of ports to the internet" to "Expose a range of ports to the internet".
I opened up ports 42000 to 42999 in the firewall since these ports aren't used by any applications.
OK, it looks like those ports are sometimes used by apps so let's open up ports 4200 to 4299 instead.
Yeah let's not do this for now since I don't think it's good for security.
SSH port forwarding is much better for security, and you guys can always ask if you would like a port opened up.
OK, let's do this correctly this time. According to `/proc/sys/net/ipv4/ip_local_port_range`, 32768 is the lowest port number that ephemeral ports use, so we can't safely expose anything above that. Anything below 1024 is only allowed to be bound by root. How about we expose 10 ports in the remaining range?
Another option could be to use nginx to do the proxying, since this would add greater security from TLS encryption at the expense of only being able to proxy HTTP connections.
@notaiden What are your thoughts on this?
It sounds good! I think exposing ports isn't all that secure, but if you can make it secure that sounds great!
I don't think the ports 4200-4209 are used much so I'll make 0.exozy.me through 9.exozy.me proxy those ports.
OK, I added this to our nginx configs.
@Ta180m I can't seem to use this. I've created an index.html file in a subdirectory and ran `php -S localhost:4200`, yet when I try to open https://0.exozy.me I get 502 Bad Gateway.
Is PHP running the server on `0.0.0.0` or `::`? The nginx port proxying only works with IPv4.
Basically, you should use `127.0.0.1` instead of `localhost`.
oh ok, thanks!
OK, this is now fixed using `dnsmasq`. I'm not sure if this solution is brittle, but it seems to work. You can now either use IPv4 or IPv6 for the proxied ports! 🎉
How about also opening up ports 4200 to 4209 in our firewall? I'm not sure of the security implications of this though.
I opened 4200 to 4209.
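The checks the thread works through before settling on a range (not below 1024, not overlapping the ephemeral range in `/proc/sys/net/ipv4/ip_local_port_range`, not already used by an app), as an added example that is not part of the original issue or the project's configuration. The function names `read_ephemeral`, `classify_range` and `listeners_in_range` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: vet a candidate port range before
# opening it in the firewall, using the limits the discussion names.

# read_ephemeral [FILE]: print "LOW HIGH" of the kernel's ephemeral port range.
read_ephemeral() {
    f=${1:-/proc/sys/net/ipv4/ip_local_port_range}
    read -r eph_lo eph_hi < "$f" || return 1
    echo "$eph_lo $eph_hi"
}

# classify_range LO HI EPH_LO EPH_HI: print a verdict; status 0 only if usable.
classify_range() {
    lo=$1; hi=$2
    if [ "$lo" -gt "$hi" ] || [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ]; then
        echo invalid; return 2
    fi
    # Ports below 1024 can only be bound by root, so users cannot serve on them.
    if [ "$lo" -lt 1024 ]; then echo privileged; return 1; fi
    # Overlap with the ephemeral range collides with outgoing connections.
    if [ "$hi" -ge "$3" ] && [ "$lo" -le "$4" ]; then
        echo ephemeral-overlap; return 1
    fi
    echo ok
}

# listeners_in_range LO HI [FILE]: print ports in LO..HI that already have a
# listening TCP socket. FILE is in /proc/net/tcp format (state 0A = LISTEN);
# pass /proc/net/tcp6 to check IPv6 listeners as well.
listeners_in_range() {
    f=${3:-/proc/net/tcp}
    while read -r _sl laddr _rem st _rest; do
        [ "$st" = 0A ] || continue
        # The local address is HEXIP:HEXPORT; convert the port to decimal.
        port=$((0x${laddr##*:}))
        if [ "$port" -ge "$1" ] && [ "$port" -le "$2" ]; then echo "$port"; fi
    done < "$f"
}
```

On a Linux host, `classify_range 4200 4209 $(read_ephemeral)` followed by `listeners_in_range 4200 4209` reports whether the range is usable and which of its ports are already taken.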