crossbar, docker, ufw and ubuntu ... having trouble

#1

All,

I’m trying to run crossbar through docker but I’m having trouble getting it to work on a colo server. When I run on a machine that does NOT use UFW, I don’t have any trouble connecting to the docker forwarded ports and accessing crossbar. To set up crossbar, I installed something like the following:

docker create -u root \
  -v /demo/backend/crossbar:/node \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -p 8080:8080 \
  -p 127.0.0.1:9001:9001 \
  -p 127.0.0.1:9080:9080 \
  --name crossbar \
  crossbario/crossbar

However, when I try to connect to a server that DOES use UFW, I can’t establish any connections:

PHP Warning: file_get_contents(http://127.0.0.1:9080/publish): failed to open stream: HTTP request failed! …

I am running the HTTP Bridge “publish” transport on port 9080 to handle pushing events synchronously into crossbar from some CLI and web applications in PHP. The pertinent crossbar configs look as follows:

{
  "id": "web9080",
  "type": "web",
  "endpoint": {
    "type": "tcp",
    "port": 9080
  },
  "paths": {
    "publish": {
      "type": "publisher",
      "realm": "dante",
      "role": "backend"
    }
  }
}

In PHP, the publish function I call looks like this:

public function publish(string $topic, $args = [], $kwargs = [])
{
    // encode data and create stream context (json)
    // note: the positional $args are forwarded as well; the original sent an
    // empty array here, which silently dropped every positional argument
    $context = stream_context_create(
        [
            'http' => [
                'method'  => 'POST',
                'header'  => 'Content-Type: application/json',
                'content' => json_encode(['topic' => $topic, 'args' => $args, 'kwargs' => $kwargs])
            ]
        ]
    );

    // send to http bridge (publish)
    $response = file_get_contents('http://127.0.0.1:9080/publish', false, $context);

    // return json decoded data
    return json_decode($response, true);
}

On my DEV server, iptables is very simple because I don’t really use any firewall (inside the DMZ):

---------- 8< -------------------- 8< ----------
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9080
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9001
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http-alt

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
---------- 8< -------------------- 8< ----------

But on the production server, iptables is much more complex … but I think the main issue is because the default policies have been changed:

iptables -L | grep '(policy'
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)

I want to be able to connect to crossbar from remote hosts but would like to limit those hosts to only the ones I put in my firewall rules. Have any of you worked with ubuntu, ufw, docker, and crossbar enough to tell me how to go about this?

In the end, I don’t know why this has to be so difficult. We should be able to do this:

apt install crossbar

then configure a file in /etc/crossbar/config.json or similar and be DONE:

service crossbar restart

I don’t really want to install and run docker and don’t want to mess with python and/or pypy etc. I can use other services like mongo, redis, beanstalk, and apache, etc without all the docker hassle.

Why isn’t it this simple?

– Dante

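One way to get the "only the hosts in my firewall rules" behaviour Dante asks for, as an added example that is not part of this thread or of Crossbar.io's tooling: it builds iptables rules for Docker's DOCKER-USER chain, which Docker evaluates before its own FORWARD rules (UFW rules that only touch INPUT never see traffic to a published port). It assumes Docker 17.06 or newer (DOCKER-USER exists), an IPv4 allowlist, and that the interface name and addresses below are placeholders to replace with your own.

```python
"""Restrict a Docker-published port to an allowlist of source hosts.

Added example (not from the thread or Crossbar.io). Assumes Docker >= 17.06,
whose DOCKER-USER chain is consulted before Docker's own FORWARD rules.
"""
import ipaddress
import subprocess
from typing import List, Sequence


def docker_user_rules(ext_if: str, port: int, allowed: Sequence[str]) -> List[List[str]]:
    """Return iptables argv lists in the order they must be applied.

    Every rule is inserted at the top of DOCKER-USER with -I, so the
    catch-all DROP is emitted first and the per-host RETURN rules after it;
    once applied the chain reads RETURN(host)..., DROP, then Docker's own
    trailing RETURN. --ctorigdstport matches the port the client connected
    to (before Docker's DNAT rewrote it to the container port) and
    --ctdir ORIGINAL leaves the container's reply packets alone.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    if not ext_if or any(c.isspace() for c in ext_if):
        raise ValueError(f"bad interface name {ext_if!r}")
    match = ["-i", ext_if, "-p", "tcp", "-m", "conntrack",
             "--ctorigdstport", str(port), "--ctdir", "ORIGINAL"]
    rules = [["iptables", "-I", "DOCKER-USER", *match, "-j", "DROP"]]
    for src in allowed:
        net = ipaddress.ip_network(src, strict=False)  # rejects typos and garbage
        if net.version != 4:
            raise ValueError(f"{src}: IPv6 needs ip6tables, not handled here")
        rules.append(["iptables", "-I", "DOCKER-USER", *match,
                      "-s", str(net), "-j", "RETURN"])
    return rules


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> List[str]:
    """Print (dry run) or execute the rules as root; returns the command lines."""
    lines = [" ".join(r) for r in rules]
    for argv, line in zip(rules, lines):
        if dry_run:
            print(line)
        else:
            subprocess.run(argv, check=True)
    return lines


if __name__ == "__main__":
    # Constructed sample: 8080 is the only port the thread publishes on all
    # interfaces (9001/9080 are bound to 127.0.0.1); addresses are placeholders.
    apply_rules(docker_user_rules("eth0", 8080, ["203.0.113.10", "198.51.100.0/24"]))
```

Run it as is to review the generated commands, then call `apply_rules(..., dry_run=False)` as root once the interface and allowlist are correct.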

#2

I don't really want to install and run docker and don't want to mess with
python and/or pypy etc. I can use other services like mongo, redis,
beanstalk, and apache, etc without all the docker hassle.

Why isn't it this simple?

because it is even simpler (and more robust and secure)!

install:

sudo snap install --edge crossbar

run:

mkdir /tmp/node1
cd /tmp/node1
crossbar init
crossbar start

cheers,
/Tobias
