rancher-active-proxy

Port leaking

Open Xstoudi opened this issue 7 years ago • 8 comments

All ports are open on every domain. I can access the container on port 8080 from any domain that rancher active proxy manages.

example.com redirects to the correct website but example.com:8080 redirects to the Rancher panel.

Xstoudi, Apr 24 '18 08:04

Hi,

Maybe you have your proxy on the same host as Rancher and Rancher exposes 8080? Therefore the domain resolves to the IP of Rancher, and since you ask for 8080 (exposed by your Rancher) it works?

ValentinOdier, Apr 24 '18 09:04

Exactly, but imo, it shouldn't work.

Xstoudi, Apr 24 '18 11:04

It works as expected.

You query domain.com, and it tells you it has a super A record pointing to IP_OF_RANCHER_SRV.

Then your browser asks this IP on the provided port. Since you ask for 8080 and you explicitly mapped it onto the host, it works. You are not hitting the proxy; you bypass it. If you don't map 8080 on the Rancher server, it won't work.

I've been using RAP for a while and I never had this behavior.

ValentinOdier, Apr 26 '18 15:04
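
The point made in the comment above (a port mapped onto the host answers under every domain that resolves to that host, without passing through the proxy) can be audited from the Docker port listing. This is an added example, not part of the original thread or of rancher-active-proxy; it assumes input in the form printed by `docker ps --format '{{.Names}}\t{{.Ports}}'`, that the proxy legitimately publishes only 80 and 443, and uses constructed container names.

```python
import re

# Ports the reverse proxy itself is expected to publish (assumption).
PROXY_PORTS = {80, 443}
# Bind addresses that make a published port reachable on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", "[::]"}
# One Ports entry: "<host_ip>:<host_port[-end]>-><container_port[-end]>/<proto>"
MAPPING = re.compile(r"^(?P<ip>.+):(?P<start>\d+)(?:-(?P<end>\d+))?->[\d-]+/(?P<proto>\w+)$")

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
SAMPLE = (
    "rancher-server\t0.0.0.0:8080->8080/tcp, :::8080->8080/tcp\n"
    "rancher-active-proxy\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp\n"
    "blog\t80/tcp\n"
    "metrics\t127.0.0.1:9100->9100/tcp\n"
    "workers\t0.0.0.0:8000-8001->8000-8001/tcp\n"
)


def bypass_ports(ps_output, proxy_ports=PROXY_PORTS):
    """Return sorted (container, host_port, proto) tuples for ports published
    on all interfaces that are not the proxy's own ports."""
    findings = set()
    for line in ps_output.strip().splitlines():
        name, _, ports = line.partition("\t")
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            m = MAPPING.match(entry)
            if not m:  # e.g. "80/tcp": exposed inside Docker only, not published
                continue
            if m["ip"] not in WILDCARD_BINDS:  # e.g. 127.0.0.1: local only
                continue
            start = int(m["start"])
            end = int(m["end"] or start)  # single port or a published range
            for port in range(start, end + 1):
                if port not in proxy_ports:
                    findings.add((name, port, m["proto"]))
    return sorted(findings)


if __name__ == "__main__":
    for container, port, proto in bypass_ports(SAMPLE):
        print(f"{container}: {port}/{proto} is reachable without the proxy")
```

Anything it reports is served directly by the host on that port, so either drop the host mapping, bind it to a private address, or filter it at the firewall.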

One more question, is it possible to have only one front-end RAP that redirects to other servers?

Xstoudi, Apr 27 '18 07:04

Yep, that's what it was made for :)

I currently have like 40 servers behind a rancher active proxy; works fine.

ValentinOdier, Apr 27 '18 08:04

How? I'm currently running a RAP instance on each server :c

Xstoudi, Apr 27 '18 08:04

So I currently use just 1 RAP.

You could use more by adding multiple A records to point to multiple hosts. The only issue is if you use https. If you do, you need to have the (same) certificate everywhere. This is not included in RAP so it can be a bit annoying to do.

From what I have tested, RAP can handle a lot of traffic even with just 1 container. You might want to update the nginx conf tho.

ValentinOdier, Apr 27 '18 13:04

Yes, I need https but only between the client and the front-nginx, the communication between front-nginx and the server is in an intra-network.

Xstoudi, Apr 30 '18 08:04