[BUG] Host is forced to :: / 0.0.0.0 -- security vulnerability #240
Comments
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
That's the intended behavior. You haven't specified what it is you would change it to (or what exactly makes you think there would be a security vulnerability), but if you're trying to change it to You can control the listen ip as part of the port mapping (ie.
That's the whole point of making it user configurable -- so I can bind a reverse proxy that does authentication for SSO in front of it, and have the whole thing otherwise hidden from the outside world (using the reverse proxy's net, with
Put the reverse proxy and sab in the same user defined bridge network and use the address EDIT: and don't map any ports for sab as no connection will be made over the host. The connection will go through the docker network that only your reverse proxy and sab will have access to
Sure... but there is no reason not to make that configurable directly and force it, when it's actually supposed to be user configurable, like every other app
Letting users do crazy weird things leads to a lot more support requests for us. That's work.
When you run it on bare metal, sure. That's not what we're doing here
I think the port mapping trick from above ( I guess the only option left if it's not made configurable one way or another is to make a docker network for this, although I'm not entirely certain how it will play out with other containers and how I can tweak the isolation:
So right now, I would bind SAB and R onto PROXY's network, listening on 127.0.0.1. => If SAB is put on the same network, but not bound to 127.0.0.1, C will have access to it, unauthenticated
(for reference, ich777 does it right: https://github.com/ich777/docker-sabnzbd/blob/master/scripts/start-server.sh#L62 )
No. It's so that the app's port is accessible from the host while the container is in a bridge network. Forget about binding to You're overthinking it. Read up on Put SWAG and sab on network A SWAG can connect to both sab and radarr via their container name and container port, but sab and radarr can't connect to each other. Here's the SWAG docs on that subject: https://docs.linuxserver.io/general/swag/#docker-networking
Oh gosh, that's the point I was missing: a container can attach to multiple networks! I guess that would indeed solve it. Let me try that. Many thanks.
So... I played with it, and the solution isn't perfect, as bridge networks need to go through the default route (ie. I can't bind them to a VLAN -- I somehow don't want the containers to be able to reach the host -- Unraid in my case -- or other parts of the network). In ipvlan/macvlan, I'd need to create separate VLANs for each isolation at the router level. Edit: I've made a docker mod to bypass, until I have a better solution: https://github.com/tubededentifrice/docker-mods / https://hub.docker.com/repository/docker/tubededentifrice/mods/general
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
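The two-network layout the maintainer describes above, written out as a Compose file. This is an added example, not part of the issue thread or of the linuxserver projects; the network names `sab_net`/`radarr_net`, the image tags and the published port 443 are assumptions. Because sab and radarr publish no host ports, the forced `0.0.0.0`/`::` bind inside the container is reachable only by containers on the same user-defined network, i.e. only by SWAG.

```yaml
# Added example: isolate SABnzbd and Radarr behind a reverse proxy using
# two user-defined bridge networks. Network names, images and the proxy's
# published port are assumptions for illustration.
services:
  swag:
    image: lscr.io/linuxserver/swag
    ports:
      - "443:443"          # the proxy is the only service published on the host
    networks:
      - sab_net            # reaches sabnzbd by container name (sabnzbd:8080)
      - radarr_net         # reaches radarr by container name

  sabnzbd:
    image: lscr.io/linuxserver/sabnzbd
    # No "ports:" block: nothing is published on the host interface, so the
    # in-container listener on :: / 0.0.0.0 is only reachable from sab_net.
    networks:
      - sab_net

  radarr:
    image: lscr.io/linuxserver/radarr
    # Not a member of sab_net, so radarr cannot open a connection to sabnzbd
    # directly; only the proxy (on both networks) can.
    networks:
      - radarr_net

networks:
  sab_net:
  radarr_net:
```

To confirm the isolation, `docker inspect` the sabnzbd container and check that `HostConfig.PortBindings` is empty and that its only network is `sab_net`; a shell in the radarr container should fail to resolve or connect to `sabnzbd`.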
Is there an existing issue for this?
Current Behavior
At https://github.com/linuxserver/docker-sabnzbd/blob/master/root/etc/s6-overlay/s6-rc.d/svc-sabnzbd/run#L4 the host is forced to "::" or "0.0.0.0" (depending on IPv6 availability), preventing the user from binding it to only a single IP (eg. 127.0.0.1)
Expected Behavior
I'm not sure what's the default, but it should only be set like this when there is no existing config file (or at least, make it configurable as an environment variable).
Steps To Reproduce
Try changing the SABnzbd Host on the config page; after restarting, it's back to "::"
Environment
CPU architecture
x86-64
Docker creation
Container logs