
UFW + Docker - allow Tinyproxy container to receive all HTTP/HTTPS traffic


Situation

I have a Tinyproxy Docker container forwarding traffic on a host. I also have Nginx reverse proxy receiving/passing HTTP/HTTPS connections to other servers on the same host. Tinyproxy and Nginx are on different Docker networks. Nginx and the servers behind it share the same Docker network. If I try to restrict Nginx's incoming connections to connections coming from Tinyproxy, everything works fine. I checked Nginx's logs and saw that all proxied connections were coming from Nginx's gateway, presumably because Docker was handling the routing between its networks. Then I just restricted incoming connections to the gateway on Nginx's server directives:

allow 192.168.10.1;
deny all;

Problem

When I close 80 and 443/tcp ports on my host, Tinyproxy cannot access the servers. My goal is to close 80 and 443/tcp ports and only allow incoming traffic through Tinyproxy to servers behind Nginx.

What I've Tried

Specified Nginx's and Tinyproxy's networks in my UFW rules (ufw allow from 192.168.20.0/24 to 192.168.10.0/24 port 80/tcp; ufw allow from 192.168.20.0/24 to 192.168.10.0/24 port 443/tcp, 192.168.20.0/24 being Tinyproxy's network). No success.


djdomi: Nginx is a full reverse proxy; for what reason do you want to use Tinyproxy?

Vinicius Gonçalves Melo: @djdomi I'm using Tinyproxy as a forward proxy to limit access to Nginx; one of the apps behind Nginx does not support public-key client TLS auth, so the solution I found was this.

djdomi: Nginx can do basic auth, for example.

Vinicius Gonçalves Melo: Yes, I just saw that Nginx can also act as a forward proxy... Well, it makes sense to me to have this host's reverse proxy (Nginx) and forward proxy (Tinyproxy) on different Docker networks, so that I can use different services/ports; what I cannot understand is why Tinyproxy's packets are blocked by UFW in this particular case.

Jérôme Radix: Have you tried putting the 'allow' directive AFTER the 'deny all' directive?

Vinicius Gonçalves Melo: Hi @JérômeRadix. "The rules are processed in sequence, from top to bottom: if the first directive in the sequence is deny all, then all further allow directives have no effect", from [here](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/#restricting-access-by-ip-address). It is working with this Nginx config and 80/443 tcp ports opened on my host; it doesn't work if I close 80/443 tcp ports on the host: Tinyproxy cannot forward to Nginx, even though the containers are running on the same host.

Jérôme Radix: This "logic" hurts mine: how could a "deny all" not deny all if "rules are processed in sequence from top to bottom" and you put "deny all" at the end...

djdomi: Speculating about something that was not explained leads me to this: Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers. Please provide all the things stated in here in your question.