simplyDuck
just joined
Topic Author
Posts: 7
Joined: Fri May 26, 2023 11:14 pm

Hosting gitlab docker and forwarding ports

Fri May 26, 2023 11:34 pm

Hello, I have my own server which is hosting a GitLab docker.

My docker forwards internally ports like this:
- "8080:80"
- "8443:443"

Using the DNS tab I set docker.local as an internal domain and pointed it to the server IP (see attachment).

In the browser, when I go to docker.local:8080 I get my docker. This works fine.

Trouble starts when I try to forward port 80 internally to 8080, so I could type docker.local and not worry about the port anymore.

I go into the console and add NAT rules:

/ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.xxx.xxx to-port=8080
/ip firewall nat add chain=dstnat dst-port=443 action=dst-nat protocol=tcp to-address=192.168.xxx.xxx to-port=8443

/ip firewall nat add chain=srcnat src-address=192.168.xxx.0/24 dst-address=192.168.xxx.xxx action=masquerade out-interface=bridge

Then in the browser, after typing the docker's IP or just docker.local, I receive a "403 Forbidden" output. If I add port 8080 it works just fine.

What else could I do to fix this? I was thinking that maybe it's the GitLab docker's fault, but I can't prove that.

Additional question: I found on the forum that ZeroTier doesn't provide web hosting, but is there a way to create a public IP address so I could move the server far away, plug it into the internet and have my webpage accessible from the internet?
 
simplyDuck
just joined
Topic Author
Posts: 7
Joined: Fri May 26, 2023 11:14 pm

Re: Hosting gitlab docker and forwarding ports

Sun Jun 04, 2023 1:49 pm

Refresh: Is there anyone who can help me? I'm still struggling with this issue.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Hosting gitlab docker and forwarding ports

Sun Jun 04, 2023 2:09 pm

> Refresh: Is here anyone who can help me? I'm still struggling with this issue.

If you can access it over port 80 as on 8080, but the service responds differently on 80, you should try to find the reason in the service configuration; the router is just forwarding packets here. There is an older thread on their forum regarding the GitLab 403 response - https://forum.gitlab.com/t/403-errors-o ... ab/27386/6 - which may be related to your problem.
 
simplyDuck
just joined
Topic Author
Posts: 7
Joined: Fri May 26, 2023 11:14 pm

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 4:20 pm

Sorry sir, maybe I described something wrong.

I've set a local DNS entry to resolve docker.local to an IP address.

And now I want to set routing on my MikroTik to tunnel port 80 to port 8080.

Setting NAT rules as described in the first message didn't work. So I'm looking for help.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 7:20 pm

> Setting nat rules as described in first message didn't work. So I'm looking for help.

Try setting in-interface to your WAN interface in your NAT rules for the ports.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 7:27 pm

The firewall rules look backwards...

> My docker forwards internally ports like this:
> - "8080:80"
> - "8443:443"
>
> [...]
>
> /ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.xxx.xxx to-port=8080
> /ip firewall nat add chain=dstnat dst-port=443 action=dst-nat protocol=tcp to-address=192.168.xxx.xxx to-port=8443

I presume GitLab is listening on 80 and 443, so the rules should be:
/ip firewall nat add chain=dstnat dst-port=8080 action=dst-nat protocol=tcp to-address=192.168.xxx.xxx to-port=80
/ip firewall nat add chain=dstnat dst-port=8443 action=dst-nat protocol=tcp to-address=192.168.xxx.xxx to-port=443

And since GitLab's redirection may not know about 8443, you likely won't be able to use port 8080 IF GitLab's insecure port just redirects to HTTPS (since it has no idea that, from outside, the port needed is 8443, not the port 443 it thinks).
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 7:32 pm

> And since gitlab's redirection may not know about 8443, you likely won't be able to use port 8080 IF gitlab insecure port just redirects to HTTPS (since it have no idea, from outside, the port needed is 8443 not the port 443 it thinks)

I assumed it was a service problem, but his answer "Setting nat rules as described in first message didn't work. So I'm looking for help." was confusing. But correct, the dst and to ports need to be exchanged. The best way is to set up 1:1 ports if possible, or check how the service is doing redirects; maybe a reverse proxy is needed.
 
simplyDuck
just joined
Topic Author
Posts: 7
Joined: Fri May 26, 2023 11:14 pm

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 9:44 pm

Thanks for all your answers.
> Setting nat rules as described in first message didn't work. So I'm looking for help.
> Try to set in your nat rules for ports in-interface with wan interface.

I probably tried that (I was sitting with this for half a week without progress). I will try this again to be sure whether it works or not and give feedback tomorrow; the server is down and I cannot switch it on now.


So it goes like this:
I have a docker with GitLab; yes, it's working on port 80, but I can redirect it in docker compose, so we would use 8080. That's why we have
- "8080:80"
- "8443:443"
If we type gitlab.local:8080 now we will access the GitLab web server.

What I want to do is make the redirection on the router instead of doing that in docker compose; I don't want to host it on port 80 (but I just checked it and it worked, so it's a workaround in case).

I want to redirect port 80 to 8080 so that when I type gitlab.local in the web browser:
1) my router understands that "gitlab.local" is an internal address and knows its IP address
2) it knows that when there's a request to this IP address on port 80 it will redirect this request to port 8080

So I want to do two things (one already done).
The router understands "gitlab.local", but I cannot make the second part work: redirecting port 80 to 8080.

Hope this explained the problem.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 9:57 pm

> What I want to do is making redirection on the router instead of doing that in docker compose, I don't want to host it on port 80(but just checked it and it worked - so it's workaround in case).

The router cannot do an HTTP redirect; you will need a web server / reverse HTTP proxy for that, like nginx.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 10:03 pm

The container IP in MikroTik does NOT use the EXPOSE or anything from docker-compose – all ports are mapped automatically to the container's IP. So yeah, port 80 would work ;).

You may need to use hairpin NAT if you don't want to just plumb the ports through directly...; for full details see:
viewtopic.php?t=179343

Although it may be easier to just use /ip/firewall/filter to drop any undesired subnets/interface-lists/etc. from using port 80/443 to your container instead.
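Why the rules in the first post never fire, as an added note with an example configuration (this is not from any participant in the thread): the static DNS entry resolves docker.local to the server itself, so a LAN client sends its packets straight to 192.168.xxx.xxx across the bridge. The router's IP firewall only processes packets the router routes, so neither the dstnat nor the srcnat rule ever sees that traffic (bridge use-ip-firewall is off by default). For the router to remap the port, the name has to resolve to an address on the router, and a hairpin srcnat rule is then needed so the server's reply goes back through the router instead of directly to the client. Assumed addresses, not from the thread: router 192.168.88.1 on interface bridge, docker host 192.168.88.10 publishing GitLab on 8080/8443.

```routeros
# Added example, not from the thread. Assumed: router LAN address 192.168.88.1
# on "bridge", docker host 192.168.88.10 with GitLab published on 8080/8443.

# 1. Resolve the name to the ROUTER, not the server, so LAN clients actually
#    send their packets through the router, where the dstnat chain runs.
/ip dns static add name=docker.local address=192.168.88.1

# 2. Optional hardening: move webfig off port 80 and limit where it answers
#    from, so the management UI is not what answers on the name if the NAT
#    rule is ever disabled.
/ip service set www port=8081 address=192.168.88.0/24

# 3. Port remap. dst-address= pins the rules to the router's LAN address; a
#    rule matching only dst-port=80, as in the first post, would also catch
#    traffic arriving on a public address and publish GitLab to the internet.
/ip firewall nat add chain=dstnat dst-address=192.168.88.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=8080 comment="gitlab http"
/ip firewall nat add chain=dstnat dst-address=192.168.88.1 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=8443 comment="gitlab https"

# 4. Hairpin. srcnat runs after dst-nat, so match the translated destination.
#    Without this the server answers the client directly from port 8080, the
#    client expects the reply from 192.168.88.1:80, and the connection is reset.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=8080,8443 action=masquerade comment="gitlab hairpin"

# 5. Check: browse http://docker.local/ and confirm the rule counters move.
/ip firewall nat print stats where comment~"gitlab"
```

If the counters in step 5 stay at zero, the browser is not going through the router at all (usually a cached DNS answer still pointing at the server). Because of the masquerade, the server sees every hairpinned LAN client as 192.168.88.1, so GitLab's access log loses the real client address for LAN traffic; external clients are unaffected. GitLab builds absolute links and its HTTP-to-HTTPS redirect from its external_url setting, so that should match what clients actually type (http://docker.local with this remap), which is the point Amm0 makes about the redirect.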
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Hosting gitlab docker and forwarding ports

Mon Jun 05, 2023 10:18 pm

> The container IP in Mikrotik do use the EXPOSE or anything from docker-compose – all ports are mapped automatically to the container's IP. So the yeah the port 80 would work ;).

Yeah, I also do not understand why it is a problem having the service in the container on standard ports, unless there is another service in the same container on those ports.
 
simplyDuck
just joined
Topic Author
Posts: 7
Joined: Fri May 26, 2023 11:14 pm

Re: Hosting gitlab docker and forwarding ports

Tue Jun 06, 2023 10:53 am

> What I want to do is making redirection on the router instead of doing that in docker compose, I don't want to host it on port 80(but just checked it and it worked - so it's workaround in case).
> Router cannot do HTTP redirect, you will need web server / reverse HTTP proxy for that like nginx.

But if MikroTik can create local DNS so I can use the gitlab.local name, what's the problem with also redirecting the port?

I'm doing similar stuff using MikroTik with my global IP address: when I receive a request from the outside world on port 80 I redirect it to port xxxx of another machine; I needed to use hairpin for this.

But with local DNS I'm missing something (hairpin, as Amm0 mentioned, didn't work in this case), I don't know why.
In the attachment you can see my settings for the global redirection mentioned above (hairpin); action is set to masquerade.


> Yeah, I do not also understand why is problem having service in container with standard ports unless there is other service in same container on that ports

It's the problem. I wanted to run 2 dockers and they both use port 80; that's why first I need to take care of gitlab.local.

Unfortunately, restarting my server remotely didn't work; I will run it by hand and try your suggestions on Wednesday or Thursday.
Thanks for help :-)
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hosting gitlab docker and forwarding ports

Tue Jun 06, 2023 11:51 am

> Router cannot do HTTP redirect, you will need web server / reverse HTTP proxy for that like nginx.
> But if mikrotik can create local dns, so I can use gitlab.local name, what's the problem with also redirecting the port?
> [...]
> It's the problem. I wanted to run 2 dockers and they both are using port 80, that's why firstly I need to take care of gitlab.local

Basically optio is right: if you have 2 dockers that both want to listen on port 80 using the router's IP, you need a 3rd container with an HTTP reverse proxy. The DNS server alone cannot fix this problem – it just resolves the name to an IP address, not the port. You need something to look at the incoming HTTP host headers to redirect based on that.

PERHAPS, and only if you were only dealing with HTTPS – not HTTP... you might be able to cheat this, but I'm unsure. If you created/installed an SSL[/TLS] certificate with the DNS name (e.g. gitlab.local) for your container, it's possible a mangle rule with tls-host=gitlab.local action=route might work. The tls-host= matcher will look at the certificate flowing through the firewall, BUT only in mangle (NOT NAT)... now if you set route= to the container (which is allowed in mangle) & the container remained listening on 443 (with a cert), this might work:
/ip firewall mangle add chain=prerouting dst-port=443 protocol=tcp route-dst=<containerIP> tls-host=gitlab.local action=route
But I've never tried this. And I really think a 3rd container with nginx as a reverse proxy would be more straightforward, and flexible.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Hosting gitlab docker and forwarding ports

Tue Jun 06, 2023 12:45 pm

The proper setup for this would be, imho:
  • on both containers run the http service on ports 80 and 443
  • create a 3rd container with a reverse proxy on ports 80 and 443 (e.g. nginx), since the ROS web server doesn't have such a feature (it would be nice to have), and set up virtual hosts (server blocks) to forward to the IP and port 80 or 443 of a container depending on which host.domain is in the HTTP request URL
  • change the www service port in ROS to something other than 80
  • create a dstnat rule for ports 80 and 443 to the reverse proxy container IP
  • for external access set up a different host.domain for each service in a container on your authoritative DNS (or some dyndns service if you don't have DNS) for your public IP, which will be handled by the reverse proxy
  • set up hairpin NAT for 80 and 443 to the reverse proxy IP so that you can access it over the public host.domain inside the LAN
  • for internal access over a local domain set up static DNS records in the ROS DNS with the local host.domain resolving to the http service containers' IPs
Then access to the services should work with URLs like: http(s)://container1.local, http(s)://container2.local or http(s)://container1.public.domain, http(s)://container2.public.domain
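The router side of the list above, as an added RouterOS example that is not from the thread (the nginx server blocks themselves live on the proxy host and are not shown). Everything here is assumed: LAN 192.168.88.0/24 on interface bridge, reverse proxy at 192.168.88.20 listening on 80/443, WAN interfaces in the interface list WAN, public address 203.0.113.10 (documentation range; the public DNS records for both names point there and are managed elsewhere), and gitlab.example.com / app2.example.com as placeholder names. It also assumes the usual accept rule for established,related connections already sits at the top of the forward chain.

```routeros
# Added example, router side only. Assumed: reverse proxy 192.168.88.20,
# LAN 192.168.88.0/24 on "bridge", WAN interfaces in list "WAN",
# public address 203.0.113.10, placeholder names gitlab.example.com / app2.example.com.

# 1. Inside the LAN, resolve the public names straight to the proxy: LAN
#    clients then reach it on 80/443 with no NAT involved at all.
/ip dns static add name=gitlab.example.com address=192.168.88.20
/ip dns static add name=app2.example.com address=192.168.88.20

# 2. Publish only 80/443, only from the WAN, only to the proxy. GitLab's
#    8080/8443 and the router's own services are never reachable from outside.
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.88.20 comment="proxy publish"

# 3. Hairpin for LAN clients that still use the public address (cached public
#    DNS answer, hard-coded IP): dst-nat on the public address plus masquerade
#    so the proxy's reply returns via the router instead of directly.
/ip firewall nat add chain=dstnat in-interface=bridge dst-address=203.0.113.10 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.88.20 comment="proxy hairpin"
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.20 protocol=tcp dst-port=80,443 action=masquerade comment="proxy hairpin"

# 4. Filter: admit the published ports to the proxy and nothing else from the
#    WAN into the LAN. Use place-before= if a default "drop !dstnat" rule exists.
/ip firewall filter add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=dstnat protocol=tcp dst-address=192.168.88.20 dst-port=80,443 action=accept comment="proxy in"
/ip firewall filter add chain=forward in-interface-list=WAN connection-state=new action=drop comment="drop other WAN->LAN"
```

Two practical checks. First, after `/ip firewall nat print stats`, only the "proxy publish" counters should move when you hit the public name from outside, and only the "proxy hairpin" pair when you hit the public address from the LAN; a LAN client using the static DNS names should move neither. Second, dst-nat leaves the source address alone, so the proxy logs real addresses for internet clients and can pass them on in X-Forwarded-For, but every hairpinned LAN connection arrives from 192.168.88.1 because of the masquerade, which is worth remembering when reading the proxy's access log during an incident.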
 
simplyDuck
just joined
Topic Author
Posts: 7
Joined: Fri May 26, 2023 11:14 pm

Re: Hosting gitlab docker and forwarding ports

Fri Jun 09, 2023 10:48 am

Thanks again for your responses. I tried your suggestions yesterday, except for the last 2 posts. Reading them, I understood that it would be easier if I lowered the difficulty level.

So I hosted create-react-app on port 3000. It's just a simple application with one page. I can access it through the IP address 192.168.xxx.xxx:3000 or the DNS name gitlab.docker:3000.
So now again I want to get rid of typing a port. It should be possible through MikroTik with port mapping, but it's not. I don't know why it's not working; I'm missing something.
I think I've done something like this on TP-Link routers in the past. I tried to use hairpin but it's still not working.

Avoiding docker and all that stuff should make it easier for me to understand how it works.
Do you know how to forward it through the router, not internally on the server (nginx)?
 
simplyDuck
just joined
Topic Author
Posts: 7
Joined: Fri May 26, 2023 11:14 pm

Re: Hosting gitlab docker and forwarding ports

Wed Jun 14, 2023 6:37 pm

As a conclusion, I can say that it's better to just stick with local DNS and set the necessary ports directly on the server using nginx or some similar tool.
Thank you for the help and suggestions.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hosting gitlab docker and forwarding ports

Thu Jun 15, 2023 2:35 am

> So now again I want to get rid of typing a port. It should be possible through mikrotik with port mapping, but it's not. Idk why it's not working, I'm missing something.
> I think I've done something like this on tp link routers in the past. I tried to use hairpin but still it's not working.

Perhaps the issue is simpler... Do you have the built-in web server (webfig/rest) enabled? You can check /ip/services and see if http and https are DISABLED. Otherwise... the MikroTik is listening on ports 80 and 443, so RouterOS may have grabbed ports 80/443 from VETH. This would also affect the nginx container too, since it wants to listen on port 80 the same as GitLab, but might be blocked by webfig using it in /ip/services.

Otherwise, you have this right on the MikroTik config side: dst-nat for ports 80 and 443 to-addresses=<container-ip>.
