digitalocean / terraform-provider-digitalocean

Terraform DigitalOcean provider
https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs
Mozilla Public License 2.0

digitalocean_firewall blocks all ports #1162

Open joegasewicz opened 5 months ago

joegasewicz commented 5 months ago

Bug Report

I have created the following DigitalOcean Terraform config for a firewall to allow all traffic over HTTP/HTTPS, SSH, etc. I was asked by DigitalOcean to add a firewall, as after a port scan they closed the port that my Redis instance was running on, since they mentioned this is a security risk.

This is my configuration -

This is the droplet

resource "digitalocean_droplet" "nottoboard-web" {
  image    = "docker-20-04"
  name     = "nottoboard-web"
  region   = "lon1"
  size     = "s-1vcpu-1gb"
  ssh_keys = [
    data.digitalocean_ssh_key.macos.id
  ]

  volume_ids = [digitalocean_volume.notto-media-1.id]

  connection {
    host        = self.ipv4_address
    user        = "root"
    type        = "ssh"
    private_key = file(var.pvt_key)
    timeout     = "2m"
  }
 ... etc
}

This is the firewall

resource "digitalocean_firewall" "nottoboard-web" {
  name = "nottoboard-web-firewall"

  droplet_ids = [digitalocean_droplet.nottoboard-web.id]

  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "2002:1:2::/48"]
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "443"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

}

I have a docker-compose stack that runs inside the droplet; it works until I add the firewall. One of the containers in the stack is an nginx image, with the following config -

client_max_body_size 20M;

upstream django {
    server main_app:8001;
}

server {

    listen 80;
    server_name nottoboard.com www.nottoboard.com;

    location / {
        proxy_pass http://django;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }

    location /static/ {
        alias /static/;
    }

    location /media/ {
        alias /media/;
    }
}

Describe the bug

After adding this firewall, I try to see the website in a browser with, for example, http://www.nottoboard.com/. Please note: I have currently turned the firewall off for this website until I can resolve this issue, so if you check this URL it will seem like it works.

With the firewall turned on I get a 502 Bad Gateway.

Affected Resource(s)

Expected Behavior

The website should be available over port 80 so that I can access the website from a browser.

Actual Behavior

The website responds with - 502 Bad Gateway

jmholla commented 1 month ago

I deleted my previous responses as I misunderstood DO's outbound firewall rules.

Does your 502 page mention nginx? If so, it isn't DO's firewall blocking inbound connections. I think your issue is your outbound ports. Are you sure your service isn't talking to services that aren't HTTP/HTTPS/DNS, or at least not on the expected port? Running tcpdump or ss without the firewalls will let you see what ports your server is attempting to reach out to.
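One way to do the inventory jmholla describes, as an added example that is not part of the issue or the provider: it reads `ss -tun`-style output (a constructed sample is embedded below in place of a real capture) and lists every peer protocol/port pair that the outbound rules in the firewall above would not allow, so the egress rules can be derived from what the droplet actually needs.

```shell
#!/bin/sh
# Added example, not from the issue or the provider: inventory the droplet's
# outbound connections (as jmholla suggests with `ss`) and report any
# protocol/port the firewall's outbound rules would not allow.

# Outbound rules from the firewall in the issue, as proto/port pairs
# (icmp is allowed too but never appears in ss output).
ALLOWED="tcp/443 tcp/80 udp/80 tcp/53 udp/53"

# Constructed sample in the shape of `ss -tun` output; on a real droplet
# pipe the output of `ss -tun`, run while the firewall is still off, instead.
SAMPLE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   ESTAB 0      0      10.0.0.5:43122     203.0.113.10:443
tcp   ESTAB 0      0      10.0.0.5:51004     198.51.100.7:6379
udp   ESTAB 0      0      10.0.0.5:40000     198.51.100.53:53
tcp   ESTAB 0      0      [2001:db8::5]:58010 [2001:db8::10]:5432
tcp   ESTAB 0      0      10.0.0.5:58011     203.0.113.10:443'

# Read ss lines on stdin; print each distinct peer proto/port not in ALLOWED.
uncovered_ports() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "ESTAB" {
            port = $6; sub(/.*:/, "", port)      # port after the last colon
            key = $1 "/" port                    # e.g. tcp/6379
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }' | sort
}

# Run the check over the embedded sample.
uncovered_from_sample() {
    printf '%s\n' "$SAMPLE" | uncovered_ports
}

uncovered_from_sample
```

Each line printed is an egress flow the firewall in the issue would drop; add a matching outbound_rule only for the ones the stack genuinely needs.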