Don't show ports that are bound only to localhost

[rfay]

Bug description

When an application binds to a port on localhost only, as opposed to 0.0.0.0, there's no way that gitpod is going to be able to proxy it, so it might as well be ignored. AFAICT gitpod only proxies ports that are bound on all interfaces.

DrupalPod and ddev-gitpod use ddev, which for security reasons binds a number of ports to localhost only. In the context of Gitpod, there's no reason for Gitpod to even recognize these or point them out to end users, because they're not proxied by gitpod even though they're shown as ports.

Steps to reproduce

As a silly example,

• open https://gitpod.io/#https://github.com/rfay/testtables
• install netcat, sudo apt-get install -y netcat
• nc -l localhost 8888

A "Service is available on port 8888" popup will happen, and this port will be shown in the ports list.

But gitpod isn't going to be able to do anything with it, and the user isn't going to be able to do anything with it, because it's bound explicitly to localhost.

If we were to nc -l 0.0.0.0 8888 that would be entirely different, and gitpod and the user could do something with it (although usually only http works, but that's a different conversation).

Would it be possible to detect only listeners that actually matter, that can be proxied?

Expected behavior

Ports that gitpod can't do anything with can't be shown

Example repository

Above

Anything else?

No response

[shaal]

+1 for getting this resolved. The panel that displays all the ports available should only show ports that can actually be previewed or opened on a browser, otherwise it adds confusion.

[akosyakov]

It is by design. We auto proxy and auto expose localhost ports privately. You can start any service on localhost, click open in browser, see that you can access it via exposed URL. If we won’t do it it will introduce a lot friction since each project has to be reconfigured to bound on 0.0.0.0. In fact that’s there we started.

[akosyakov]

If you have some known ports or port ranges which don’t serve http then you can list them as ignored in .gitpod.yml to avoid notifications. Please see more about ports: https://www.gitpod.io/docs/config-ports

[rfay]

Sorry for the slow response... but

It is by design. We auto proxy and auto expose localhost ports privately

As far as I can tell a port that is bound only to the localhost network interface is unusable in Gitpod, and is not in fact proxied, and you cannot use it on the the exposed URL. My assumption here was that that was by design. I recommend that you either make it actually proxy http services that are bound only to localhost, or make it ignore services that are bound only to localhost. (It could be used via curl, of course, in the terminal, but there's no way to use it otherwise in a proxied situation.)

For our application (DrupalPod/ddev-gitpod) we have added a feature to bind on all interfaces, even that's not normal, to work around this.

[svenefftinge]

@akosyakov don't we forward also those services to localhost when tunneling through the local app?

[akosyakov]

We do tunnel.

[rfay]

I confirm that if I run php -S localhost:8888 in gitpod, the port is opened and properly proxied.

I guess the issue is this doesn't seem to be true with docker binding on localhost only?

[rfay]

Ah, it's when docker binds to localhost.

Try this in a gitpod session. it just runs a php self-contained webserver.

echo "hi there, I'm bound to all interfaces" > index.html
docker run  --name=all_interfaces -v $PWD:/var/www/html -w /var/www/html -p 8888:8888 -d php -S 0.0.0.0:8888
curl localhost:8888
docker rm -f all_interfaces

You get hi there, I'm bound to all interfaces

Now try the same thing with docker binding to localhost only:

echo "hi there, I'm bound to localhost only" > index.html
docker run  --name=localhost_only -v $PWD:/var/www/html -w /var/www/html -p 127.0.0.1:8888:8888 -d php -S 0.0.0.0:8888
curl localhost:8888

You get curl: (56) Recv failure: Connection reset by peer

Note that in both of these cases, port 8888 is shown as available in gitpod, and it's happy to open a browser on it... which of course doesn't work in the localhost-only bound case.

[svenefftinge]

I think we should not just skip such ports but instead tell users that it cannot be exposed. @akosyakov is this doable and how hard would it be to detect such ports and show users that these port?

[rfay]

They should either be usable or be skipped. Making them usable would be a fine thing.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[shaal]

Please add meta: never stale to this issue