rommapp / romm

A beautiful, powerful, self-hosted rom manager
https://romm.app
GNU Affero General Public License v3.0

[Bug] Traefik port autodiscovery attached to internal redis instead of exposed port. #887

Closed DarkSirrush closed 3 months ago

DarkSirrush commented 3 months ago

RomM version: rommapp/romm:latest

Describe the bug: When relying on Traefik's port autodiscovery, Traefik incorrectly finds the redis port (6379) instead of the exposed port (8080).

This was tested using both the 'Ports' and the 'Expose' options for docker-compose.

To Reproduce: Steps to reproduce the behavior:

  1. Set port in Docker-Compose
  2. Allow Traefik to auto-discover port instead of explicitly setting the correct port
  3. Navigate to URL set by the reverse-proxy
  4. See Redis error stating possible SECURITY ATTACK

services:
  romm:
    container_name: romm
    image: rommapp/romm:latest
    hostname: romm
    restart: unless-stopped
    # ports:
    expose:
      - "8080"
    environment:
      TZ: Canada/Pacific
      DB_HOST: 172.32.0.73
      DB_NAME: ***
      DB_USER: ***
      DB_PASSWD: ***
      ROMM_HOST: https://romm.redacted.com
      IGDB_CLIENT_ID: ***
      IGDB_CLIENT_SECRET: ***
      ROMM_AUTH_SECRET_KEY: ***
      ROMM_AUTH_USERNAME: ***
      ROMM_AUTH_PASSWORD: ***
    volumes:
      - '/dockerconfig/config/romm:/romm/config'
      - '/dockerconfig/config/romm/redis:/redis-data'
      - '/storage/romm/:/romm' 
    depends_on:
     - romm-db
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.romm.middlewares=authwares@file"
     #  - "traefik.http.services.romm.loadbalancer.server.port=8080"
    networks:
      proxied:
        ipv4_address: '172.32.0.21' 

  romm-db:
    image: mariadb:latest
    container_name: romm-db
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ***
      MYSQL_DATABASE: ***
      MYSQL_USER: ***
      MYSQL_PASSWORD: ***
    volumes:
      - '/dockerconfig/config/romm/sql:/var/lib/mysql'
    labels:
      - "traefik.enable=false"
    networks:
      proxied:
        ipv4_address: '172.32.0.73'

Expected behavior: For the reverse proxy to use the user-exposed port of 8080, instead of the application exposed port of 6379.

Desktop (please complete the following information): N/A

Smartphone (please complete the following information): N/A

Additional context: Manually setting the correct port with Traefik works, but should not be necessary. I suspect that the method of using internal (non-user-configured) Docker containers confuses Traefik with regard to which port is actually exposed.

DarkSirrush commented 3 months ago

Please note this report is in large part so that anyone else confused can see the issue/fix for reference.

gantoine commented 3 months ago

So what's interesting here is that Traefik is supposed to use the first exposed port when none is defined in the docker-compose. In our case this is 8080 in the Dockerfile:

# Expose ports and start
EXPOSE 8080
EXPOSE 6379/tcp

Exposed Ports: If no specific label is set, Traefik will look at the ports exposed by the container. It will use the first exposed port it finds. In Docker, this is typically defined in the EXPOSE directive in the Dockerfile or through the --expose option in the run command.

Default Behavior: If multiple ports are exposed and no specific label is provided, Traefik will generally pick the first exposed port listed in the container metadata.
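
A check for the condition discussed in this thread, added here as an example and not part of the issue, RomM or Traefik: it reads `docker inspect` JSON and lists containers that Traefik would route, that expose more than one port, and that carry no `traefik.http.services.<name>.loadbalancer.server.port` label. The `audit` function, the sample data and the `romm-pinned` container are hypothetical; `exposed_by_default` is assumed to mirror the Traefik Docker provider's `exposedByDefault` setting.

```python
import json
import re

# Label that pins the backend port, as in the commented-out line of the compose file above.
PORT_LABEL = re.compile(r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port$")

# Constructed sample in the shape of `docker inspect` output (not captured from a real host).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/romm",
     "Config": {"ExposedPorts": {"8080/tcp": {}, "6379/tcp": {}},
                "Labels": {"traefik.enable": "true",
                           "traefik.http.routers.romm.middlewares": "authwares@file"}}},
    {"Name": "/romm-pinned",
     "Config": {"ExposedPorts": {"8080/tcp": {}, "6379/tcp": {}},
                "Labels": {"traefik.enable": "true",
                           "traefik.http.services.romm.loadbalancer.server.port": "8080"}}},
    {"Name": "/romm-db",
     "Config": {"ExposedPorts": {"3306/tcp": {}},
                "Labels": {"traefik.enable": "false"}}},
])


def audit(inspect_json, exposed_by_default=True):
    """Return (container, exposed_ports) for routed containers with an unpinned, ambiguous port."""
    findings = []
    for container in json.loads(inspect_json):
        cfg = container.get("Config") or {}
        labels = cfg.get("Labels") or {}
        enable = labels.get("traefik.enable")
        routed = exposed_by_default if enable is None else enable.lower() == "true"
        if not routed:
            continue  # Traefik ignores this container
        if any(PORT_LABEL.match(key) for key in labels):
            continue  # backend port is set explicitly, nothing is left to autodiscovery
        # ExposedPorts keys look like "8080/tcp"; keep only the numeric part.
        exposed = sorted(int(p.split("/")[0]) for p in (cfg.get("ExposedPorts") or {}))
        if len(exposed) > 1:
            findings.append((container["Name"].lstrip("/"), exposed))
    return findings


if __name__ == "__main__":
    for name, ports in audit(SAMPLE_INSPECT):
        print(f"{name}: no loadbalancer.server.port label, exposed ports {ports}")
```

On a real host the input would come from `docker inspect $(docker ps -q)`.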