docker, iptables and cloudflare

Question

I have the same problem that was solved here, trying to create iptables rules that block incoming HTTP/HTTPS traffic except for IPs other than Cloudflare. Docker container accessible only via Cloudflare CDN (selected ip ranges)

This works great except for one problem. My docker services include an SPA (served by Nginx) and an app server. My Nginx configuration performs a proxy_pass which is blocked by my iptables rules. When I don't have the rules, the proxy_pass works.

My nginx.conf:

location @proxy_to_app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    # we don't want nginx trying to do something clever with
    # redirects, we set the Host: header above already.
    proxy_redirect off;
    proxy_pass http://app:80;
}

And my ip-tables for the DOCKER-USER chain:

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  -- !131.0.72.0/22        anywhere            
ACCEPT     all  -- !172.64.0.0/13        anywhere            
ACCEPT     all  -- !104.24.0.0/14        anywhere            
ACCEPT     all  -- !104.16.0.0/13        anywhere            
ACCEPT     all  -- !162.158.0.0/15       anywhere            
ACCEPT     all  -- !198.41.128.0/17      anywhere            
ACCEPT     all  -- !197.234.240.0/22     anywhere            
ACCEPT     all  -- !188.114.96.0/20      anywhere            
ACCEPT     all  -- !190.93.240.0/20      anywhere            
ACCEPT     all  -- !108.162.192.0/18     anywhere            
ACCEPT     all  -- !141.101.64.0/18      anywhere            
ACCEPT     all  -- !103.31.4.0/22        anywhere            
ACCEPT     all  -- !103.22.200.0/22      anywhere            
ACCEPT     all  -- !103.21.244.0/22      anywhere            
ACCEPT     all  -- !173.245.48.0/20      anywhere            
DROP       tcp  --  anywhere             anywhere             multiport dports http,https

I feel like I need just one more iptables rule to keep iptables from blocking the internal proxy traffic, but have not figured it out.

Answer 1

It depends on how nginx or the app see the requests (and by that I mean if they're originating from the Cloudflare ip ranges or from your docker environment or even the server where docker is running)

With the firewall rules disabled, inspect the docker logs and the nginx logs, see what ip ranges show in the logs. Based on that you can figure what firewall rules to apply.

Answer 2

I have also similar issue. Since app is running on port 80/tcp. The iptables checks the originating IP and it is private IP of docker and not from cloudflare leading to dropping the packets. Simply add subnet of docker0 like this:-

admin@ubuntu: $ sudo ip addr show dev docker0

3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:9e:a1:d1:ae brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

admin@ubuntu: $ sudo iptables -I DOCKER-USER -p tcp -i eth0 -m multiport --dports http,https -s 172.16.0.0/16 -j RETURN;