I've been at this for 2 days now and can't wrap my head around it.
I have installed Docker on my server running WHM. Within Docker I have installed listmonk.app.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0eb46a14e3c2 listmonk/listmonk:latest "./listmonk" 20 hours ago Up 9 minutes 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp listmonk_app
43b308157ebe postgres:13-alpine "docker-entrypoint.s…" 20 hours ago Up 9 minutes (healthy) 0.0.0.0:9432->5432/tcp, :::9432->5432/tcp listmonk_db
Next up, I installed a Cloudflare Tunnel to allow access via https://listmonk.ygprodeck.com
to http://localhost:9000
.
This works until I installed ConfigServer Security and Firewall (CSF) on the server. Port 9000 is blocked in this (not added via TCP_IN
or TCP_OUT
) which is what I would want but now my Cloudflare Tunnel cannot connect to the docker container as it times out.
On the server, I ran curl -v http://127.0.0.1:9000
* Rebuilt URL to: http://127.0.0.1:9000/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:9000
> User-Agent: curl/7.61.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
Disabling CSF fixes the issue, but then these ports are exposed, which is what I am trying to avoid.
Yesterday, Instead of using CloudFlare Tunnel, I used an Apache Reverse Proxy with basically the same end result.
Additionally, I attempted to add docker0
to ETH_DEVICE_SKIP
which just opens port 9000 externally to the world (I believe this just causes it to skip the firewall rules altogether).
I found a Stack question that could possibly be similar but I am not overly familiar with Docker. With listmonk.app, I used the easy production install.
docker-compose.yml:
version: "3.7"
x-app-defaults: &app-defaults
restart: unless-stopped
image: listmonk/listmonk:latest
ports:
- "9000:9000"
networks:
- listmonk
environment:
- TZ=Etc/UTC
x-db-defaults: &db-defaults
image: postgres:13-alpine
ports:
networks:
- listmonk
environment:
- POSTGRES_PASSWORD=<REMOVED>
- POSTGRES_USER=<REMOVED>
- POSTGRES_DB=<REMOVED>
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -U listmonk"]
interval: 10s
timeout: 5s
retries: 6
services:
db:
<<: *db-defaults
container_name: listmonk_db
volumes:
- type: volume
source: listmonk-data
target: /var/lib/postgresql/data
app:
<<: *app-defaults
container_name: listmonk_app
depends_on:
- db
volumes:
- ./config.toml:/listmonk/config.toml
demo-db:
container_name: listmonk_demo_db
<<: *db-defaults
demo-app:
<<: *app-defaults
container_name: listmonk_demo_app
command: [sh, -c, "yes | ./listmonk --install --config config-demo.toml && ./listmonk --config config-demo.toml"]
depends_on:
- demo-db
networks:
listmonk:
volumes:
listmonk-data:
I will also include the listmonk.app config.toml file but I think that mostly needs to be kept as is:
[app]
# Interface and port where the app will run its webserver. The default value
# of localhost will only listen to connections from the current machine. To
# listen on all interfaces use '0.0.0.0'. To listen on the default web address
# port, use port 80 (this will require running with elevated permissions).
address = "0.0.0.0:9000"
# BasicAuth authentication for the admin dashboard. This will eventually
# be replaced with a better multi-user, role-based authentication system.
# IMPORTANT: Leave both values empty to disable authentication on admin
# only where an external authentication is already setup.
admin_username = "<REMOVED>"
admin_password = "<REMOVED>"
# Database.
[db]
host = "listmonk_db"
port = 5432
user = "<REMOVED>"
password = "<REMOVED>"
# Ensure that this database has been created in Postgres.
database = "listmonk"
ssl_mode = "disable"
max_open = 25
max_idle = 25
max_lifetime = "300s"
# Optional space separated Postgres DSN params. eg: "application_name=listmonk gssencmode=disable"
params = ""
Docker and Cloudflare Tunnel client
You did not mention how you deployed the Cloudflare Tunnel client. As you already deployed
listmonk
via Docker, it only makes sense to do the same with the CF Tunnel client and use a shared Docker network for both services.With the following compose file, you add a CF Tunnel client to the existing docker network
listmonk
:The benefit is you don't need to expose
listmonk
service on0.0.0.0:9000
where your firewall can interfere. Also,0.0.0.0
meaning you're allowing remote connections. So you can get rid of:in the listmonk compose file.
(link to cloudflared Docker image on DockerHub)
What about Cloudflare Tunnel client and a Firewall?
From the documentation:
You only need to allow outbound connection on port
7844
: