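[Sharing a discovery] Docker port 10080 won't map

Today I was testing a docker-compose.yml file and ran into a very strange problem after mapping the express container's port to 10080.

docker-compose up -d ran normally with no errors, but the service simply could not be reached on port 10080.

Entering the container with docker exec and using curl to hit the port inside the container directly also worked fine.

I kept wondering whether something was wrong in the program. Unable to find a bug, I ended up trying things at random, and finally switching to another port, 49160, just worked.

I googled the keywords "port 10080" and only then discovered that Chrome has blocked port 10080.

Many other ports are blocked as well (see the link below).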

https://www.bleepingcomputer.com/news/security/google-chrome-blocks-port-10080-to-stop-nat-slipstreaming-attacks/

Google Chrome blocks port 10080 to stop NAT Slipstreaming attacks
By Lawrence Abrams
April 8, 2021 04:50 PM

Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent the ports from being abused in NAT Slipstreaming 2.0 attacks.

Last year, security researcher Samy Kamkar disclosed a new version of the NAT Slipstreaming vulnerability that allows scripts on malicious websites to bypass visitors’ NAT firewall and gain access to any TCP/UDP port on the visitor’s internal network.

Using these vulnerabilities, threat actors can perform a wide range of attacks, including modifying router configurations and gaining access to private network services.

[Image: Demonstration of a NAT Slipstreaming 2.0 attack]

As this vulnerability only works on specific ports monitored by a router’s Application Level Gateway (ALG), browser developers have been blocking vulnerable ports that do not receive a lot of traffic.

Currently, Google Chrome is blocking FTP, HTTP, and HTTPS access on ports 69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, and 6566.

Today, Google has stated that they intend to block TCP port 10080 in Chrome, which Firefox has already blocked since November 2020.

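I thought: if a browser is going to block ports, wouldn't it be friendlier to show some kind of notice?

Looking closely at Chrome's error page, there actually is a hint: ERR_UNSAFE_PORT. That hint is far too inconspicuous...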
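
A pre-deployment check for the situation described above, added here as an example and not part of the original post: it parses docker-compose short-syntax `ports:` entries and flags host ports that appear on the blocked list this page quotes. The function names and the sample entries are constructed for illustration, and Chrome's complete restricted-port list is longer than the ports named on this page.

```python
# Ports this page names as blocked by Chrome (the quoted list plus 10080).
# Chrome's complete restricted-port list is longer than this.
PAGE_BLOCKED_PORTS = {69, 137, 161, 554, 1719, 1720, 1723,
                      5060, 5061, 6566, 10080}


def host_ports(mapping):
    """Return the host TCP ports published by one short-syntax entry.

    Accepts "HOST:CONTAINER", "IP:HOST:CONTAINER", port ranges and an
    optional "/tcp" or "/udp" suffix.
    """
    spec, _, proto = str(mapping).strip().partition("/")
    if proto.lower() == "udp":
        return []  # the page describes the block for TCP ports only
    parts = spec.rsplit(":", 2)  # keeps a leading IPv4/IPv6 address whole
    if len(parts) < 2 or not parts[-2]:
        return []  # container port only: Docker picks an ephemeral host port
    low, _, high = parts[-2].partition("-")
    first = int(low)
    last = int(high) if high else first
    return list(range(first, last + 1))


def unsafe_mappings(mappings):
    """Map each offending entry to the blocked host ports it publishes."""
    found = {}
    for entry in mappings:
        hits = sorted(PAGE_BLOCKED_PORTS.intersection(host_ports(entry)))
        if hits:
            found[entry] = hits
    return found


if __name__ == "__main__":
    # Constructed sample of `ports:` entries from a docker-compose.yml.
    sample = ["10080:3000", "49160:3000",
              "127.0.0.1:5060-5062:5060-5062", "3000", "6566:6566/udp"]
    for entry, hits in unsafe_mappings(sample).items():
        print(f"{entry}: host port(s) {hits} would show ERR_UNSAFE_PORT in Chrome")
```

Running it against the mapping from the post flags `10080:3000` and leaves `49160:3000` alone, which matches the behaviour the author observed.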
