I have exactly same containers containing WordPress app on docker swarm. They are both on the same network.
The problem is that after WordPress installation when I send GET to first app curl -I $IP1 randomly I get response 301 with link to IP2...
The first question is - how the heck does one instance know about another? How can I debug what is the reason of such redirection?
And the main question is - how to fix it.
wordpress.yml
version: '3.5'
services:
db:
image: mysql:5.7
networks:
- proxynet
volumes:
- db-data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: changeme
MYSQL_DATABASE: wordpress
MYSQL_USER: wp
MYSQL_PASSWORD: changemetoo
deploy:
placement:
constraints:
- node.role == manager
word:
depends_on:
- db
image: wordpress
networks:
- proxynet
volumes:
- wp-content:/var/www/html
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_NAME: wordpress
WORDPRESS_DB_USER: wp
WORDPRESS_DB_PASSWORD: changemetoo
volumes:
db-data:
wp-content:
network.yml:
networks:
proxynet:
name: proxynet
part of wordpress log:
10.0.0.4 - - [25/Oct/2018:14:49:54 +0000] "HEAD / HTTP/1.1" 301 209 "-" "curl/7.35.0"
10.0.0.4 - - [25/Oct/2018:14:49:56 +0000] "HEAD / HTTP/1.1" 301 209 "-" "curl/7.35.0"
10.0.0.4 - - [25/Oct/2018:14:49:58 +0000] "HEAD / HTTP/1.1" 301 209 "-" "curl/7.35.0"
10.0.0.4 - - [25/Oct/2018:14:50:00 +0000] "HEAD / HTTP/1.1" 200 221 "-" "curl/7.35.0"
10.0.0.4 - - [25/Oct/2018:14:50:02 +0000] "HEAD / HTTP/1.1" 301 209 "-" "curl/7.35.0"
10.0.0.4 - - [25/Oct/2018:14:50:04 +0000] "HEAD / HTTP/1.1" 301 209 "-" "curl/7.35.0"
I thought there was a bug in docker and I have created issue there.
But it was not.
If anyone would have a problem similar to this one, there is splendid answer from #thaJeztah on github
Related
A curious question this time. Someone just made the following HTTP requests to my server:
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //xmlrpc.php?rsd HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET / HTTP/1.0" 200 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //web/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //website/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //news/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //2018/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //2019/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //test/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //media/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //site/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:02] "GET //cms/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:02] "GET //sito/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
Anyone any idea why someone would try this. I know it has something to do with WordPress (that I don't use/have installed anyway) But I still wonder why someone would try to make these requests.
Thx a lot,
Jules
P.S. The server says it comes from localhost but that is because it goes through Nginx
This is commonplace. Today more than 40% of the world's internet traffic are bots and 25% are malicious bots.
They are just bots that are constantly looking for possible security flaws in as many indexed domains as possible in order to compromise the site.
There are tools that can help you detect these requests and take action. For example fail2ban.
I'm running an e-commerce store on top of Wordpress/Woo-commerce and I'm wondering whether it's normal to have an almost non-stop GET request log in apache's access log.
My website is hosted on Amazon EC2 running on Wordpress Bitnami's image.
Here's part of the log:
172.31.33.229 - - [09/May/2020:14:18:10 +0000] "POST /wp-cron.php?doing_wp_cron=1589033890.9472939968109130859375 HTTP/1.1" 200 -
172.31.33.229 - - [09/May/2020:14:18:10 +0000] "GET /product-category/printable-templates/wedding-templates/wedding-invitation-templates?query_type_color=or&filter_color=bluebrowncoralgreenturquoise&product_orderby=rating HTTP/1.1" 301 -
172.31.33.229 - - [09/May/2020:14:18:11 +0000] "GET /product-category/printable-templates/wedding-templates/wedding-invitation-templates/?query_type_color=or&filter_color=bluebrowncoralgreenturquoise&product_orderby=rating HTTP/1.1" 200 17499
172.31.33.229 - - [09/May/2020:14:18:15 +0000] "GET /product-category/printable-templates/wedding-templates/wedding-invitation-templates?query_type_color=or&filter_color=purpleredturquoise&product_view=list&product_count=45 HTTP/1.1" 301 -
172.31.33.229 - - [09/May/2020:14:18:16 +0000] "GET /product-category/printable-templates/wedding-templates/wedding-invitation-templates/?query_type_color=or&filter_color=purpleredturquoise&product_view=list&product_count=45 HTTP/1.1" 200 17390
172.31.33.229 - - [09/May/2020:14:18:21 +0000] "GET /product-category/printable-templates/wedding-templates?query_type_color=or&filter_color=black%2Cblue%2Ccoral%2Cmagenta%2Corange%2Cpeach%2Cturquoise HTTP/1.1" 301 -
172.31.33.229 - - [09/May/2020:14:18:22 +0000] "GET / HTTP/1.1" 301 230
What's weird is that eventually, it logs 100% CPU usage causing my server to go frozen. If I restart the EC2 instance, everything will be back to normal again until after around more than 12hours on the average.
Note that 172.x.x.x is part of my subnet, I don't understand why I have this log.
Another clue would be in the top, what's eating my CPU is numerous entries of
php-fpm: pool wordpress.
The URL is https://templatesandvectors.com.
I am new to docker swarm and docker compose.
I built an application that uses a nginx and flask docker containers. nginx acts as a reverse proxy.
when I am building this entire application using docker compose everything works fine
my docker-compose.yml file
version: '2'
services:
web:
restart: always
build: ./web
image: shivanand3939/web
expose:
- "8000"
volumes:
- ./output:/usr/src/app/static
command: /usr/local/bin/gunicorn -w 2 -b :8000 --access-logfile - classifierv2RestEndPoint_ridge_NB:create_app()
nginx:
build: ./nginx/
image: shivanand3939/nginx
ports:
- "80:80"
volumes:
- /www/static
volumes_from:
- web
links:
- web:web
viz:
image: dockersamples/visualizer
ports:
- 8080:8080/tcp
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- "constraint=node.role==manager"
Below is my output:
however, now I want to take it to the next level by deploying it in 3 AWS instances
here is my docker-stack.yml file
version: '3'
networks:
mybridge:
services:
web:
restart: always
build: ./web
image: shivanand3939/web
expose:
- "8000"
volumes:
- ./output:/usr/src/app/static
command: /usr/local/bin/gunicorn -w 2 -b :8000 --access-logfile - classifierv2RestEndPoint_ridge_NB:create_app()
networks:
mybridge:
aliases:
- web
deploy:
replicas: 2
update_config:
parallelism: 2
delay: 10s
restart_policy:
condition: on-failure
nginx:
restart: always
build: ./nginx/
image: shivanand3939/nginx
ports:
- "80:80"
volumes:
- /www/static
networks:
- mybridge
deploy:
replicas: 1
update_config:
parallelism: 2
delay: 10s
restart_policy:
condition: on-failure
viz:
image: dockersamples/visualizer
ports:
- 8080:8080/tcp
volumes:
- /var/run/docker.sock:/var/run/docker.sock
deploy:
placement:
constraints: [node.role == manager]
But now when I deploy this application and check the URL I am getting this
[incorrect home page]
I am not understanding why in the first case there was communication between web and nginx containers but in the second case this communication is stopped.
Can anyone please guide me on this
UPDATE 1:
Upon looking at the nginx service logs I see,
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 2017/09/11 06:49:50 [error] 5#5: *10 "/usr/share/nginx/html/phpmyadmin2013/index.html" is not found (2: No such file or directory), client: 10.255.0.2, server: localhost, request: "HEAD http://35.154.66.136:80/phpmyadmin2013/ HTTP/1.1", host: "35.154.66.136"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 10.255.0.2 - - [11/Sep/2017:06:49:50 +0000] "HEAD http://35.154.66.136:80/phpmyadmin2014/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee" "-"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 2017/09/11 06:49:50 [error] 5#5: *10 "/usr/share/nginx/html/phpmyadmin2014/index.html" is not found (2: No such file or directory), client: 10.255.0.2, server: localhost, request: "HEAD http://35.154.66.136:80/phpmyadmin2014/ HTTP/1.1", host: "35.154.66.136"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 10.255.0.2 - - [11/Sep/2017:06:49:51 +0000] "HEAD http://35.154.66.136:80/phpmyadmin2016/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee" "-"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 2017/09/11 06:49:51 [error] 5#5: *16 "/usr/share/nginx/html/phpmyadmin2016/index.html" is not found (2: No such file or directory), client: 10.255.0.2, server: localhost, request: "HEAD http://35.154.66.136:80/phpmyadmin2016/ HTTP/1.1", host: "35.154.66.136"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 2017/09/11 06:49:52 [error] 5#5: *17 "/usr/share/nginx/html/phpmyadmin2017/index.html" is not found (2: No such file or directory), client: 10.255.0.2, server: localhost, request: "HEAD http://35.154.66.136:80/phpmyadmin2017/ HTTP/1.1", host: "35.154.66.136"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 10.255.0.2 - - [11/Sep/2017:06:49:52 +0000] "HEAD http://35.154.66.136:80/phpmyadmin2017/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee" "-"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 10.255.0.2 - - [11/Sep/2017:06:49:55 +0000] "HEAD http://35.154.66.136:80/phpmyadmin2018/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee" "-"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 2017/09/11 06:49:55 [error] 5#5: *18 "/usr/share/nginx/html/phpmyadmin2018/index.html" is not found (2: No such file or directory), client: 10.255.0.2, server: localhost, request: "HEAD http://35.154.66.136:80/phpmyadmin2018/ HTTP/1.1", host: "35.154.66.136"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 10.255.0.2 - - [11/Sep/2017:06:49:57 +0000] "HEAD http://35.154.66.136:80/phpmanager/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee" "-"
classifierbot_nginx.1.qhi4b9c1yc3n#ip-172-31-16-132 | 2017/09/11 06:49:57 [error] 5#5: *19 "/usr/share/nginx/html/phpmanager/index.html" is not found (2: No such file or directory), client: 10.255.0.2, server: localhost, request: "HEAD http://35.154.66.136:80/phpmanager/ HTTP/1.1", host: "35.154.66.136"
This is my docker-compose file:
version: '2'
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: wordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
wordpress:
depends_on:
- db
image: wordpress:latest
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_PASSWORD: wordpress
varnish:
image: eeacms/varnish
depends_on:
- wordpress
ports:
- 9000:6081
environment:
DNS_ENABLED: "true"
BACKENDS: wordpress
BACKENDS_PORT: 80
volumes:
db_data:
wordpress is running on 0.0.0.0:8080 and on 172.17.0.1:8080
But the /etc/hosts of varnish container is like this
root#4cc3dc214d69:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3 wordpress fd3f01c29d6a dockoor_wordpress_1
172.17.0.3 wordpress_1 fd3f01c29d6a dockoor_wordpress_1
172.17.0.3 dockoor_wordpress_1 fd3f01c29d6a
172.17.0.4 4cc3dc214d69
varnish is mapping wordpress to 172.17.0.3
That why while trying to access 0.0.0.0:8000 i get
Error 503 Backend fetch failed
Backend fetch failed
Guru Meditation:
XID: 3
Varnish cache server
Can someone please point out whats wrong with my compose file?
P.S docker-compose log shows that varnish do hit worpress but its getting a 302 response.
02 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:19 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:20 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:21 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:22 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:23 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:24 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:25 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:26 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:27 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:29 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:30 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:31 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:32 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:33 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:34 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:35 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:36 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:37 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:38 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:39 +0000] "G
Your link appears to be working as expected. 0.0.0.0 is not an IP address you connect to, that's a listener IP that tells the networking stack to listen on all interfaces rather than a specific IP on the host. In your case, all IP's includes 127.0.0.1 (loopback inside the container) and 172.17.0.3 (the IP reachable by other containers on that network.
Note that links are largely deprecated, it's preferred to configure the containers on a network (other than the default bridge) and use the built in DNS discovery. Similarly, compose version 1 file formats are also largely deprecated, you should consider upgrading to at least the version 2 compose file format. With that format, a network will be created by default for your containers to communicate.
Here's an example of your compose file in version 2 format:
version: '2'
services:
wordpress:
image: wordpress
ports:
- 8080:80
mysql:
image: mariadb
environment:
MYSQL_ROOT_PASSWORD: examplepass
varnish:
image: eeacms/varnish
ports:
- "8000:6081"
environment:
DNS_ENABLED: "true"
BACKENDS: "wordpress"
BACKENDS_PORT: 8080
The http 302 is a redirect, whatever you are running is able to see the url but isn't following the redirect or wordpress is not configured to give a correct redirect.
Update: The varnish error you are seeing is because you are probing / on the wordpress server which is responding with a 302 redirect. Varnish appears to need a 200 success code for the url it is probing. For that, you can add a variable like the following to your varnish environment:
BACKENDS_PROBE_URL: /wp-includes/js/jquery/jquery.js
I noticed that in my access logs these records are flooding. I'm not sure is this a brute force attack because the IP address is my server's IP.
How can I figure what's going on?
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
The Solution was to Create a mod_security rule to block such offending IP address.
Create file name “wpbrute.conf” in /usr/local/apache/conf/modsec_rules and add following to it.
SecRule REQUEST_LINE "POST .wp-login."
"pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:35011"
SecRule IP:MAXLIMIT "#gt 10" "log,deny,id:350111,msg:'wp-bruteforce:
denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
Open file /usr/local/apache/conf/modsec2.user.conf and add include path as below and save the file.
Include /usr/local/apache/conf/modsec_rules/wpbrute.conf
Now all the attacked to the “wp-login.php” should be stopped