All right, this is probably more of a “linux newbie” question than a “Diaspora support” question.
I set up Camo proxy on my pod and got it working just fine using these instructions.
However, now I have my server responding on port 8081, and even though I run Camo as a separate unprivileged user, I am still wondering if it is good practice. As I understand it, external clients connect to the web server's port 443 anyway, and then the web server upstreams some content to Camo internally.
upstream camo {
server 127.0.0.1:8081;
}
So I added these firewall rules to drop outside connections (XX.XX.XX.XX = the external IP):
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8081 -m state --state NEW -j ACCEPT
iptables -A INPUT -s XX.XX.XX.XX -p tcp --dport 8081 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -m state --state NEW -j DROP
As soon as I apply this firewall config, Camo breaks (images from sources other than my pod fail to load). I remove it and it works again. Am I missing something here?
So your first rule accepts all incoming TCP connections FROM localhost on destination port 8081, and only connections that are NEW.
Your second rule accepts all connections from your external IP with TCP destination port 8081 which are also NEW.
And your third rule drops all NEW TCP requests with a destination port of 8081.
Offhand I don’t see anything wrong with your firewall rules, except maybe that state. Do me a favor: remove one at a time and try to identify which one is mucking things up; we can move on from there. It could be either your second rule or your last rule (from my perspective).
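To make the first-match evaluation described above concrete, here is an added Python simulation (not code from this thread, from Camo or from Diaspora). It walks the three posted INPUT rules, in the order they were appended, over constructed sample packets; the external IP and the chain's default policy are assumed placeholders, since the thread shows neither.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample carrying only the fields the posted rules match on."""
    src: str
    dport: int
    proto: str = "tcp"
    state: str = "NEW"  # conntrack state: NEW or ESTABLISHED


# Placeholder for the XX.XX.XX.XX in the post (RFC 5737 documentation range).
EXTERNAL_IP = "203.0.113.10"

# The three rules from the question, in -A INPUT order. src=None means
# no -s was given, so the rule matches any source (the third rule).
INPUT_CHAIN = [
    {"src": "127.0.0.1", "dport": 8081, "state": "NEW", "target": "ACCEPT"},
    {"src": EXTERNAL_IP, "dport": 8081, "state": "NEW", "target": "ACCEPT"},
    {"src": None,        "dport": 8081, "state": "NEW", "target": "DROP"},
]


def matches(rule, pkt):
    """Every criterion the rule sets must match; all three rules are -p tcp."""
    if rule["src"] is not None and rule["src"] != pkt.src:
        return False
    return pkt.proto == "tcp" and rule["dport"] == pkt.dport and rule["state"] == pkt.state


def verdict(pkt, chain=INPUT_CHAIN, policy="ACCEPT"):
    """First matching rule wins; a packet no rule matches falls through to the
    chain's default policy (assumed here, the thread does not show it)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def walk(chain=INPUT_CHAIN, policy="ACCEPT"):
    """Verdict for each constructed sample packet arriving on INPUT."""
    samples = {
        "nginx upstream, loopback":  Packet("127.0.0.1", 8081),
        "random internet host":      Packet("198.51.100.7", 8081),
        "pod's own external IP":     Packet(EXTERNAL_IP, 8081),
        "reply to Camo's own fetch": Packet("198.51.100.7", 51234, state="ESTABLISHED"),
        "later packet, loopback":    Packet("127.0.0.1", 8081, state="ESTABLISHED"),
    }
    return {name: verdict(p, chain, policy) for name, p in samples.items()}


if __name__ == "__main__":
    for name, v in walk().items():
        print(f"{name:28s} -> {v}")
```

Note that only NEW packets ever hit the three rules: the ESTABLISHED samples are decided by the default policy alone, which is why a chain whose policy is DROP behaves very differently from one whose policy is ACCEPT.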
Hey, maybe I don’t understand the issue, but I am wondering why this is necessary.
My UFW configuration, printed below, seems to resolve the issue while at the same time blocking other stuff. That is, of course, unless I misunderstand the issue.
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    x.x.x.x
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)