Public Device URL stopped working. How to fix

We have had one of our nodes (running on a NUC-like device) up for some time with a public URL, but starting in the last day or two, this URL has stopped working. I tried rebooting but that did not help. I can access the local network IP address, and see that the server is up and running correctly.

Is this an issue on the back-end? Or is there a way to fix this on my side?

I get the following on the browser:

We encountered an error when reaching this balena.io device:

UUID 0597731cc3aaf9fd6496e184683f8f68

tunneling socket could not be established: socket hang up

One possible reason is because nothing is listening on port 80 on the device.

I am confirming the port 80 is still active

Ok, it seems one of my engineers did switch to redirecting to 443, which is why this is breaking. It is unfortunate that we are forced to leave port 80 open if we want to use this feature. Leaving port 80 is not best practice from a security standpoint.

@david-archsys

The public URL endpoint goes over a VPN to your device, so the 443 being closed shouldn’t affect this. Could you confirm that the device is showing as online, as this will help identify if the VPN is up and working.

I have confirmed that when I change my NGINX server config back to listening to port 80, it works.

@david-archsys is that the NGINX server within your service container? If so, then the public endpoint will only look at port 80 on the container. I thought you meant that your engineer switched something in your infrastructure which the device is connected to.

As long as port 80 is only exposed, and not host-bound (in the Dockerfile/compose.yml) then you shouldn’t be able to access it from the LAN but only from the public URL. Could you confirm that for me?

The NGINX configuration was redirecting to 443, but if I understand what you are saying, I should

  1. Add EXPOSE 80 to my NGINX Dockerfile
  2. Stop redirecting port 80 to 443 on the NGINX config file
  3. Remove any “80:80” from the NGINX ports section in my docker-compose.yml, leaving only the “443:443”

Will give it a try.

Exactly - so the container binds to the host port 443, not 80 - and the VPN-based public URL should allow access to the container's port 80. If not, let me know and I will find out if that is intended.
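
Added example, not part of the thread and not balena's code: a Python check for the "exposed vs host-bound" distinction discussed above. It parses the `ports:` entries of a compose service (Docker Compose short syntax) and reports which ones publish container port 80 on the host. The function names and the sample lists are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Binding(NamedTuple):
    host_ip: str               # "0.0.0.0" = every interface, LAN included
    host_port: Optional[str]   # None = Docker assigns an ephemeral host port
    container_port: str
    proto: str

def parse_port(entry: str) -> Binding:
    """Parse compose short syntax: [[IP:]HOST:]CONTAINER[/PROTO]."""
    spec, _, proto = str(entry).strip().partition("/")
    parts = spec.rsplit(":", 2)   # split from the right so "[::1]" stays whole
    host_ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
    host_port = parts[-2] if len(parts) >= 2 else ""
    return Binding(host_ip, host_port or None, parts[-1], proto or "tcp")

def covers(port_range: str, port: int) -> bool:
    """True if 'N' or 'N-M' includes the given port."""
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def host_published(ports: List[str], container_port: int = 80) -> List[Binding]:
    """Entries that publish TCP container_port on the host.

    EXPOSE in a Dockerfile and `expose:` in compose never appear here:
    they declare a port but do not bind it on the host.
    """
    return [b for b in map(parse_port, ports)
            if b.proto == "tcp" and covers(b.container_port, container_port)]

def lan_reachable(ports: List[str], container_port: int = 80) -> List[Binding]:
    """Published entries bound to a non-loopback host address."""
    return [b for b in host_published(ports, container_port)
            if not ipaddress.ip_address(b.host_ip).is_loopback]

if __name__ == "__main__":
    # Constructed sample: the ports section before and after step 3.
    before = ["80:80", "443:443"]
    after = ["443:443"]
    for name, ports in (("before", before), ("after", after)):
        hits = lan_reachable(ports)
        print(name, "-> port 80 host-bound:", hits if hits else "no")
```

A bare `"80"` entry is still reported: it publishes container port 80 on an ephemeral host port rather than leaving it unpublished.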