Docker port 10080 can't be mapped

2021-12-02 13:00:40 +08:00
 selfcreditgiving

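Today I was testing a docker-compose.yml file and ran into a very strange problem: I mapped the express container's port to 10080.

docker-compose up -d ran normally with no errors, but the service simply could not be reached on port 10080.

Using docker exec to get into the container and accessing the in-container port directly with curl also worked fine.

I kept wondering whether I had made a mistake somewhere in the program. Unable to find a bug, I just tried things at random, and finally, after switching to another port, 49160, it worked.

Googling the keywords "port 10080", I found out that Chrome has blocked port 10080.

The same goes for many other ports (see the link below).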

https://www.bleepingcomputer.com/news/security/google-chrome-blocks-port-10080-to-stop-nat-slipstreaming-attacks/

Google Chrome blocks port 10080 to stop NAT Slipstreaming attacks
By Lawrence Abrams, April 8, 2021, 04:50 PM

Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent the ports from being abused in NAT Slipstreaming 2.0 attacks.

Last year, security researcher Samy Kamkar disclosed a new version of the NAT Slipstreaming vulnerability that allows scripts on malicious websites to bypass visitors' NAT firewall and gain access to any TCP/UDP port on the visitor's internal network.

Using these vulnerabilities, threat actors can perform a wide range of attacks, including modifying router configurations and gaining access to private network services.

[Figure: Demonstration of a NAT Slipstreaming 2.0 attack]

As this vulnerability only works on specific ports monitored by a router's Application Level Gateway (ALG), browser developers have been blocking vulnerable ports that do not receive a lot of traffic.

Currently, Google Chrome is blocking FTP, HTTP, and HTTPS access on ports 69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, and 6566.

Today, Google has stated that they intend to block TCP port 10080 in Chrome, which Firefox has already blocked since November 2020.

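I wonder: if a browser is going to block a port, wouldn't it be friendlier to show some kind of notice?

Looking carefully at Chrome's error page, there actually is a hint: ERR_UNSAFE_PORT. That hint is far too inconspicuous...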

1438 clicks
Node: Docker
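
A pre-flight check for the problem described in this post, as an added example that is not part of the original thread: it reads compose short-syntax `ports:` entries and reports published host ports that appear in the blocked list quoted from the article. The `BLOCKED` set holds only the ports named in this thread (not Chrome's full list), and the function names and sample entries are constructed for illustration.

```python
# Ports the quoted article names as blocked in Chrome (a subset taken from
# this thread, not the browser's full restricted-port list).
BLOCKED = {69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, 6566, 10080}


def host_ports(mapping):
    """Return the TCP host ports published by one compose short-syntax entry.

    Accepts "HOST:CONTAINER", "IP:HOST:CONTAINER", ranges ("8000-8002:80-82")
    and an optional "/tcp" or "/udp" suffix. A bare "CONTAINER" entry gets an
    ephemeral host port from Docker, so nothing is returned for it.
    """
    spec, _, proto = str(mapping).strip().partition("/")
    if proto.lower() == "udp":       # the browser block concerns TCP access
        return []
    parts = spec.rsplit(":", 2)      # split from the right: a bind IP stays in parts[0]
    if len(parts) < 2 or not parts[-2]:
        return []                    # no explicit host port was requested
    lo, _, hi = parts[-2].partition("-")
    return list(range(int(lo), int(hi or lo) + 1))


def unsafe_mappings(mappings):
    """Pair each entry with every published host port a browser would refuse."""
    return [(m, p) for m in mappings for p in host_ports(m) if p in BLOCKED]


# Constructed sample: values as they would appear under a service's `ports:` key.
SAMPLE = [
    "10080:80",                 # the mapping from this post
    "127.0.0.1:49160:80/tcp",   # the port that worked
    "5058-5061:5058-5061",      # a range that overlaps two blocked ports
    "3000",                     # container port only, ephemeral host port
    "6566:6566/udp",            # UDP, not reachable from a browser tab anyway
]

if __name__ == "__main__":
    for mapping, port in unsafe_mappings(SAMPLE):
        print(f"{mapping}: host port {port} fails in Chrome with ERR_UNSAFE_PORT")
```
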
4 replies
ijrou
2021-12-02 13:33:00 +08:00
I think it's quite clear; after all, this is meant for developers: unsafe_port
CEBBCAT
2021-12-02 14:11:56 +08:00
This post is a bit low-effort.
cinhoo
2021-12-02 14:14:23 +08:00
This address is restricted

This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.

Firefox's message
selfcreditgiving
2021-12-02 15:52:07 +08:00
@CEBBCAT @ijrou

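Mapping port 80 to 10080 for testing is a very likely thing to do, isn't it?

If Chrome's hint is this inconspicuous, isn't that wasting my time? And the Chinese part of the message isn't right either: "网页暂时无法连接" ("The web page is temporarily unreachable") doesn't match the fact that the port was deliberately blocked by Chrome itself.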
