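Today I was testing a docker-compose.yml file and ran into a very strange problem: I mapped the express container's port to 10080.
docker-compose up -d ran normally with no errors, but the service simply could not be reached on port 10080.
Entering the container with docker exec and using curl to hit the port inside the container directly also worked fine.
I kept wondering whether the program was wrong somewhere. Later, unable to find a bug, I had no choice but to try things at random, and finally switching to another port, 49160, just worked.
Googling the keyword "port 10080", I found out that Chrome has blocked port 10080.
Many other ports are blocked as well. (See the link below.)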
Google Chrome blocks port 10080 to stop NAT Slipstreaming attacks
By Lawrence Abrams, April 8, 2021 04:50 PM
Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent the ports from being abused in NAT Slipstreaming 2.0 attacks.
Last year, security researcher Samy Kamkar disclosed a new version of the NAT Slipstreaming vulnerability that allows scripts on malicious websites to bypass visitors' NAT firewall and gain access to any TCP/UDP port on the visitor's internal network.
Using these vulnerabilities, threat actors can perform a wide range of attacks, including modifying router configurations and gaining access to private network services.
[Figure: Illustration of the NAT Slipstreaming 2.0 attack]
As this vulnerability only works on specific ports monitored by a router's Application Level Gateway (ALG), browser developers have been blocking vulnerable ports that do not receive a lot of traffic.
Currently, Google Chrome is blocking FTP, HTTP, and HTTPS access on ports 69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, and 6566.
Today, Google has stated that they intend to block TCP port 10080 in Chrome, which Firefox has already blocked since November 2020.
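I thought: if a browser is going to block ports, wouldn't it be friendlier to show some kind of notice?
Looking closely at Chrome's error page, there really is a notice: ERR_UNSAFE_PORT
That notice is far too inconspicuous...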
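A pre-deployment check for the situation in the post above, as an added example that is not part of the original thread: it scans the short-syntax ports: entries of a compose file and reports published host ports that browsers refuse. The blocked set holds only the ports named in the quoted article (not a browser's complete list), and the compose text is constructed sample input.

```python
import re

# Ports named in the article quoted above, plus 10080. Assumption: this is only
# the subset listed on this page, not a browser's complete restricted-port list.
BLOCKED = {69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, 6566, 10080}

# Constructed sample input (not from the original post).
SAMPLE = """\
services:
  web:
    ports:
      - "10080:8080"            # the mapping that failed in the post
      - "127.0.0.1:49160:8080"  # the mapping that worked
      - "5059-5061:5059-5061"
      - "69:69/udp"
      - "3000"
"""

def host_ports(spec):
    """Host-side TCP ports of one short-syntax entry [IP:]HOST:CONTAINER[/proto]."""
    spec, _, proto = spec.strip().strip("\"'").partition("/")
    if proto and proto.lower() != "tcp":
        return []                    # browser HTTP(S)/FTP requests only reach TCP ports
    parts = spec.rsplit(":", 2)      # right-split keeps a bracketed IPv6 host IP whole
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", parts[-2]) if len(parts) > 1 else None
    if not m:
        return []                    # container-only port, empty host port, or long syntax
    lo = int(m.group(1))
    return list(range(lo, int(m.group(2) or lo) + 1))

def find_blocked(compose_text):
    """Return (entry, port) pairs for list items under a ports: key that hit BLOCKED."""
    hits, in_ports = [], False
    for line in compose_text.splitlines():
        item = line.split(" #")[0].strip()   # drop trailing comments
        if not item:
            continue
        if item == "ports:":
            in_ports = True
        elif in_ports and item.startswith("- "):
            entry = item[2:].strip().strip("\"'")
            hits += [(entry, p) for p in host_ports(entry) if p in BLOCKED]
        else:
            in_ports = False                 # any other key ends the ports list
    return hits

if __name__ == "__main__":
    print(find_blocked(SAMPLE))
```

Long-syntax entries (target: / published:) are skipped by this line-based scan, so a file that uses them needs a real YAML parser.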
1
ijrou 2021-12-02 13:33:00 +08:00
I think it's quite clear; after all, this is meant for developers to see: unsafe_port
2
CEBBCAT 2021-12-02 14:11:56 +08:00
This post is a bit low-effort.
3
cinhoo 2021-12-02 14:14:23 +08:00
This address is restricted
This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.
(Firefox's message)
4
selfcreditgiving OP |