
Google Compute Engine App nothing listening on ports 80 and 443


My post is very similar to this one. I have a Docker container running a very simple node.js/express app listening on port 3000, running on a Google Compute Engine with http and https firewall rules enabled.

For some reason, however, no processes are listening on any public ports (443 and 80). When I type sudo netstat -tnlp tcp I get:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State       PID/Program name    
tcp        0      0 0.0.0.0:5355      0.0.0.0:*         LISTEN      288/systemd-resolve 
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      296/sshd            
tcp6       0      0 :::5355           :::*              LISTEN      288/systemd-resolve 
tcp6       0      0 :::3000           :::*              LISTEN      1216/node    

Also, when I run nmap <EXPOSED_IP> I get:

Not shown: 993 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
554/tcp  open   rtsp
3389/tcp closed ms-wbt-server
7070/tcp open   realserver

I am aware that nothing is listening on ports 443 or port 80, and I see my app is listening on port 3000, but I'm not sure how to change / map / expose that. I tried changing my docker-compose to:

...

ports:
  - "80:3000"
  - "443:3000"
  - "3000:3000"
...

But that didn't seem to work. I'm aware I'm not using docker-compose in the VM, so it makes sense that it doesn't make a difference. I read here I shouldn't expose public ports in a Dockerfile so that I can run multiple containers on a single VM instance, which makes sense. But I'm still not sure how to map 443 and 80 to my container. Any ideas?

UPDATE:

Per the Documentation:

You can only deploy one container for each VM instance. Consider Kubernetes Engine if you need to deploy multiple containers per VM instance. Contact the team if your use case requires you to deploy multiple containers on a Compute Engine instance.

It looks like I'm only allowed to run one container per VM anyway so maybe I'll try forwarding ports on my Dockerfile...


Solution

  • I finally figured it out. 🎉

    Turns out I was trying to manage ports from within the Dockerfile, which obviously does not control the host.

    So I included the answer from this post:

    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
    

    in the creation of my Google Compute Instance Template as such:

    --metadata startup-script="sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000"
    

    And then created an instance based off that template. Hooray for learning!
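An added example, not part of the original answer: the same redirect written as a script that can be run repeatedly, because `iptables -A` appends a duplicate rule every time it is run again without a reboot. It also validates the port arguments and checks that something is listening on the target port; the function names are hypothetical, and `eth0`, 80 and 3000 are the values from the answer.

```shell
#!/bin/sh
# Added example. eth0, 80 and 3000 are the values used in the answer above;
# the function names are hypothetical.

# valid_port N: succeed only for a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# has_listener PORT: read `netstat -tnl` output on stdin; succeed if a socket
# is in LISTEN state on PORT ("0.0.0.0:3000" for IPv4, ":::3000" for IPv6).
has_listener() {
    awk -v p="$1" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# ensure_redirect IFACE FROM TO: add the NAT rule unless an identical one is
# already installed (`iptables -C` exits 0 when the rule exists).
ensure_redirect() {
    valid_port "$2" && valid_port "$3" || { echo "bad port" >&2; return 2; }
    # --to-ports is the documented name of the option the answer writes as --to-port.
    set -- PREROUTING -i "$1" -p tcp --dport "$2" -j REDIRECT --to-ports "$3"
    if iptables -t nat -C "$@" 2>/dev/null; then
        echo "present"
    else
        iptables -t nat -A "$@" && echo "added"
    fi
}

# Usage (as root, e.g. from the startup script): sh redirect.sh apply
if [ "${1:-}" = "apply" ]; then
    netstat -tnl | has_listener 3000 ||
        echo "warning: nothing is listening on 3000 yet" >&2
    ensure_redirect eth0 80 3000
fi
```

The redirect only rewrites the destination port, so pointing 443 at the same listener would hand TLS traffic to an app that speaks plain HTTP on 3000.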