I was wondering which ports are available for me to use for Web apps and which ones are system specific or system reserved.
A basic outline of the way the website works is a user creates and account and a docker container is created, that container sits on a port.
So if I have 100 users I need to know if there is enough ports available or if I have to do a redisign.
Thanks for any help.
Usually web servers will listen on 80 (HTTP) or 443 (HTTPS), all users will connect on one port, browsers usually connect on one of the two ports I've mentioned.
Browsers usually connect to a website on port 80 or 443 by default, you can specify a custom port by a : then the port number after the host name if the server is using a custom port to serve the website.
for example a custom port would look like
http://stackoverflow.com:8080
where 8080 is the custom port.
For a list of the common ports used in applications. you can check this out.
To answer your question, if you're not running the application that listens on that specific port then you can use the port number for your use.
Port numbers range from 0 to 65535, but only port numbers 0 to 1023 are reserved for privileged services and designated as well-known ports.
The ephemeral port range is configurable, so you are not stuck with the defaults. There are tens of thousands, so if you have 100 users the number of ports should not be the breaking point, though the design of having a docker container for each users sounds odd to me.
I assume that your web server will front these containers so that the users don't connect directly to them? Allowing all those ports through the firewall would not be a good design!
Related
I have three tomcat containers running on different bridge networks with different subnet and gateway
For example:
container1 172.16.0.1 bridge1
container2 192.168.0.1 bridge2
container3 192.168.10.1 bridge3
These containers are running on different ports like 8081, 8082, 8083
Is there any way to run all three containers in same 8081?
If it is possible, how can I do it in docker.
You need to set-up a reverse proxy. As the name suggests, this is a proxy that works in an opposite way from the standard proxy. While standard proxy gets requests from internal network and serves them from external networks (internet), the reverse proxy gets requests from external network and serves them by fetching information from internal network.
There are multiple applications that can serve as a reverse proxy, but the most used are:
NginX
Apache
HAProxy mainly as a load-balancer
Envoy
Traefik
Majority of the reveres proxies can run as another container on your docker. Some of this tools are easy to start since there is ample amount of tutorials.
The reverse proxy is more than just exposing single port and forwarding traffic to back-end ports. The reverse proxy can manage and distribute the load (load balancing), can change the URI that is arriving from the client to a URI that the back-end understands (URL rewriting), can change the response form the back-end (content rewriting), etc.
Reverse HTTP/HTTP traffic
What you need to do to set a reverse proxy, assuming you have HTTP services, in your example is foloowing:
Decide which tool to use. As a beginner, I suggest NginX
Create a configuration file for the proxy which will take the requests from the port 80 and distribute to ports 8081, 8082, 8083. Since the containers are on different network, you will need to decide if you want to forward the traffic to their IP addresses (which I don't recommend since IP can change), or to publish the ports on the host and use the host IP. Another alternative is to run all of them on the same network.
Depending on the case, you need to setup the X-Forwarding-* flags and/or URL rewriting and content rewriting.
Run the container and publish the port 80 as 8080 (if you expose the containers on host, your 8081 will be already taken).
Reverse TCP/UDP traffic
If you have non-HTTP services (raw TCP or UDP services), then you can use HAProxy. Steps are same apart from the configuration step #2. The configuration is different due to non-HTTP nature of the traffic and you can find example in this SO
I am deploying a eureka server on a VM(say host external IP is a.b.c.d) as a docker image. Trying this in 2 ways.
1.I am running the docker image without explicit port mapping : docker run -p 8671 test/eureka-server
Then running docker ps command shows the port mapping as : 0.0.0.0:32769->8761/tcp
Try accessing the eureka server from outside of the VM with http://a.b.c.d:32769 , its not available.
2.I am running the docker image with explicit port mapping : docker run -p 8761:8761 test/eureka-server
Then running docker ps command shows the port mapping as : 0.0.0.0:8761->8761/tcp
Try accessing the eureka server from outside of the VM with http://a.b.c.d:8761 , its available.
Why in the first case the eureka server is not available from out side the host machine even if there is a random port(32769) assigned by docker.
Is it necessary to have explicit port mapping to have docker app available from external network ?
Since you're looking for access from the outside world to the host via the mapped port you'll need to ensure that the source traffic is allowed to reach that port on the host and given protocol. I'm not a network security specialist, but I'd suggest that opening up an entire range of ports simply because you don't know which port docker will pick would be a bad idea. If you can, I'd say pick a port and explicitly map it and ensure the firewall allows access to that port from the appropriate source address(es) e.g. ALLOW TCP/8671 in from 10.0.1.2/32 as an example - obviously your specific address range will vary on your network configuration. Docker compose may help you keep this consistent (as will other orchestration technologies like Kubernetes). In addition if you use cloud hosting services like AWS you may be able to leverage VPC security groups to help you whitelist source traffic to the port without knowing all possible source IP addresses ahead of time.
You either have the firewall blocking this port, or from wherever you are making the requests, for certain ports your outgoing traffic is disabled, so your requests never leave your machine.
Some companies do this. They leave port 80, 443, and couple of more for their intranet, and disable all other destination ports.
Can scalable group option on Bluemix container infrastructure work with protocols other than HTTP?
I created a simple TCP server, deployed in a single container on Bluemix and works fine. If I try to deploy it as a scalable group I can only assign HTTP port and it does not respond any more.
Is this a current limitation?
Thank you very much
If you are running a Cloud Foundry app you can only get port 80,433. However if you run a container you can bind to any port you want.
containers environment on Bluemix actually supports a limited list of TCP (not UDP) ports, and 9080 is contained in this list, so your server should work.
If you need any different port from the ones contained in this list you could always ask for the port being opened for your instance, through Bluemix support.
I've been doing some configuration, including releasing some ports, designating them to applications. I've seen so many applications want port 80. Can I ask what is so special with it? Why not port 90? 70?
Port 80 is the standard for HTTP which is the major networking protocol.
So if you have an URL like this (without any port number):
http://stackoverflow.com/questions/31242839/what-is-so-special-with-port-80/31242897#31242897
your browser will communicate with the webserver over port 80.
As #Glorfindel stated, port 80 is the standard for HTTP.
To elaborate - there are a number of fixed TCP, UDP ports "reserved" for different services from 1 - 1024. best practice is to use a port number larger than 1024 for non-standard traffic.
For instance, you might want both an IIS server and a tomcat server running on the same machine. you could issue 80 to one, and 8080 to another, or 8080 to one, and 8090 to another. (note that J2EE servers such as Tomcat, Glassfish, Weblogic, etc often default to 8080, which also defines as HTTP_alternate)
Also, in some operating systems, you need elevated privileges (administrator/root) to register a port below 1024, therefore you may want to use port 8080 in place of 80, for ease of use.
A further reading suggestion: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Note also that (historically at least) Skype, for instance used port 80 to listen on, since it open in many routers, etc.
Due to a virus in the system, one of our clients have made access to internet restricted in their server. We use two web services data on this server (both use a SOAP API).
The client company is asking me for the ports on the firewall they should leave open so we could be able to use those web services only. I'm not good at networks. So how can I get those information?
I need the port or any address from my two services so that they let them pass through the firewall.
I'm not sure I understand the question, but most web services receive connections on one of:
80 (http)
443 (https)
8080 (http)
Most firewalls client should be configured to allow outbound connections to these.
Server firewall MUST be configured to allow inbound connections on one of these (or some other pre-arranged non-standard port).
To work out what ports your existing web server is actually using:
how to investigate ports opened by a certain process in linux?
Its most likely, 80, 443, or 8080.