Hello:
I am trying to get microblog working under docker with a proxy server serving micropub at https://t.l.d/blog2. I have the proxy server set up and all links via /blog2 and the .well-known links are redirecting properly to the back end docker server.
However, I couldn't log into the instance. The admin link at the bottom of the page shown using /blog2/ didn't include the /blog2/ subpath.
I edited misc/docker-supervisord.conf between the config and docker-compose up steps. However, unlike in the docs, I had to:
make build
again to get it to take effect. I was able to verify that --root-path was not set before the build step by exec'ing into the container and catting /proc/[0-9]*/cmdline.
Once I rebuilt the image, I saw the change in the admin link to use the subpath.
So the docs need to be changed to require a rebuild after changing the docker-supervisord.conf.
Also I changed docker-compose to use:
ports:
- "127.0.0.1:8087:8000"
so that the docker port was not externally exposed and is bound only to the loopback IP. When using the:
trusted_hosts = ["*"]
you shouldn't permit any host on the local net to access the micropub instance in the docker container.
https://docs.docker.com/network/#published-ports
Sadly this isn't as good as one would want, but better than nothing as the attacker needs to figure out the internal network IP address used.
-- rouilj
My employers don't acknowledge my existence much less my opinions.
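
Added example, not part of the original post or of the project's code: a check that lists every published port in a compose file that is not bound to loopback, as the "127.0.0.1:8087:8000" binding above is. The sample compose text, its service and image names, and all port entries other than that one are constructed; only short-syntax `ports:` items are handled.

```python
import ipaddress

# Constructed sample compose file; service name and image are placeholders.
SAMPLE_COMPOSE = """\
services:
  web:
    image: example/app:latest
    ports:
      - "8000:8000"
      - "127.0.0.1:8087:8000"
      - "[::1]:8088:8000/tcp"
      - "0.0.0.0:8089:8000"
      - "192.0.2.10:8090:8000"
    volumes:
      - ./data:/app/data
"""

def host_ip(entry):
    """Return the host IP of a short-syntax port entry, or None if absent."""
    spec = entry.split("/", 1)[0]          # drop "/tcp" or "/udp"
    if spec.startswith("["):               # bracketed IPv6 host address
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None

def classify(entry):
    ip = host_ip(entry)
    if ip is None:
        return "all-interfaces"            # no host IP: Docker publishes on all interfaces by default
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    return "all-interfaces" if addr.is_unspecified else "specific-ip"

def port_entries(compose_text):
    """Yield items of every `ports:` list (line scan, no YAML parser)."""
    in_ports = False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if stripped == "ports:":
            in_ports = True
        elif in_ports and stripped.startswith("- "):
            yield stripped[2:].strip().strip("\"'")
        elif stripped:
            in_ports = False               # any other key ends the list

def audit(compose_text):
    """Return (entry, classification) for each binding not limited to loopback."""
    return [(e, c) for e in port_entries(compose_text)
            if (c := classify(e)) != "loopback"]
```

Calling `audit()` on the text of a docker-compose.yml returns an empty list when every published port is loopback-only.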