Docker Kong admin API is unreachable

3
votes

I've upgraded the Docker Kong image to the version 0.14.0 and it stopped responding to connections from outside the container:

$ curl 127.0.0.1:8001 --trace-ascii dump.txt

== Info: Rebuilt URL to: 127.0.0.1:8001/
== Info:   Trying 127.0.0.1...
== Info: Connected to 127.0.0.1 (127.0.0.1) port 8001 (#0)
=> Send header, 78 bytes (0x4e)
0000: GET / HTTP/1.1
0010: Host: 127.0.0.1:8001
0026: User-Agent: curl/7.47.0
003f: Accept: */*
004c: 
== Info: Recv failure: Connection reset by peer
== Info: Closing connection 0

The ports mapping is

0.0.0.0:8000-8001->8000-8001/tcp, 0.0.0.0:8443-8444->8443-8444/tcp

Everything is ok when trying to connect from inside the container:

/ # curl 127.0.0.1:8001
{"plugins":{"enabled_in_cluster":[], ...

Port 8000 is available from outside and inside the container. What can that be?

2
dockerkong

2 Answers

4
votes

I have encountered the same issue. The reason is the kong admin configuration set to loopback address by default. But I didn't modify the configuration file. Since Kong Docker Image providing an environment variable to expose the admin port.

KONG_ADMIN_LISTEN="0.0.0.0:8001, 0.0.0.0:8444 ssl"

This bind the admin port to the host machine port

2
votes

The problem was in the binding of the admin server to localhost in /usr/local/kong/nginx-kong.conf

server {
    server_name kong_admin;
    listen 127.0.0.1:8001;
    listen 127.0.0.1:8444 ssl;
...

I've added the following code into my custom entrypoint which removes this binding just before starting nginx:

echo "Remove the admin API localhost binding..."
sed -i "s|^\s*listen 127.0.0.1:8001;|listen 0.0.0.0:8001;|g" /usr/local/kong/nginx-kong.conf && \
sed -i "s|^\s*listen 127.0.0.1:8444 ssl;|listen 0.0.0.0:8444 ssl;|g" /usr/local/kong/nginx-kong.conf

echo "Starting nginx $PREFIX..."

exec /usr/local/openresty/nginx/sbin/nginx \
  -p $PREFIX \
  -c nginx.conf

Of course the admin ports must be closed in production some other way.