Merge pull request #3539 from dokku/3455-ufw-warn

Warn users when ufw is enabled
2025-12-29 00:25:08 +01:00 · 2019-05-12 07:14:15 -04:00
parent 3a5f68e4d1 4f23dd2dd6
commit acc2e84eda
2 changed files with 15 additions and 0 deletions
--- a/contrib/dokku-installer.py
+++ b/contrib/dokku-installer.py
@@ -37,6 +37,15 @@ if os.path.isfile(key_file):
    except subprocess.CalledProcessError:
        pass

+ufw_display = 'block'
+try:
+    command = "sudo ufw status"
+    ufw_output = subprocess.check_output(command, shell=True).strip()
+    if "inactive" in ufw_output:
+        ufw_display = 'none'
+except subprocess.CalledProcessError:
+    ufw_display = 'none'
+

 def check_boot():
    if 'onboot' not in sys.argv:
@@ -77,6 +86,7 @@ def check_boot():
 class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        content = PAGE.replace('{VERSION}', VERSION)
+        content = content.replace('{UFW_DISPLAY}', ufw_display)
        content = content.replace('{HOSTNAME}', hostname)
        content = content.replace('{AUTHORIZED_KEYS_LOCATION}', key_file)
        content = content.replace('{ADMIN_KEYS}', "\n".join(admin_keys))
@@ -294,6 +304,9 @@ PAGE = """
            <small class="form-text text-muted">When enabled, Nginx will be run on port 80 and proxy requests to apps based on hostname.</small>
            <small class="form-text text-muted">When disabled, a specific port will be setup for each application on first deploy, and requests to that port will be proxied to the relevant app.</small>
          </div>
+          <div class="alert alert-warning small mt-3 d-{UFW_DISPLAY}" role="alert">
+            <strong>Warning:</strong> UFW is active. To allow traffic to specific ports, run <code>sudo ufw allow PORT</code> for the port in question.
+          </div>
          <div class="bd-callout bd-callout-info">
            <h5>What will app URLs look like?</h5>
            <pre><code id="example">http://hostname:port</code></pre>
--- a/docs/networking/port-management.md
+++ b/docs/networking/port-management.md
@@ -14,6 +14,8 @@ In Dokku 0.5.0, port proxying was decoupled from the `nginx-vhosts` plugin into

 ## Usage

+> Warning: Mapping alternative ports may conflict with the active firewall installed on your server or hosting provider. Such software includes - but is not limited to - AWS Security Groups, iptables, and UFW. Please consult the documentation for those softwares as applicable.
+
 ### Proxy port mapping

 > New as of 0.6.0