remap docker ephemeral ports to 80 for WP Site Health requesting external ports.

joemaller · joemaller · commit 240082f98ca9 · 2025-03-18T17:04:18.000-04:00
diff --git a/Dockerfile b/Dockerfile
@@ -174,12 +174,21 @@ RUN chmod +x /etc/update-motd.d/*
 RUN echo \
     && echo LS_OPTIONS='--color=auto' >> /root/.bashrc \
     && echo run-parts /etc/update-motd.d/ >> /root/.bashrc \
+    && echo alias wp='wp --allow-root' \
     && echo cd /usr/src >> /root/.bashrc
 
+# Install IPTables to workaround WordPress internal requests to external ports
+# This will be used to remap Docker's entire ephemeral port range back to 80
+RUN apt-get update -yqq \
+    && apt-get install -y --no-install-recommends \
+        iptables \
+    && apt-get autoremove -yqq \
+    && rm -rf /var/lib/apt/lists/*
+
 # Network Debugging Tools
 # TODO: Remove or disable if not needed
 RUN apt-get update -yqq \
-    &&  apt-get install -y --no-install-recommends \
+    && apt-get install -y --no-install-recommends \
         iputils-ping \
         dnsutils \
         vim \
diff --git a/bin/docker-entrypoint-iop.sh b/bin/docker-entrypoint-iop.sh
@@ -33,10 +33,18 @@ if [[ "$1" != apache2* ]] && [ "$1" != php-fpm ]; then
   exit 0
 fi
 
+# Check if NET_ADMIN capability is present
+if ! iptables -t nat -L >/dev/null 2>&1; then
+  echo -e "${GOLD}WARNING: IPTables failed due to missing NET_ADMIN capability."
+  echo -e "         Run with --cap-add=NET_ADMIN or add 'cap_add: [NET_ADMIN]' to docker-compose.yml.${RESET}"
+fi
+# Remap Docker's entire ephemeral port range back to port 80
+iptables -t nat -A OUTPUT -p tcp -d "localhost" --dport 49153:65535 -j REDIRECT --to-port 80
+
 # Create a simple phpinfo() page at /info.php
 echo '<?php phpinfo();' >/var/www/html/info.php
 echo '<?php xdebug_info();' >/var/www/html/xdebug.php
-chown $OWNER_GROUP /var/www/html/info.php /var/www/html/xdebug.php
+chown www-data:www-data /var/www/html/info.php /var/www/html/xdebug.php
 
 # Finally, we run the original endpoint, as intended, to kickoff the server
 exec /usr/local/bin/docker-entrypoint.sh "$@"
diff --git a/boilerplate-tooling/docker-compose.yml b/boilerplate-tooling/docker-compose.yml
@@ -62,25 +62,33 @@ services:
     # Apache will throw errors for any ulimit value below 8192
     # NOTE THAT THIS MIGHT BE MORE THAN THE SYSTEM OFFERS
     # TODO: Still true?
-    ulimits:
-      nofile: 8192
+    # TODO: Testing removal. 2025-03-18
+    # ulimits:
+    #   nofile: 8192
 
-  # Ideas On Purpose's development toolchain
-  # Image from: https://hub.docker.com/r/ideasonpurpose/docker-build
-  tools:
-    # image: ideasonpurpose/docker-build:dev
-    image: ideasonpurpose/docker-build:0.17.2
-    user: "${UID:-1000}:${GID:-1000}"
-    depends_on:
-      - wordpress
-    volumes:
-      - .:/usr/src/site/
-    ports:
-      - "${npm_config_port:-8080}:8080"
-    environment:
-      PORT: ${npm_config_port:-8080}
-    entrypoint: npm run
-    command: start
+    # Required for iptables port-mapping to work inside the Docker image
+    # This is used to fix a PHP/WordPress issue where internal requests
+    # from Site Health tried to load from external ports.
+    cap_add:
+      - NET_ADMIN
+
+  # # TODO: Deprecated and likely ready to remove 2025-03-18
+  # # Ideas On Purpose's development toolchain
+  # # Image from: https://hub.docker.com/r/ideasonpurpose/docker-build
+  # tools:
+  #   # image: ideasonpurpose/docker-build:dev
+  #   image: ideasonpurpose/docker-build:0.17.2
+  #   user: "${UID:-1000}:${GID:-1000}"
+  #   depends_on:
+  #     - wordpress
+  #   volumes:
+  #     - .:/usr/src/site/
+  #   ports:
+  #     - "${npm_config_port:-8080}:8080"
+  #   environment:
+  #     PORT: ${npm_config_port:-8080}
+  #   entrypoint: npm run
+  #   command: start
 
   # Utility service for running composer commands
   # Image from: https://hub.docker.com/_/composer
