403 when trying to access googleapis.com from within docker container


I am trying to deploy a small Python-based webapp that uses the google.oauth2 package for authentication. The webapp runs in a container that uses python:3.10 as its base. The authentication works as expected when running locally on the computer directly and in a container. If I try to deploy the webapp on the server, it can't connect to Google for authentication.

After some debugging I found out that Google reacts with a 403 Forbidden to every request sent from within the container to its services. I can connect from the server directly though.

I tested with curl:

My (abbreviated) Dockerfile is:

FROM python:3.10

<Installing libraries and setting up some creds>


#RUN
WORKDIR /code
CMD ["uvicorn", "user_api.api.server:app", "--host", "0.0.0.0", "--port", "80"]

My (abbreviated) compose file is:

version: '3.7'

services:
  user_api:
    image: user_api:latest
    ports:
      - "8100:80"
    env_file:
      - /home/user/.env

The server is hosted on Hetzner Cloud and has a static IPv4.

I have tried accessing multiple websites from within the container. All Google-owned domains I have tried respond with a 403; all other websites I have tested with seem to work.

I am also able to ping google.com and googleapis.com.

I have done the same tests on the server directly, on my local computer and inside of the container running on my local computer. The only place where it doesn't work is inside the container, on the server.


There are 1 best solutions below

Witt On

It seems to be related to Hetzner servers being blocked by Google. The reason why it only happens in the Docker container and maybe works on the server itself is that maybe only the IPv4 is blocked and your IPv6 works. If Docker is then only configured for IPv4, it only fails there.

You can test it with "curl --ipv4 www.google.com" or "curl --ipv6 www.google.com". I had servers/IP addresses that only worked on IPv4, only with IPv6 and didn't work on both.
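
The per-family check from the answer above, as an added example that is not part of the original post: it sends one HTTPS HEAD request over IPv4 and one over IPv6 and reports which family gets the 403, so the same script can be run on the host and inside the container and the two outputs compared. The function names and verdict strings are assumptions made for this example.

```python
import socket
import ssl
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def parse_status(status_line):
    """Return the numeric code from a line such as 'HTTP/1.1 403 Forbidden'."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def probe(host, family, timeout=5.0):
    """HEAD https://host/ over one address family; None means no usable path."""
    try:
        addr = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)[0][4]
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect(addr)
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode())
                line = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
        return parse_status(line)
    except (OSError, ValueError):  # DNS, routing, TLS and parse failures
        return None

def diagnose(results):
    """Summarise {'IPv4': code_or_None, 'IPv6': code_or_None} as one verdict."""
    blocked = sorted(n for n, c in results.items() if c == 403)
    working = sorted(n for n, c in results.items() if c not in (None, 403))
    no_path = sorted(n for n, c in results.items() if c is None)
    if not blocked:
        return "no 403 seen" if working else "no connectivity on either family"
    verdict = "403 over " + " and ".join(blocked)
    if working:
        verdict += "; " + " and ".join(working) + " works"
    if no_path:
        verdict += "; no usable " + " or ".join(no_path) + " path"
    return verdict

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    results = {name: probe(host, fam) for name, fam in FAMILIES.items()}
    for name, code in results.items():
        print(f"{name}: {code if code is not None else 'no path / no response'}")
    print(diagnose(results))
```

A host that prints "403 over IPv4; IPv6 works" next to a container that prints "403 over IPv4; no usable IPv6 path" is the situation the answer describes.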