docs: add port 443 redirect and Linux setcap notes#180
Open
NHerby wants to merge 1 commit intoMVladislav:mainfrom
Open
docs: add port 443 redirect and Linux setcap notes#180NHerby wants to merge 1 commit intoMVladislav:mainfrom
NHerby wants to merge 1 commit intoMVladislav:mainfrom
Conversation
Newer robots (confirmed: Deebot OZMO 920 series) connect to Bumper on port 443 via the jmq-ngiot protocol instead of the standard MQTT port 8883. Without an iptables PREROUTING redirect, the bot silently stays on the cloud. The existing DNS wildcards and cert SANs already cover the jmq-ngiot hostname — it is purely a port interception issue. Also documents the CAP_NET_BIND_SERVICE requirement for running Bumper directly on Linux (non-Docker), where binding port 443 requires either setcap or the WEB_SERVER_HTTPS_PORT alternative. - docs/getting_started/dns.md: new section with iptables rules, tcpdump diagnosis, iptables-persistent persistence note - docs/usage/cli.md: new section with setcap commands and WEB_SERVER_HTTPS_PORT fallback
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this adds
1. Port 443 redirect for newer robots (jmq-ngiot protocol)
Some newer robots (confirmed: Deebot OZMO 920 series) do not connect on the standard MQTT port (8883). Instead they connect on port 443 using the
jmq-ngiot-{region}.area.ww.ecouser.nethostname. Without an iptables redirect, Bumper never receives the connection and the bot silently stays on the cloud.Diagnosis:
tcpdumpshowed the bot connecting on 443 after DNS redirection was in place, with no activity on 8883.Fix: one iptables PREROUTING REDIRECT rule targeting the bot IP. The cert SANs (
*.area.ww.ecouser.net) and DNS wildcard already cover this hostname — it is purely a port interception issue.Added to
docs/getting_started/dns.md: iptables add/remove commands, tcpdump diagnosis,iptables-persistentpersistence note.2. Linux port 443 binding without root (non-Docker)
When running Bumper directly (not via Docker), Python cannot bind port 443 without
CAP_NET_BIND_SERVICE. Added todocs/usage/cli.md:setcapcommands for system Python and uv-managed Python, plus theWEB_SERVER_HTTPS_PORTalternative.Testing
vi829v)