Docker-compose Connection Refused Error

[Charles Williams]

Hi ZAP Team,

I'm working on adding a ZAP service to my Docker-compose file for testing against the other services running in it (isolating to a single docker-compose yml is a requirement in this case). The service I've added looks like the following:

owasp-zap:
  image: owasp/zap2docker-stable:latest
  container_name: owasp-zap
  command: zap.sh -cmd -autorun /zap/wrk/Test_Automation_Plan.yaml
  networks:
    - zap-scan
  volumes:
    - ./owasp_zap_required_files:/zap/wrk/

networks:
  zap-scan:
    name: zapnet

I've tried to follow the instructions from the Docker guide to create an external network, and I've added the zap-scan network under all the required services I have in my file. The intended use case here is to be able to run: 

docker-compose -f docker-compose-zap.yml run owasp-zap

Which would spin up my apps for testing and run ZAP against them all in one go. However, I'm getting the "Connection refused" error on my spider. I'd resolved this locally with docker run by adding the --network flag, but how can I replicate this in the Docker-compose file?

Thank you!

[Charles Williams]

I forgot to mention that I have a depends_on argument in the service which ensures that this doesn't start until the app is up and running, to remove the edge case that this would be an issue with when it runs.

[Charles Williams]

Some last reference information, sorry for the multiple messages - when the app is loaded, the target for ZAP (and the location of the app) is at http://localhost:8000, and my command to run this before successfully was:

docker run -v $(pwd):/zap/wrk/:rw --network=host -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/Test_Automation_Plan.yaml

What would this look like translated into a docker-compose?

Thank you for your help!

[Simon Bennetts]

Thanks for letting us know.

We do have some networking advice on https://www.zaproxy.org/docs/docker/about/ but I'm sure it could be improved.

I'm no expert in docker-compose so cant advise on that I'm afraid.

Cheers,

Simon

[Charles Williams]

Hi Simon,

No worries, I figured it out in my case, I just had to replace the network line with network_mode in my services since I'm using the docker-compose.

Best,

Charles

[Simon Bennetts]

Thanks for letting us know.

Can you suggest some text we could put on https://www.zaproxy.org/docs/docker/about/ to cover this case?

Cheers,

Simon

[Charles Williams]

Hi Simon,

As I continued working with it, it eventually stopped working - I'm not quite sure what caused it. But since this may have been a problem just on my end and this could potentially help someone else, maybe an addendum in the "Scanning an app running in another Docker container" with something like:

"If you are using a Docker-compose file to run the ZAP service, you can replicate this behavior by adding the 'networks' argument to your ZAP service:

owasp-zap:
  image: owasp/zap2docker-stable:latest
  container_name: owasp-zap

  networks:
    - zap-scan

networks:
  zap-scan:
    name: zap-scan

Make sure that your application service has the same network set up. If you don't want to make your own external network, and it fits your requirements, you can also set your 'network-mode' argument to host:

owasp-zap:
  image: owasp/zap2docker-stable:latest
  container_name: owasp-zap

  network-mode: host

Again, make sure that all application-related services have the same network setup, otherwise ZAP will get a 'Connection refused' error."

If this helps, great, if not, no worries! Let me know if providing any more information would help.

Best,

Charles