
I have a project which I run with docker-compose up. This project has a frontend on port 4200, a backend on 3000 and a db on 5342. When I run it with docker-compose, all these ports are public. So I (and everyone else) can access, for example, the backend at https://myserver:3000/api.

How can I stop the docker-proxy ports from being public? My solution is that I have nginx serving myapp.myserver.com and redirecting to the local frontend port 4200 (nginx.conf). The frontend uses backend port 3000 and the backend uses 5432, but these ports shouldn't be public. The only public ports should be 80, 443, 22 (ssh) etc.

See my netstat:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               NASLOUCHÁ  11972/nginx: master 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               NASLOUCHÁ  848/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               NASLOUCHÁ  1149/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               NASLOUCHÁ  11972/nginx: master 
tcp6       0      0 :::9000                 :::*                    NASLOUCHÁ  16995/docker-proxy  
tcp6       0      0 :::5000                 :::*                    NASLOUCHÁ  14069/docker-proxy  
tcp6       0      0 :::5001                 :::*                    NASLOUCHÁ  11557/docker-proxy  
tcp6       0      0 :::8080                 :::*                    NASLOUCHÁ  11402/docker-proxy  
tcp6       0      0 :::80                   :::*                    NASLOUCHÁ  11972/nginx: master 
tcp6       0      0 :::22                   :::*                    NASLOUCHÁ  848/sshd            
tcp6       0      0 ::1:25                  :::*                    NASLOUCHÁ  1149/master         
tcp6       0      0 :::443                  :::*                    NASLOUCHÁ  11972/nginx: master 
tcp6       0      0 :::8000                 :::*                    NASLOUCHÁ  17006/docker-proxy

2 Answers


  1. Chosen as BEST ANSWER

    So I solved it by changing the port mapping:

    From:

    ports:
      - "3000:3000"

    To:

    ports:
      - "127.0.0.1:3000:3000"

    Now it is available only on localhost of the VPS where the app is running; it is not possible to call https://myserverip.com:3000/api.


  2. You can use nginx.conf to redirect to the backend ports as well. For instance, api.myserver.com will route traffic to backend port 3000 and db.myserver.com will route traffic to port 3000. All these containers should be on the same Docker network for easier routing.

    Nginx can control which ports are exposed to the outside world.

    This way, your nginx will serve as an ingress proxy. All connections are routed through nginx and the rest of the world is oblivious to the ports used internally. This idea is used to open services behind Kubernetes to the world.
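
The loopback binding from the accepted answer can be checked across a whole project. The following is an added example, not part of the original thread: it parses Compose short-syntax `ports:` strings and lists every mapping that is reachable from outside the host. The service table is constructed sample data (the `metrics` service is hypothetical), and it assumes the Docker daemon's default bind address has not been changed.

```python
import ipaddress

def parse_port(spec):
    """Split a Compose short-syntax port string into
    (host_ip, host_port, container_port, proto); absent parts are None."""
    spec, _, proto = spec.partition("/")
    proto = proto or "tcp"
    host_ip = None
    if spec.startswith("["):                  # bracketed IPv6 host address
        host_ip, _, rest = spec[1:].partition("]:")
        parts = rest.split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:                   # IP:HOST_PORT:CONTAINER_PORT
            host_ip = parts.pop(0)
    if len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:                     # container port only
        host_port, container_port = None, parts[0]
    else:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return host_ip, host_port or None, container_port, proto

def reachable_off_host(host_ip):
    """No host IP means Docker publishes on all interfaces (assumed default)."""
    if host_ip is None:
        return True
    return not ipaddress.ip_address(host_ip).is_loopback

def audit(services):
    """Return (service, mapping) pairs that are not bound to loopback."""
    findings = []
    for name, ports in services.items():
        for spec in ports:
            if reachable_off_host(parse_port(spec)[0]):
                findings.append((name, spec))
    return findings

# Constructed sample: service name -> entries of its `ports:` list.
SAMPLE = {
    "frontend": ["127.0.0.1:4200:4200"],      # loopback only, nginx proxies to it
    "backend": ["3000:3000"],                 # no host IP: all interfaces
    "db": ["0.0.0.0:5432:5432/tcp"],          # explicit wildcard
    "metrics": ["9000", "[::1]:9001:9001"],   # random host port on all interfaces; IPv6 loopback
}

if __name__ == "__main__":
    for service, mapping in audit(SAMPLE):
        print(f"{service}: {mapping} is published beyond localhost")
```

A mapping with only a container port still gets a host port on every interface, which is why `"9000"` is reported.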
