I have a project which I run with docker-compose up. This project has a frontend on port 4200, a backend on 3000 and a db on 5342. When I run it with docker-compose, all these ports are public. So I can (everyone can) access, for example, the backend at https://myserver:3000/api.
How can I stop the docker-proxy ports from being public? My solution is that I have nginx, serving myapp.myserver.com and redirecting to the local frontend port 4200 (nginx.conf) – the frontend uses backend port 3000 and the backend uses 5432 – but these ports shouldn't be public. The only public ports should be 80, 443, 22 (ssh) etc.
See my netstat:
tcp 0 0 0.0.0.0:80 0.0.0.0:* NASLOUCHÁ 11972/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* NASLOUCHÁ 848/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* NASLOUCHÁ 1149/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* NASLOUCHÁ 11972/nginx: master
tcp6 0 0 :::9000 :::* NASLOUCHÁ 16995/docker-proxy
tcp6 0 0 :::5000 :::* NASLOUCHÁ 14069/docker-proxy
tcp6 0 0 :::5001 :::* NASLOUCHÁ 11557/docker-proxy
tcp6 0 0 :::8080 :::* NASLOUCHÁ 11402/docker-proxy
tcp6 0 0 :::80 :::* NASLOUCHÁ 11972/nginx: master
tcp6 0 0 :::22 :::* NASLOUCHÁ 848/sshd
tcp6 0 0 ::1:25 :::* NASLOUCHÁ 1149/master
tcp6 0 0 :::443 :::* NASLOUCHÁ 11972/nginx: master
tcp6 0 0 :::8000 :::* NASLOUCHÁ 17006/docker-proxy
2 Answers
So I solved it by changing the port mapping:
From:
To:
Now it is available only on localhost of the VPS where the app is running; it is not possible to call https://myserverip.com:3000/api.
You can use nginx.conf to redirect to backend ports as well. For instance, api.myserver.com will route traffic to backend port 3000 and db.myserver.com will route traffic to port 3000. All these containers should be on the same docker network for easier routing. Nginx can control which ports are exposed to the outside world.
This way, your nginx will serve as an ingress proxy. All connections are routed through nginx and the rest of the world is oblivious to the ports used internally. This idea is used to open services behind Kubernetes to the world.
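The loopback-only port mapping from the first answer and the shared-network idea from the second, written out as a compose file. This is an added example, not part of either answer; it assumes nginx runs on the host as in the question's netstat output, and the service names, image names and network name are hypothetical.

```yaml
# docker-compose.yml (added example; service, image and network names are assumptions)
services:
  frontend:
    image: example/frontend:latest      # hypothetical image
    ports:
      # Weak:      "4200:4200" publishes on 0.0.0.0 and [::], reachable by anyone.
      # Corrected: bind the published port to the host loopback only, so the
      #            host's nginx can proxy to it but remote clients cannot connect.
      - "127.0.0.1:4200:4200"
    networks:
      - app

  backend:
    image: example/backend:latest       # hypothetical image
    ports:
      # Weak:      "3000:3000"
      # Corrected: loopback only; nginx on the host proxies to 127.0.0.1:3000.
      - "127.0.0.1:3000:3000"
    networks:
      - app

  db:
    image: example/db:latest            # hypothetical image
    # No "ports:" entry at all, so nothing is published on the host.
    # The backend reaches the database over the compose network as db:5432.
    expose:
      - "5432"
    networks:
      - app

networks:
  # Shared user-defined network: containers resolve each other by service name.
  app: {}
```

After recreating the containers, netstat should list docker-proxy on 127.0.0.1:4200 and 127.0.0.1:3000 instead of the wildcard addresses, with no listener for the database port. Binding to loopback matters because Docker sets up published ports through its own iptables rules, which host firewall front ends such as ufw commonly do not block.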