My current Flask and Docker setup is the following:
In this scenario, end users access the application container from the external IP on port 80 (which is a request to the Nginx container), which then proxies the request over to the application container running on port 8000 with Gunicorn. However, people can bypass Nginx by using the same URL, but specifying the port as 8000, accessing the app directly using Gunicorn.
How do I limit access to my Flask application so it is only accessible via the Nginx container? If I block port 8000 in my server’s firewall, would Nginx still be able to proxy to the container running on port 8000?
2 Answers
If you --bind=127.0.0.1:800 (doc) then gunicorn should be limited to the (docker) host. You should test this to confirm.
Use communication across links. Links allow containers to discover each other and securely transfer information about one container to another container. When you set up a link, you create a conduit between a source container and a recipient container. The recipient can then access select data about the source. To create a link, you use the --link flag.
First start your app.
Then start the nginx container with a link to your app container.
Your application is now accessible from your nginx container via the alias "my_app" (no ip address needed). It will not be available from the host.
More info: https://docs.docker.com/network/links/#communication-across-links
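One way to confirm that only Nginx is reachable from outside the host, as an added example that is not part of the original question or answers: it reads the `NetworkSettings.Ports` section of `docker inspect` output and lists host port bindings that are not on loopback. The sample JSON is constructed, and the container name `nginx` and the allow-list are assumptions (`my_app` is the alias used in the answer above).

```python
import ipaddress
import json

# Constructed samples in the shape of `docker inspect <container> ...` output,
# trimmed to the fields used here. "nginx" is an assumed container name.
BEFORE = json.loads("""
[
  {"Name": "/my_app",
   "NetworkSettings": {"Ports": {"8000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8000"}]}}},
  {"Name": "/nginx",
   "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}}}
]
""")

AFTER = json.loads("""
[
  {"Name": "/my_app",
   "NetworkSettings": {"Ports": {"8000/tcp": null}}},
  {"Name": "/nginx",
   "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}}}
]
""")


def published_ports(containers):
    """Return (name, container_port, host_ip, host_port) for every host binding
    reachable from outside the Docker host (HostIp is not a loopback address)."""
    exposed = []
    for c in containers:
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in ports.items():
            # null or [] means the port is not published on the host at all.
            for b in bindings or []:
                host_ip = b.get("HostIp") or "0.0.0.0"  # empty string = all interfaces
                if not ipaddress.ip_address(host_ip).is_loopback:
                    exposed.append((c["Name"].lstrip("/"), container_port,
                                    host_ip, int(b["HostPort"])))
    return exposed


def unexpected(containers, allowed=frozenset({("nginx", 80)})):
    """Externally reachable bindings that are not on the allow-list."""
    return [e for e in published_ports(containers) if (e[0], e[3]) not in allowed]


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, unexpected(sample))
```

On a real host, feed it the parsed output of `docker inspect` for the running containers instead of the constructed samples.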