Basically, I have this doubt, I have some self hosted services in docker where I add the ports like this:
host_port:container_port, so I don’t specify the interface, so by default, it is 0.0.0.0.

Somebody recently told me that this is dangerous and that I expose my services to the public internet by doing this. I don’t want to do that since I am the only one accessing them so I just use a vpn to access them. So, to try this out, I typed in my browser my public ip alongside the host port I used for one of my services but I cannot access it. This has me puzzled. How’s the deal? Am I exposing it? Should I change it?

What are your thoughts? Thanks!

  • NikStalwart@alien.topBEnglish
    2·
    11 months ago

    A few things, in no particular order:

    • Docker interferes with user-defined firewall rules on the host. You need to expend a lot of effort to make your rules persist above docker. This functionally means that, if you are running a public-facing VPS/dedicated server and bind services to 0.0.0.0, even if you set up a firewall on the same machine, it won’t work and your services will be publicly accessible
    • If you have access to a second firewall device  —  whether it is your router at home, or your hosting provider’s firewall (Hetzner, OVH both like to provide firewall controls external to your server)  — this is not the biggest concern.
    • There is no reason to bind your containers to 0.0.0.0. You will usually access most of your containers from a certain IP address, so just bind them to that IP address. My preference is to bind to any address in the 127.0.0.0/8 subnet (yes, that entire subnet is loopback) and then use a reverse proxy. Alternatively, look into the ‘macvlan’ and ‘ipvlan’ docker network drivers.

    Good luck

    • Rafa130397@alien.topOPBEnglish
      1·
      11 months ago

      Hey! Thanks a lot for your reply! I just have two other questions. First of all, the address is regarding the host right? And that ip should be the static ip of the computer or the 127…?And also, is there a way to put that same ip for all services in the docker compose file or I have to do it for everyone manually? Thanks again!