限制对Docker容器的互联网访问？ [英] Restrict internet access to docker container?

问题描述

在仍然转发端口的同时将互联网访问限制在单个Docker容器中的最佳方法是什么？

我目前的操作方式是这样的：

  sudo docker network create --internal --subnet 10.1.1.0/24 no-internet 
 sudo docker run --name gitlab -d -p 80:80 -p 822：22-总是重新启动gitlab / gitlab-ce 
 sudo docker network connect no-internet gitlab 
 sudo docker network断开网桥gitlab 
  

问题是，如果我重新启动系统，端口将不再转发：

sudo docker ps 重启前：

 容器ID图像命令创建的状态端口名称
 2d2a062744ec gitlab / gitlab-ce / assets / wrapper 13秒前向上13秒（运行状况：开始）0.0.0.0:80->80/tcp，443/tcp，0.0.0.0 ：822-> 22 / tcp gitlab 
  

sudo docker ps 重新启动后：

 容器ID图像命令创建的状态端口名称
 2d2a062744ec gitlab / gitlab-ce / assets / wrapper 12分钟前向上2分钟（健康）gitlab 
  

解决方案

因此，如果我正确理解了您的情况，则希望避免将主机的网络共享到gitlab容器，以确保gitlab无法连接到互联网。同时，您希望共享主机的网络以将容器端口绑定到主机系统。那样行不通，但是以下方法可能是您可以接受的解决方法：共享同一内部网络的Docker容器可以连接到同一网络上其他容器的公开/发布的端口。

您可以采用以下方法：

• 在gitlab容器前面运行反向代理


• 反向代理是您内部网络和默认桥网络（包括主机网络）的成员


• 这使反向代理可以绑定到主机端口并转发对gitlab容器的请求，而gitlab仍然无法访问互联网

我很快将这个示例放在一起，希望可以帮助您入门：

docker network create --internal --subnet 10.1.1.0/24 no-internet

docker网络创建互联网

docker- compose.yml ：

 版本：'2'
 
 ser恶习：
 whoami：
图片：jwilder / whoami 
 container_name：whoami 
网络：
-无互联网
 
代理人：
图像：nginx：1.13-alpine 
 container_name：代理
网络：
-互联网
-无互联网
量：
-./vhost .conf：/etc/nginx/conf.d/default.conf 
端口：
- 80:80 
 
网络：
互联网：
外部：
名称：互联网
无互联网：
外部：
名称：无互联网
  

vhost.conf ：

 上游whoami {
服务器whoami：8000; 
} 
 
服务器{
 server_name localhost; 
听80； 
位置/ {
 proxy_pass http：// whoami; 
} 
} 
  

请注意上述实际上不需要互联网，因为Docker容器默认情况下会共享主机网络。

在上述示例中，打开 http：// localhost / 并您将看到 whoami 容器的响应，而 whoami 容器本身却无法连接到互联网。 / p>

What is the best way to restrict internet access to a single docker container while still forwarding ports?

My current way of doing this works like this:

sudo docker network create --internal --subnet 10.1.1.0/24 no-internet
sudo docker run --name gitlab -d -p 80:80 -p 822:22 --restart always gitlab/gitlab-ce
sudo docker network connect no-internet gitlab
sudo docker network disconnect bridge gitlab

The problem is that if I restart the system the ports are not forwarded anymore:

sudo docker ps before reboot:

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                             PORTS                                              NAMES
2d2a062744ec        gitlab/gitlab-ce    "/assets/wrapper"   13 seconds ago      Up 13 seconds (health: starting)   0.0.0.0:80->80/tcp, 443/tcp, 0.0.0.0:822->22/tcp   gitlab

sudo docker ps after reboot:

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                   PORTS               NAMES
2d2a062744ec        gitlab/gitlab-ce    "/assets/wrapper"   12 minutes ago      Up 2 minutes (healthy)                       gitlab

解决方案

So if I understand your scenario correctly, you would like to avoid sharing your host's network to your gitlab container to make sure gitlab cannot connect to the internet. At the same time you wish to share the host's network to bind a container port to your host system. It doesn't work that way, but the following might be an acceptable workaround for you: docker containers sharing the same internal network can connect to exposed/published ports of other containers on the same network.

You could follow this approach:

• Run a reverse proxy in front of your gitlab container
• The reverse proxy is member of your internal network and the default bridge network (which includes the host's net)
• This enables the reverse proxy to bind to a host port and forward requests to your gitlab container while gitlab still can't access the internet

I quickly put this example together, hope that gets you started:

docker network create --internal --subnet 10.1.1.0/24 no-internet

docker network create internet

docker-compose.yml:

version: '2'

services:
  whoami:
    image: jwilder/whoami
    container_name: whoami
    networks:
      - no-internet

  proxy:
    image: nginx:1.13-alpine 
    container_name: proxy
    networks:
      - internet
      - no-internet
    volumes:
      - ./vhost.conf:/etc/nginx/conf.d/default.conf
    ports:
      - "80:80"

networks:
  internet:
    external:
      name: internet
  no-internet:
    external:
      name: no-internet

vhost.conf:

upstream whoami {
    server whoami:8000;
}

server {
    server_name localhost;
    listen 80;
    location / {
        proxy_pass http://whoami;
    }
}

Please note the above mentioned internet network is actually not needed, as a docker container shares the host network by default anyway. It's just there to make things clearer.

In the example depicted above, open http://localhost/ and you will see the response of the whoami container, the whoami container itself however can't connect to the internet.

这篇关于限制对Docker容器的互联网访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！