仅将Docker端口公开到内部网络 [英] Expose docker port to internal network only
问题描述
现在正在为家庭实验室服务器的新版本上运行大量docker,并尝试确保所有内容均已锁定且安全。我将服务器用于各种各样的事情,既需要来自外界的访问(nextcloud),也需要我只能从内部网络(plex)访问的东西。当然,服务器位于限制开放端口但寻求其他安全性的路由器后面-我想将那些我仅想通过内部网络访问的docker限制为192.168.0.0/24。这样,如果以某种方式在我的路由器上打开了一个端口,则该端口将不会被暴露(我是否很偏执?)。
Running numerous dockers right now on a new build for a homelab server and trying to make sure everything is locked down and secure. I use the server for a variety of things, both requiring access from the outside world (nextcloud) and things that I will only access from my internal network (plex). Of course the server is behind a router that limits open ports but looking for additional security - I would like to restrict those dockers that I want to only access via internal network, to 192.168.0.0/24. That way, if somehow a port became open on my router, it would not be exposed (am I being to paranoid?).
当前docker-compose文件正在暴露端口通过:
Currently docker-compose files are exposing ports via:
....
ports:
- 8989:8989
....
这当然可以,但是如果我打开,全世界都可以使用我路由器上的端口。我知道我可以通过
This is of course works fine but is accessible to the world should I open the port on my router. I know i can bind to localhost via
....
ports:
- 127.0.0.1:8989:8989
....
但这对我没有帮助正在尝试从我的内部网络访问docker。我已经阅读了许多有关docker网络和各种标志的文章,还阅读了关于iptables解决方案的信息。
But that doesn't help me when I'm trying to access the docker from my internal network. I've read numerous articles regarding docker networks and various flags and also read about possibility iptables solution.
任何指导都是值得赞赏的。
Any guidance is much appreciated.
谢谢
推荐答案
仅在docker-compose中不声明任何端口,它们在容器之间自动可见。
Simply do not declare any ports in docker-compose, they are automatically visible between containers.
我使用了Elasticsearch
I use an elasticsearch container in this way and a separate kibana can connect to it by the server name declated on the yml.
如果某个端口在我的路由器上打开了,它将不会暴露
if somehow a port became open on my router, it would not be exposed
使用此过程,端口将永远不可见
Using this procedure the ports are never visible outside the docker environment (i.e. outside == in your local network).
如果您担心在执行我告诉您的过程时端口在您的LAN中发布,则它们不是。
If your concern is that ports are published in your LAN when doing the procedure I told you, they are not.
这篇关于仅将Docker端口公开到内部网络的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
