I've set up docker services behind nginx proxy manager so they're accessible with https, but the http services are still open. How do I close them?
-
Don't forward them, close firewall ports, change configs to not listen on those ports, setup redirects to forward all requests on those ports to whichever you want.......lots of options here
-
Nothing is accessible outside my network. The proxy is local only.
-
My firewall is closed, nothing is forwarded. This is all on my LAN only. I just don't want the non-https ports available at all, even on the LAN.
-
I've tried commenting out the ports in the compose file, which should make them only available on the internal network, I thought. But when I do that, the containers can no longer connect to each other.
Did you create an explicit network for them to talk on? Otherwise the default docker network doesn't support internal DNS queries.
https://docs.docker.com/engine/network/#container-networks
Specifically you need a network using the bridge driver: https://docs.docker.com/engine/network/drivers/bridge/
-
Thank you! I'll give that a go!
-
Are you using the default bridge? I have a similar setup (with Traefik instead of NPM), and for each compose file am using separate networks for the internet, proxy, and backend services.
services: some_service: ... networks: - frontend_network - proxy_network - backend_network backend_service: ... networks: - backend_network networks: frontend_network: driver: "bridge" proxy_network: driver: "bridge" internal: true backend_network: driver: "bridge" internal: true -
You need to change the nginx config (for the website you will be hosting your services at.
/etc/nginx/sites-availableWatch a video on how nginx works and how to set it up, and then look for example nginx configs for your services.
I think nginx can be setup to work locally only, but do you even need it for that?
It's primary use is to proxy http requests to the different websites running on your server, enable https via letsencryt and so on, I think. -
There's likely a firewall on the system that hosts the docker services, and docker's default bridge rules bypass it when publishing a port. And since the docker rules are prioritised, it can be quite difficult to override them in a reliable way.
I personally use host networking to avoid the whole mess, but be aware you'll have to change the internal ports for a bunch of services most likely, and that's not always well-documented. And using the container name as the host name won't work when referencing other containers, you'll have to use e.g. http://localhost/:<port number> even inside the network.
You can do the bind to localhost thing that others have mentioned, as long as the reverse proxy itself is inside the docker network.
-
It means you published 8080. Just stop doing it. nginx can reach that container via internal network (assuming they are on same network). Publishing docker-compose would help.
-
Then it doesn’t really matter, does it? If the traffic is only going over your local network, then the only people who could sniff said traffic would already have pwned your entire network, and using SSL would be pointless anyway.
