I have a few Docker containers and I would like to allow remote access just for a few external IP addresses.
Example:
docker run -d -p 8080:8080 --restart=unless-stopped --name Jira cptactionhank/atlassian-jira-software
With this command, I will start Jira and everyone who knows my external IP address can reach this service. So I would like to open it just for some external IPs like 189.56.7.8 and 198.6.7.8 (examples).
I was looking into it more and it's possible to use a command like:
docker run -d -p 127.0.0.1:3306:3306 --restart=unless-stopped --name MySQL mysql
In this way I can limit port 3306 (MySQL) to localhost only. But what if I would like to set an access limit for some external IPs?
What does “few external IP” and “some external IPs” mean in your context? Are those interfaces of the docker host? Are those client IPs?
By default a published port is bound to all available IPs of the docker host's interfaces. If you add an interface's IP to the host port, the published port will only be bound to this IP. But what does "But if I would like set an access limit for some external IPs" mean?
All good, I just wanted to be sure that I got you right.
I am afraid Docker itself does not have built-in functionality to do so.
Though, if your application is reachable via http/https, you could add a reverse proxy container in front of your application container and define those limitations in the reverse proxy rules. Usually you can restrict IPs and even add authentication in reverse proxies like traefik, nginx, apache… whatever you are comfortable with.
If UFW does the job then go for it. Last time I checked (roughly 1 or 2 years ago) docker had the nasty habit to punch holes in ufw for each published port. Not sure if the behavior is different now, though.
It is definitely worth a try.
That's up to you… Depending on your "pain" you could start to work on a solution while waiting for someone with a better answer.
Update: I glimpsed at the question and responses - personally I find those recommendations odd and harmful.
I already tried this solution with UFW; it didn't help me.
For a while this "pain" is really low, but I need to work with this for more projects at my company.
Thanks for your help and I hope other people can send me more help.
I would put a (containerized) reverse proxy in front and make sure the app container is only accessible from the reverse proxy by a container network - the app container should not publish any ports. Then implement the restriction in the reverse proxy. Depending on the reverse proxy you could leverage IP restrictions, basic auth, ldap auth, x509 auth, saml auth, oidc auth,… really whatever comes to mind and is supported by that particular reverse proxy.
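An added example (not from any poster in this thread) of the reverse-proxy layout described above, using nginx: the Jira container from the first post joins an internal network and publishes nothing, and only an nginx container publishes host port 8080 with an `allow`/`deny` list. The network name `jira-internal`, the config file name and the helper names are my own choices; the IPs are the placeholders from the question.

```bash
#!/usr/bin/env bash
# Added example: restrict a published Docker service to a few client IPs by
# publishing only an nginx reverse proxy that carries the allow list.
set -eu

# Render an nginx server block that accepts only the listed client IPs/CIDRs
# (ngx_http_access_module) and forwards everything else to the app container.
# Usage: render_nginx_conf UPSTREAM_HOST:PORT ALLOWED_IP...
render_nginx_conf() {
  local upstream=$1; shift
  local ip
  printf 'server {\n    listen 8080;\n'
  for ip in "$@"; do
    printf '    allow %s;\n' "$ip"
  done
  printf '    deny all;\n'                      # everyone else gets HTTP 403
  printf '    location / {\n        proxy_pass http://%s;\n' "$upstream"
  printf '        proxy_set_header Host $host;\n'
  printf '        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n'
  printf '    }\n}\n'
}

# Bring up both containers; the app container has no -p flag at all, so the
# only host port Docker opens (and the only hole in the firewall) is the proxy's.
deploy() {
  docker network create jira-internal 2>/dev/null || true
  docker run -d --restart=unless-stopped --name Jira --network jira-internal \
    cptactionhank/atlassian-jira-software
  # "Jira" resolves through Docker's embedded DNS on the user-defined network.
  render_nginx_conf Jira:8080 189.56.7.8 198.6.7.8 > ./jira-proxy.conf
  docker run -d --restart=unless-stopped --name jira-proxy --network jira-internal \
    -p 8080:8080 -v "$PWD/jira-proxy.conf:/etc/nginx/conf.d/default.conf:ro" nginx:alpine
}

# `./proxy.sh deploy` applies it; with no argument the script only prints the config.
if [ "${1:-}" = deploy ]; then deploy; else render_nginx_conf Jira:8080 189.56.7.8 198.6.7.8; fi
```

On a Linux host with Docker's iptables NAT, nginx sees the real client address, so the allow list works as intended; on Docker Desktop (and when connections arrive through the userland proxy) every client appears to come from the internal gateway and an IP allow list cannot distinguish them.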