Allow few IP Address to connect

kvrakvra · October 15, 2020, 4:39pm

Hello, everyone.

I have some few containers Docker and i would like to allow the remote access just for few external IP Address.
Example:

docker run -d -p 8080:8080 --restart=unless-stopped --name Jira cptactionhank/atlassian-jira-software

With this command, i will start Jira and everyone who know my external IP address can reach this service. So i would like to open just for some external IPs like 189.56.7.8 and 198.6.7.8 (examples).

I was looking more about and it’s possible to use a comand like:

docker run -d -p 127.0.0.1:3306:3306 --restart=unless-stopped --name MySQL mysql

In this way i can limit the port 3306 (mysql) just on localhost. But if i would like set an access limit for some external IPs?

meyay · October 15, 2020, 7:59pm

What does “few external IP” and “some external IPs” mean in your context? Are those interfaces of the docker host? Are those client IPs?

By default a published port is bound to all available IPs of the docker host’s interfaces. If you add a interface’s ip to the host port, the publised port will be only bound to this ip. But what does “But if I would like set an access limit for some external IPs” mean?

kvrakvra · October 15, 2020, 8:05pm

Sorry about my english…

I would like just to allow some clients to access this Docker by this host port.

meyay · October 15, 2020, 8:12pm

All good, I just wanted to be sure that I got you right.

I am afraid Docker itself does not have build in functionality to do so.
Though, if your application is reachable via http/https, you could add a reverse proxy container in front of your application container and define those limitations in the reverse proxy rules. Usualy you can restrict ips and even add authentification in reverse proxies like traefik, nginx, apache… whatever you are comfortable with.

kvrakvra · October 15, 2020, 8:15pm

I was looking about use UFW but doesn’t match with docker (or i’m wrong):

Should i wait for more people to assist me with this?

meyay · October 15, 2020, 8:21pm

If UFW does the job then go for it. Last time I cheked (roughly 1 or 2 years ago) docker had the nasty habit to punch holes in ufw for each published port. Not sure if the behavior is different now, though.

It is definitly wort a try.

That’s up to you… Depending on your “pain” you could start to work on a solution while waiting for someone with a better answer

Update: I glimpsed at the question and responses - personaly I find those recommendations odd and harmful

kvrakvra · October 15, 2020, 8:24pm

I already tried this solution with UFW doesn’t helped me.
For awhile this “pain” is really low but i need work with this for more projects at my company.
Thanks for your help and i hope another people can send me more help.

meyay · October 15, 2020, 8:28pm

I would put a (containerized) reverse proxy in front and make sure the app container is only accessible from the reverse proxy by a container network - the app container should not publish any ports. Then implement the restriction in the reverse proxy. Depending on the reverse proxy you could leverage ip restrictions, basic auth, ldap auth, x509 auth, saml auth, oidc auth,… realy whatever commes to mind and is supported by that particular reverse proxy.