If what you said above is accurate, what you’re telling me is that it isn’t possible to accomplish what I am trying to do. The 0.0.0.0 host IP address will NOT prevent connections from sources external to the host, and that is why I can’t use 0.0.0.0. It is also what is leading me to consider macvlan or ipvlan as alternatives, which use a different IP address on the host. Isolation in that case is provided on the host.
I am not an IP / network expert or one that understands networking in great detail (for example I don’t comprehend iptables entries), but I can usually work my way through most networking issues with a little help from google searches.
As I see it I have 2 options:
1. Figure out how to implement an ipvlan (not as much info on ipvlan as there is for macvlan, and ipvlan looks like a special case of and subordinate to macvlan) using a virtual IP address bound to a host interface
2. Come up to speed on docker-compose and re-engineer the entire container system
I ultimately intend to employ the 2nd option, but wanted to start with a single container approach first as an intermediate migration path from the existing non-dockerized system now in production.
I estimate a few weeks of learning and testing will be required to do the 2nd option, whereas the first is now working except the websocket proxy. So close but perhaps not.
I see quite a few posts raising similar questions concerning host --> container networking, yet I see no tutorials or explanation on how to accomplish this. I also see no explanation on why some images such as the nginx alpine image allow for host to container connections while NOT allowing connections external to the host. If it’s possible for that image why isn’t it for others? Why does docker run -d --name test -p 127.0.0.1:8080:80 nginx work and allow only the host to connect if what you said above is true?
Although it may simply be a “corner case” not explicitly excluded, it makes no sense to allow a -p127.0.0.1:xx:xx run argument if the container treats that as “my localhost/container only” and not as a host IP:port. No point in using -p if that’s the case as -p is explicitly for host port mapping to container. That might be a useful case to allow IF it were used to trigger some special networking setup behind the scenes to extend such ports to the host only, but that may break the isolation model docker has established and is against changing in any way.
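The question above turns on what the host address part of a `-p` mapping does. Docker's publish spec has the form `[host_ip:][host_port:]container_port[/protocol]`; when no host IP is given the daemon binds the published port on all host interfaces (0.0.0.0), and `-p 127.0.0.1:8080:80` binds it on the host's loopback interface only, which is exactly the "host can connect, outside cannot" behaviour the nginx example shows. The following script is an added example, not code from the forum post or from Docker itself: it parses publish specs and classifies each one by the exposure its bind address implies, so that a `docker run` command line (or a list of ports lifted from a compose file) can be audited before a container goes into production. The function names, the exposure labels, and the sample command are my own constructs.

```python
"""Audit Docker -p / --publish specs for which host address they bind.

Exposure labels (constructed for this example):
  all-interfaces   no host IP, 0.0.0.0 or :: -> reachable from other hosts
  loopback-only    127.0.0.0/8 or ::1        -> reachable from the host only
  specific-address any other host address    -> reachable via that interface
"""
import ipaddress
import shlex


def parse_publish_spec(spec):
    """Split '[host_ip:][host_port:]container_port[/proto]' into its parts."""
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):
        # Bracketed IPv6 host address, e.g. [::1]:8080:80
        end = spec.index("]")
        host_ip = spec[1:end]
        rest = spec[end + 1:]
        if not rest.startswith(":"):
            raise ValueError("expected ':' after bracketed host IP: %r" % spec)
        parts = rest[1:].split(":")
        if len(parts) != 2:
            raise ValueError("expected host_port:container_port in %r" % spec)
        host_port, container_port = parts
    else:
        parts = spec.split(":")
        if len(parts) == 1:
            host_port, container_port = None, parts[0]
        elif len(parts) == 2:
            host_port, container_port = parts
        else:
            # Three parts is host_ip:host_port:container_port; more than three
            # means an unbracketed IPv6 address occupies the leading fields.
            host_ip = ":".join(parts[:-2])
            host_port, container_port = parts[-2:]
    if host_ip == "":
        host_ip = None
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port, "proto": proto}


def classify_exposure(spec):
    """Return the exposure label implied by the spec's host bind address."""
    host_ip = parse_publish_spec(spec)["host_ip"]
    if host_ip is None:
        return "all-interfaces"
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "specific-address"


def audit_run_command(argv):
    """Return [(spec, exposure)] for every -p/--publish in a docker run argv."""
    findings = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-p", "--publish"):
            i += 1
            findings.append((argv[i], classify_exposure(argv[i])))
        elif arg.startswith("--publish=") or arg.startswith("-p="):
            spec = arg.split("=", 1)[1]
            findings.append((spec, classify_exposure(spec)))
        i += 1
    return findings


if __name__ == "__main__":
    # Constructed command line: the nginx example from the thread plus a
    # second mapping that is reachable from outside the host.
    cmd = ("docker run -d --name test -p 127.0.0.1:8080:80 "
           "--publish=0.0.0.0:443:443 nginx")
    for spec, exposure in audit_run_command(shlex.split(cmd)):
        print("%-24s %s" % (spec, exposure))
```

A mapping reported as `all-interfaces` is the one to look at before deployment: Docker installs its own iptables rules for published ports, so a host firewall policy written for ordinary listening services does not necessarily cover them, and the bind address on the `-p` argument is the control that actually keeps the port on the host.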