I’m trying to deploy a Strapi service with Docker and NGINX as a reverse proxy.
Because Nginx will be used as a reverse proxy, I don’t want to do port mapping to 0.0.0.0 but just 127.0.0.1. But for some reason, curl 127.0.0.1:1337 does not return anything. Nginx is running as a service on my Ubuntu VPS.
I suspect that it is a configuration of iptables (it is a custom VPS so I usually do not touch that part).
server {
    listen 443 ssl;
    server_name _; # managed by Certbot
    location / {
        proxy_pass http://127.0.0.1:1337;
    }
    ssl_certificate /etc/letsencrypt/live/_-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/_-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    listen 80;
    server_name _;
    if ($host = _) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    return 404; # managed by Certbot
}
The service looks alive, and I could also enter the Docker container and run curl localhost.
As for my iptables rules, these are the ones with DROP policy:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A DOCKER ! -i br-ae6b3f060f7a -o br-ae6b3f060f7a -j DROP
-A DOCKER ! -i br-ca83a216041b -o br-ca83a216041b -j DROP
-A DOCKER ! -i br-f56d2d8a96ef -o br-f56d2d8a96ef -j DROP
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f56d2d8a96ef -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-ca83a216041b -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-ae6b3f060f7a -j DROP
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j DROP
At this point I don’t really know if there could also be something related to the hosts file or the host inside Docker containers.
In summary, I can only curl 127.0.0.1 when the port mapping is: 0.0.0.0:1337->1337. What can I do?
That doesn’t make sense to me, unless you have a special Docker installation where using the loopback IP doesn’t really bind to the loopback IP of your host.
We usually need the following information to understand the issue:
1. What platform are you using? Windows, Linux or macOS? Which version of the operating systems? In case of Linux, which distribution?
2. How did you install Docker? Sharing the platform almost answers it, but only almost. Direct links to the followed guide can be useful.
3. On Debian-based Linux, the following commands can give us some idea and help recognize an incorrectly installed Docker:
docker info
docker version
Review the output before sharing and remove confidential data if any appears (public IP, for example).
ii docker-buildx-plugin 0.23.0-1~ubuntu.24.04~noble amd64 Docker Buildx cli plugin.
ii docker-ce 5:28.1.1-1~ubuntu.24.04~noble amd64 Docker: the open-source application container engine
ii docker-ce-cli 5:28.1.1-1~ubuntu.24.04~noble amd64 Docker CLI: the open-source application container engine
ii docker-ce-rootless-extras 5:28.1.1-1~ubuntu.24.04~noble amd64 Rootless support for Docker.
ii docker-compose-plugin 2.35.1-1~ubuntu.24.04~noble amd64 Docker Compose (V2) plugin for the Docker CLI.
snap output: error: no matching snaps installed. But this is possible because I think that I did not use snap for the installation.
So you are using docker-ce from the official repositories, and have no double installation → looks good to me.
Your use case is within the expected usage, and should not require adding any manual iptables rules.
Is nginx installed on the host itself? Judged by your nginx config, it must be.
Did you know that you can publish a container port to the IP of the docker0 interface as well? By default, it will use 172.17.0.1. This IP is accessible from the host and every container, but not from outside the host.
I just discovered that it was because ufw was active. But even when I try to enable ufw and allow port 1337, it does not change anything. I’ll keep it off and use only iptables for the rules.
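Added example, not part of any post in this thread: a small shell audit that classifies the three publish choices discussed above (0.0.0.0, 127.0.0.1, and a specific address such as docker0's 172.17.0.1) and lists mappings that listen on all interfaces. It assumes the Ports column shape of `docker ps` output; the sample lines and container names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit which host address each
# published container port is bound to.

# classify_bind ENTRY: ENTRY is one mapping from the Ports column of
# `docker ps`, e.g. "127.0.0.1:1337->1337/tcp". Prints one of:
# unpublished | all-interfaces | loopback | specific
classify_bind() {
    spec=$1
    case $spec in
        *'->'*) ;;                          # has a host side, keep going
        *) echo unpublished; return 0 ;;    # "1337/tcp": exposed only
    esac
    host=${spec%%->*}                       # "127.0.0.1:1337"
    addr=${host%:*}                         # drop host port -> "127.0.0.1"
    case $addr in
        0.0.0.0|::|'[::]') echo all-interfaces ;;
        127.*|::1|'[::1]') echo loopback ;;
        *) echo specific ;;                 # e.g. docker0's 172.17.0.1
    esac
}

# audit_ports: reads "NAME<TAB>PORTS" lines on stdin, the shape produced by
# docker ps --format '{{.Names}}\t{{.Ports}}', and prints "NAME ENTRY"
# for every mapping that listens on all interfaces.
audit_ports() {
    while IFS="$(printf '\t')" read -r name ports; do
        rest=$ports
        while [ -n "$rest" ]; do
            entry=${rest%%, *}              # first mapping in the list
            if [ "$entry" = "$rest" ]; then rest=; else rest=${rest#*, }; fi
            if [ "$(classify_bind "$entry")" = all-interfaces ]; then
                echo "$name $entry"
            fi
        done
    done
}

# Constructed sample input; the container names are made up.
sample_ps_output() {
    printf 'strapi\t127.0.0.1:1337->1337/tcp\n'
    printf 'strapi-wide\t0.0.0.0:1337->1337/tcp, [::]:1337->1337/tcp\n'
    printf 'db\t5432/tcp\n'
    printf 'strapi-bridge\t172.17.0.1:1337->1337/tcp\n'
}

sample_ps_output | audit_ports
```

On a real host, replace `sample_ps_output` with the `docker ps --format` command named in the comment.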