I’m looking for what would be the best approach to limiting network access to a service running on docker swarm. For example, running an nginx container, I am not able to use the normal access rules in the web server to restrict access by address or subnet because all traffic appears to be originating from the ingress-endpoint address. If I use host networking for the listening ports (80 & 443) then I am not able to connect to some of the overlay networks where this web server functions as a reverse proxy for other containerized services.
Also, it appears that incoming traffic is routed to the ingress network before the host's firewall (CentOS/RHEL7) can apply any filter rules.
If I want to block public traffic to some vhosts, or limit others to specific subnets, what is the best method for achieving this?
docker-ce version: 19.03.8-3.el7
container ver: nginx:alpine
```yaml
- target: 80
```
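For reference, here is an added example (not part of the original post) of one common way to get the real client address back in a swarm service: publishing the ports with the compose long syntax in `mode: host` instead of the default `mode: ingress`. Host-mode publishing bypasses the routing mesh, so connections are not source-NATed to the ingress endpoint address, while the service still attaches to its overlay networks (this is different from `network_mode: host`, which is what blocks overlay attachment). The service and network names, and the `some/app` upstream image, are assumptions for illustration.

```yaml
# Added example (not from the original post): publish the proxy's ports in
# host mode so the routing mesh and its source-NAT are bypassed, while the
# proxy still joins the overlay network of the services it fronts.
version: "3.8"          # long port syntax needs 3.2+; 3.8 matches docker 19.03

services:
  proxy:
    image: nginx:alpine
    ports:
      # Long syntax is required for "mode: host". The port is opened only on
      # nodes that run a task, and the client source address reaches the
      # container unchanged, so nginx allow/deny directives (and host
      # firewall rules keyed on source address) can act on the real client.
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - backend         # overlay network shared with the proxied services
    deploy:
      # A host port can be bound by only one task per node, so run exactly
      # one proxy task on every node (or constrain a replicated service so
      # that no two tasks land on the same node).
      mode: global

  app:
    image: some/app     # hypothetical upstream; replace with the real service
    networks:
      - backend         # reachable from the proxy as http://app:<port>

networks:
  backend:
    driver: overlay
```

With ports published this way, a vhost can use ordinary `allow 192.0.2.0/24; deny all;` style rules (addresses assumed) and they will match the actual client. The trade-off is that there is no routing mesh: clients must reach a node that is running a proxy task, so DNS or an external load balancer has to point at the nodes rather than at any swarm member.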