How to prevent Docker from bypassing your firewall on Linux

If you’re running a service in Docker that should only be reachable through a reverse proxy, and not through the port Docker publishes, you need to stop Docker from managing iptables for you. By default the Docker daemon writes its own iptables rules: a DNAT rule in the nat table that redirects traffic arriving on a published host port to the container, and rules it inserts at the top of the FORWARD chain that accept it. Traffic to a published port is therefore forwarded to the container rather than delivered to the host, so the INPUT rules that ufw (and most host firewalls) rely on never see it, and Docker’s FORWARD rules sit ahead of ufw’s.

For example, consider a web service that:

If the container publishes port 3000 (for example with -p 3000:3000), Docker opens that port on every host address anyway, so your internal HTTP service is reachable from the internet on port 3000 regardless of what your ufw rules say.

Here’s how to fix that:

Which file Docker reads depends on how the daemon is started. On older, sysvinit/upstart-based systems, dockerd takes its flags from /etc/default/docker, so add this line there:

DOCKER_OPTS="--iptables=false"

(You may need to modify the existing DOCKER_OPTS if one is already configured.)

On systemd-based systems (every current mainstream distribution), /etc/default/docker is not read by the docker.service unit; set "iptables" to false in /etc/docker/daemon.json instead. If that file does not exist, create it so that it looks like this:

{ "iptables": false }

If the file already exists, add the key to the existing object rather than replacing the file, otherwise you lose your other daemon settings. Use one mechanism or the other, not both: if dockerd receives the same option both as a command-line flag and from daemon.json it refuses to start with an error about directives specified both as a flag and in the configuration file, even when the two values agree.

Finally, restart Docker (on systemd systems the equivalent is sudo systemctl restart docker):

sudo service docker restart

Now you’re free to use ufw or the firewall software of your choice to manage your system’s open ports and to plug in whichever reverse proxy you like. Note that the published port is still bound on the host: Docker’s userland proxy (docker-proxy) keeps listening on the host port and relays connections to the container, but that traffic is now ordinary local traffic through the INPUT chain, so your ufw rules apply to it. Two caveats: first, --iptables=false disables all of Docker’s rules, including the MASQUERADE rule that gives containers outbound internet access, so you must add your own NAT rule for the bridge network (for the default bridge that is typically 172.17.0.0/16 on docker0; check with docker network inspect bridge). Second, after the restart, confirm with sudo iptables-save | grep -i docker that no Docker-managed chains or DNAT rules are left over; if any are, a reboot clears them, since iptables rules are not persistent on their own.
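The following is an added example, not code from the original post: a small POSIX shell script that applies the daemon.json change idempotently (creating the file, flipping an existing "iptables" key, or adding the key next to your other settings) and then checks an iptables-save dump for the rules Docker leaves behind. The daemon.json path is a parameter so it can be exercised on a scratch copy; the two iptables-save dumps are constructed samples in the shape Docker's real rules take, with the DNAT line being the one that exposes port 3000. The function names, the 172.17.0.2 container address and the manually added MASQUERADE rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): manage the "iptables": false setting
# and detect Docker-managed iptables rules. Function names are this example's own.

# set_iptables_false FILE
# Writes { "iptables": false } if FILE is missing or an empty object, flips an existing
# "iptables" key to false, or inserts the key after the opening brace so other daemon
# settings are kept. Assumes a flat, hand-written daemon.json (GNU sed is required).
set_iptables_false() {
    file=$1
    if [ ! -s "$file" ] || [ "$(tr -d '[:space:]' < "$file")" = "{}" ]; then
        printf '{ "iptables": false }\n' > "$file"
    elif grep -q '"iptables"[[:space:]]*:' "$file"; then
        sed -i 's/"iptables"[[:space:]]*:[[:space:]]*\(true\|false\)/"iptables": false/' "$file"
    else
        sed -i '0,/{/s/{/{\n  "iptables": false,/' "$file"
    fi
}

# iptables_setting FILE: prints the current value of the "iptables" key (empty if unset).
iptables_setting() {
    grep -o '"iptables"[[:space:]]*:[[:space:]]*[a-z]*' "$1" | sed 's/.*:[[:space:]]*//'
}

# docker_rules_present: reads an iptables-save dump on stdin and exits 0 if any
# Docker-managed chain or jump is still there, i.e. Docker is still bypassing the host firewall.
docker_rules_present() {
    grep -Eq '^(:DOCKER|-A DOCKER|-A (PREROUTING|FORWARD|OUTPUT) .*-j DOCKER)'
}

# published_port_target PORT: reads an iptables-save dump on stdin and prints where
# traffic to the published host PORT is DNATed (the container address), if anywhere.
published_port_target() {
    grep -E -- "--dport $1 -j DNAT --to-destination " | sed 's/.*--to-destination //' | head -n 1
}

# Constructed sample: nat table with Docker managing iptables and port 3000 published.
DOCKER_DUMP_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.2:3000
COMMIT'

# Constructed sample: after --iptables=false, with only a hand-added MASQUERADE rule
# for container outbound traffic and ufw's own INPUT hook.
DOCKER_DUMP_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -j ufw-before-input
COMMIT'

# Demo on a scratch file; the real target, /etc/docker/daemon.json, needs root.
demo_dir=$(mktemp -d)
set_iptables_false "$demo_dir/daemon.json"
echo "daemon.json iptables = $(iptables_setting "$demo_dir/daemon.json")"
if printf '%s\n' "$DOCKER_DUMP_BEFORE" | docker_rules_present; then
    echo "before: Docker rules present, host port 3000 -> $(printf '%s\n' "$DOCKER_DUMP_BEFORE" | published_port_target 3000)"
fi
if ! printf '%s\n' "$DOCKER_DUMP_AFTER" | docker_rules_present; then
    echo "after: no Docker-managed rules; ufw's INPUT rules now govern port 3000"
fi
rm -rf "$demo_dir"
```

On a real host, run set_iptables_false against /etc/docker/daemon.json as root, restart Docker, and then pipe the live ruleset through the check with sudo iptables-save | docker_rules_present; a zero exit status after the restart means Docker is still writing rules and the change did not take effect (for example because the wrong configuration file was edited for your init system).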


I learned this information from this StackOverflow answer.