Securing docker setup on Linode? SSL and Proxy?
First time using Linode, I have a single docker node with a few containers running. I want to secure the few containers I want exposed as best I can, so I want to check that I have the right idea.
I have placed a DNS entry as an A record to the node public IP on Cloudflare and I deployed proxy manager on docker and started testing with one of the docker containers. I created the SSL certificate in Nginx Proxy Manager and pointed it to the container. But my question is: should I be using the internal docker address that is assigned? When I use it, the page is secure but I just get a 502. The container has a port of 8008, in which I tried 80 and 8008 in the proxy host section since it is being passed with the http scheme.
Is this the correct method to do this or should I be using something like NodeBalancer? With my method you could still access the docker containers from the public IP, which is not secure, so how would I go about locking that down?
I hope I made enough sense with what I want to do. I hope I'm using the right idea with what I want to do: secure all my containers and not allow access to them with the public:port address.
3 Replies
Are you using CloudFlare proxy as well and/or SSL or just DNS?
Have you enabled Full SSL (end-to-end) (Browser (SSL) -> CloudFlare -> Origin Server (SSL))?
I had some similar problems and signed an Origin SSL that I used on my HAProxy.
I think I would have signed a virtual IP and used it for all the containers, then use Nginx Proxy.
It is also possible to install ZeroTier (LAN over VPN) on the server and your mobile/computer for internal access. Then you could use the ZT IP on docker containers and again use the ZT IP in Nginx Proxy.
I have done the ZT part but on multiple nodes including servers at home. My home server is not exposed to the internet directly because of ZeroTier (no ports open).
For this particular domain, I am just using DNS on Cloudflare just to make sure it's working. I have another domain that I use to selfhost at home that uses proxy (orange cloud), so I'm trying to understand the difference between that and this Linode setup.
I think it's all firewall / security. At home you can assign 0.0.0.0:80:80 because it's the LAN IP address and not your public internet address. You don't have to worry about others accessing it.
On Linode you can assign a private address when you create it. It is possible to assign it afterwards. I think you can use that as an internal address. So you get one public and one private IP address. The private address is only reachable by other nodes on your account in the same location.
You can try to assign `<private ip>:<port>:<port>` on docker (`192.153.171.XX:8080:80`).
Then you can set up the proxy (80,443) to access `192.153.171.XX:8080`.