Linode with NGINX proxy manager exposed on the public network to serve Docker services exposed on the private network.
Hi, I have a Linode server with a public and a private IP; my goal is to serve various services via a domain.
For security purposes (tell me if this is a bad idea) I want to expose on the public IP only port 443 for the reverse proxy and another port for the WireGuard VPN, so that I can access the server via SSH on the private IP.
So overall this is the setup I want to create (and have partially done):
- Services will be Docker containers exposed on the private IP; for example, here is my command to install Portainer:
# Bind Portainer's ports to the private IP only (the Docker socket mount gives the container full control of the host's Docker daemon)
docker run -d \
  -p 192.168.xxx.yyy:8000:8000 \
  -p 192.168.xxx.yyy:9443:9443 \
  --name portainer \
  --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:latest
and by using the WireGuard VPN I can access Portainer at http://192.168.xxx.yyy:9443
On the public IP I expose only port 443 with NGINX proxy manager (as a Docker container, with -p 'public IP:443:443') listening for service1.example.com, service2.example.com, etc., whose destinations are the private IP as shown before in step 1.
As a firewall I've installed UFW and added the lines in /etc/ufw/after.rules as shown in chaifeng/ufw-docker, and I've already allowed 443 for NGINX proxy manager.
So, here come the problems and my doubts. This is my Portainer dashboard, and following the chaifeng/ufw-docker guide I've added the following rule to expose Vaultwarden:
sudo ufw allow from 172.18.0.2 to 172.17.0.3 port 8180
Assuming that I set up my domain correctly to point to my Linode server's public IP and NGINX proxy manager, all I get is 522 connection timed out or sometimes nginx 500 Internal Server Error (meaning that NGINX proxy manager is working and exposed on the Internet). I've tried several variations of the ufw command (for example, using the private 192.168.xxx.yyy IP) and even stopping the UFW service, but with no success (is iptables however still on? Since UFW operates on it).
I have a question, too: is it possible to not expose the services on the server's private IP at all, and access them only after setting up a record in NGINX proxy manager? This would avoid exposing services even on Linode's private network.
Sorry if something (or all of it :D) isn't clear or is messy, but I'm hitting a wall and I don't know how to solve it. Thank you!
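The layout the last question asks about (services reachable only through NGINX Proxy Manager, with nothing bound to the host's private IP), as an added Docker Compose example that is not part of the original post. It assumes a user-defined network named "proxy", services named "npm" and "vaultwarden", a public IP of 203.0.113.10 (a documentation-range placeholder) and the post's own 192.168.xxx.yyy placeholder for the private IP; all of these are assumptions, not values from the post.

```yaml
# Added example, not from the original post.
# Assumed names: network "proxy", services "npm" and "vaultwarden".
# 203.0.113.10 stands in for the Linode public IP; replace 192.168.xxx.yyy
# with the real private IP (the post masks it).
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "203.0.113.10:443:443"      # only TLS is published on the public IP
      - "192.168.xxx.yyy:81:81"     # NPM admin UI: private IP, reachable over WireGuard only
    volumes:
      - npm_data:/data
      - npm_letsencrypt:/etc/letsencrypt
    networks:
      - proxy

  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    # No "ports:" at all: the container has no host binding on the public
    # or the private IP. It is reachable only by other containers on the
    # "proxy" network, i.e. by NPM, which resolves it by service name.
    volumes:
      - vw_data:/data
    networks:
      - proxy

networks:
  proxy:
    driver: bridge

volumes:
  npm_data:
  npm_letsencrypt:
  vw_data:
```

In the NPM admin UI the proxy host for the Vaultwarden hostname then points at scheme http, forward host vaultwarden, port 80 (Vaultwarden's default listening port inside the container). Docker's embedded DNS resolves service names on a user-defined network, so NPM reaches the container without any port being published on the host, and the ufw-docker rules only matter for containers that still publish ports (here, NPM itself). The admin UI on port 81 is plain HTTP, which is why it is bound to the private IP and should be reached only through the WireGuard tunnel.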