this post was submitted on 07 Feb 2025
25 points (96.3% liked)

Selfhosted

52479 readers
1901 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I'm using a docker compose file, and I have everything running just fine, containers talking to each other as needed, NPM reverse proxying everything via a duckdns subdomain... everything's cool.

Problem is, I can still go to, for example, http://192.168.1.30:8080/ and get the services without http.

I've tried commenting out the ports in the compose file, which should make them only available on the internal network, I thought. But when I do that, the containers can no longer connect to each other.

Any advice for me?

Edit:

Thanks for the quick & helpful suggestions!

While investigating bridge networks, I noticed a mention that containers could only find each other on the default container bridge by container name, which I did not know. I had tried 127.0.0.1, localhost, the external IP, hostnames, etc but not container names.

In the end, the solution was just to use container names when telling each container how to find the others. No need for creating bridge networks or any other shenanigans.

Thank you!

top 12 comments
sorted by: hot top controversial new old
[–] schizo@forum.uncomfortable.business 8 points 8 months ago* (last edited 8 months ago)

Change your port definitions so that they're only binding to localhost, like so:

  • "127.0.0.1:8001:8001"

That'll stop access from anywhere but the local host. You'll have to redo your reverse proxy configuration to use 127.0.0.1 instead of whatever you're using now, though.

[–] Scholars_Mate@lemmy.world 4 points 8 months ago

Are you using the default bridge? I have a similar setup (with Traefik instead of NPM), and for each compose file am using separate networks for the internet, proxy, and backend services.

services:
  some_service:
    ...
    networks:
      - frontend_network
      - proxy_network
      - backend_network
  backend_service:
    ...
    networks:
      - backend_network
networks:
  frontend_network:
    driver: "bridge"
  proxy_network:
    driver: "bridge"
    internal: true
  backend_network:
    driver: "bridge"
    internal: true
[–] marsara9@lemmy.world 2 points 8 months ago (1 children)

I've tried commenting out the ports in the compose file, which should make them only available on the internal network, I thought. But when I do that, the containers can no longer connect to each other.

Did you create an explicit network for them to talk on? Otherwise the default docker network doesn't support internal DNS queries.

https://docs.docker.com/engine/network/#container-networks

Specifically you need a network using the bridge driver: https://docs.docker.com/engine/network/drivers/bridge/

[–] robolemmy@lemmy.world 1 points 8 months ago

Thank you! I'll give that a go!

[–] lemonuri@lemmy.ml 1 points 8 months ago* (last edited 8 months ago)

You need to change the nginx config (for the website you will be hosting your services at. /etc/nginx/sites-available/yourdomain.com

You can reroute all http requests to https in that config.

Watch a video on how nginx works and how to set it up, and then look for example nginx configs for your services. It's a pretty standard setting nowadays so the syntax should be easy to find.

I think nginx can be setup to work locally only, but do you even need it for that? It's primary use is to proxy http requests to the different websites running on your server, enable https via letsencryt and so on, I think.

[–] just_another_person@lemmy.world 1 points 8 months ago (1 children)

Don't forward them, close firewall ports, change configs to not listen on those ports, setup redirects to forward all requests on those ports to whichever you want.......lots of options here

[–] robolemmy@lemmy.world 2 points 8 months ago (1 children)

My firewall is closed, nothing is forwarded. This is all on my LAN only. I just don't want the non-https ports available at all, even on the LAN.

[–] vividspecter@lemm.ee 1 points 8 months ago* (last edited 8 months ago)

There's likely a firewall on the system that hosts the docker services, and docker's default bridge rules bypass it when publishing a port. And since the docker rules are prioritised, it can be quite difficult to override them in a reliable way. I personally wish that the default rules would just open a rule to the host, but there might be some complexity that I'm missing that makes that challenging.

I personally use host networking to avoid the whole mess, but be aware you'll have to change the internal ports for a bunch of services most likely, and that's not always well-documented. And using the container name as the host name won't work when referencing other containers, you'll have to use e.g. localhost: even inside the network.

You can do the bind to localhost thing that others have mentioned, as long as the reverse proxy itself is inside the docker network (likely there are workarounds if not).

[–] WhiteOakBayou@lemmy.world 1 points 8 months ago (1 children)

Can you access the http ports from outside your home network?

[–] robolemmy@lemmy.world 1 points 8 months ago (1 children)

Nothing is accessible outside my network. The proxy is local only.

[–] _cryptagion@lemmy.dbzer0.com 0 points 8 months ago

Then it doesn’t really matter, does it? If the traffic is only going over your local network, then the only people who could sniff said traffic would already have pwned your entire network, and using SSL would be pointless anyway.

[–] TheHolm@aussie.zone 0 points 8 months ago

It means you published 8080. Just stop doing it. nginx can reach that container via internal network (assuming they are on same network). Publishing docker-compose would help.