Well if your reverse proxy is also inside of a container, you dont need to expose the port at all. As long as the containers are in the same docker network then they can communicate.
If your reverse proxy is not inside a docker container, then yes this method would work to prevent clients from connecting to a docker container.
Something like this. This is a compose.yml that only allows ips from the local host 8080 to connect to the container port 80.
services:
webapp:
image: nginx:latest
container_name: local_nginx
ports:
- "127.0.0.1:8080:80"
Excuse me have you heard about our lord and savior, NixOS?
Ooo I do love me some Nix modules. Any particular options to look out for in order to configure something like that?
Edit:
It’s programs.chromium.extraOpts isnt it? Lol
Check out Letchworth State park. Its the Grand Canyon of the East!!
Did you allow the containers to talk to eachother with ufw after setting it up?
You can setup wild card certs with a DNS challenge using traefik. No plug-ins needed, works right out the box.
Personally, I quite prefer traefik. Its harder to use than Caddy but offers more features. Also, it uses yaml or docker labels for config. I’m not a fan of the nginx .conf format.
Did you watch ‘I am Legend’? This is exactly what starts the apocalypse lol
Side note, book was waaaayyyyy better
The routers or computers you are using for this have to support forwarding traffic. With Linux this is pretty straight forward for other OSes I’m not sure how easy it is.
You can get around this by having tailscale installed on the default gateway (router) of each network. It might be quite a pain for OP to change routers at each location. On the plus side, OpenWRT has some other cool features like PXE booting.
Im at the compose2nix phase of this pipeline. Ive got a bunch or sevices in Docker compose files and all of my systems have been running Nix for over a year now. Ive gotten the hang of my repo and made a couple modules for my specific uses and im hooked.
What would you suggest to migrate all my compose files into a nix friendly environment? I use flakes as well.
Ahhh interesting video! I appreciate the post. I see the mTLS is more about authenticating who the client is outside the application.
Don’t worry, Im not just exposing thing willy nilly 🤣 For client-side authentication I use Authentik combined with 2FA, Duo, and fail2ban. Authentik provides identity management through LDAP to jellyfin and any sign in request goes to MFA and you get a Duo notification to approve. You can do other MFA, i just havent set it up.
Ive got a lot of family who use my server. Asking them to install a TSL cert on every machine would be impossible. My method also monitors all sign in requests. Setting up Authentik was a hugggeee game changer for me.
Well ya know this is a forum and I was trying to engage in a friendly conversation to learn about something you brought up.
But yeah I know how to fucking Google lol
Oooo ya know I actually don’t know about these. I’ve done both A and B for my homelab and C for work.
Any good resources / insight into mTLS? I appreciate the response btw!
Ya got three options.
Option A is to create your own certificate that is self-signed. You will then have to load the certificate into any client you want to use. Easier than people realize, just a couple terminal commands. Give this a go if you want to learn how they work.
Option B is to generate a certificate with Let’s Encrypt via an application like certbot. I suggest you use a DNS challenge to create a wildcard certificate.
Option C is to buy a certificate from your DNS provider aka something like cloudflare.
IMO the best is Option B. Takes a bit to figure it out but its free and rotates automatically which I like.
I like helping and fixing stuff, if you’d like to know anything just ask :D
I wish I had setup an identity management system sooner. Been self-hosting for years and about a year ago took the full plunge into setting up all my services behind Authentik. Its a game changer not having to deal with all the usernames and passwords.
In a similar vein, before Authentik, I used Vaultwarden to manage all my credentials. That was also a huge game changer with my significant other. Being able to have them setup their own account and then share credentials as an organization is super handy.
Thats just how IPv6 works. You get a delegate address from your ISP for your router and then any device within that gets it own unique address. Considering how large the pool is, all address are unique. No NAT means no port forwarding needed!
Lol naw TOW missile just looks like a gray puff when it blows up. Not as exciting unless the thing you’re hitting is full of fuel and ammo. Then the boom is what you think it would look like (fire ball and all that).
Pink mist is for snipers. You’re so zoomed in from the scope you can actually see the splat and it looks like a pink mist. You can also achieve the same effect with large caliber weapons like a 25mm cannon. Interestingly enough, the Barrett .50 cal sniper that everyone knows is classified as a SASR, Special Application Scoped Rifle. Its not meant for people, its an “anti-material” weapon. You’re only supposed to use it to shoot out engine blocks.
Its not copper either. The meth heads outside the military bases knew to leave TOW wire as recycling places wont take it. I was a TOW gunner and had to reel in miles of that shit when we finished a training range.
Its absolutely a metal of some sort, but it’s super strong. If it wrapped around your boot and you yanked to it to get it off, it would cut straight through your boot. Insanely strong but you could still snip it with scissors. Wild shit.
Hurting people is wrong and should be avoided at all costs. Nothing cool about that.
But when a tank is also full of fuel and ammo, the boom is much bigger lol
I got lucky and shot around 15 to 20 for training. I lost track after 10. Some missilemen never get the chance to shoot one.
Interestingly, I had that kill zone question asked to me by another higher up (different job) and it took me a long time to come to a conclusion. The kill radius is actually not defined in the manuals. There are zones for the shooter to ensure you don’t get hit with back blast, but usually it’s assumed that the vehicle you hit will be destroyed.
Edit:
To explain further, the missile doesn’t hit the target. It flys above it and uses the munroe effect to cause an implosion (not an explosion) that makes the vehicle explode from the inside out. First munroe charge punches a hole into the vehicle, second charge gets sucked in and blow it up from inside. YouTube munroe effect to see how that shape charge works.
Course, feel free to DM if you have questions.
This is a common setup. Have a firewall block all traffic. Use docker to punch a hole through the firewall and expose only 443 to the reverse proxy. Now any container can be routed through the reverse proxy as long as the container is on the same docker network.
If you define no network, the containers are put into a default bridge network, use docker inspect to see the container ips.
Here is an example of how to define a custom docker network called “proxy_net” and statically set each container ip.
networks: proxy_net: driver: bridge ipam: config: - subnet: 172.28.0.0/16 services: app1: image: nginx:latest container_name: app1 networks: proxy_net: ipv4_address: 172.28.0.10 ports: - "8080:80" whoami: image: containous/whoami:latest container_name: whoami networks: proxy_net: ipv4_address: 172.28.0.11Notice how “who am I” is not exposed at all. The nginx container can now serve the whoami container with the proper config, pointing at 172.28.0.11.