SelfhostedPro / Yacht

A web interface for managing docker containers with an emphasis on templating to provide 1 click deployments. Think of it like a decentralized app store for servers that anyone can make packages for.
MIT License

Container to host port mapping using 127.0.0.1:[host port] does not work correctly #634

Closed thinkbig1979 closed 4 weeks ago

thinkbig1979 commented 9 months ago

A convenient way of preventing containers on a VPS from being unnecessarily exposed to the internet due to Docker's iptables rules bypassing the system firewall is that you can map the container port to 127.0.0.1:[host port] rather than just giving Docker a host port number. The latter leads to it being mapped to 0.0.0.0:[host port], which is then exposed to the internet.

However, in Yacht, this does not seem to work correctly. E.g. adding 127.0.0.1:8083 in the host port field results in the container being mapped to 32769 for some reason. See screenshots below.

Entering the port: [screenshot]

The resulting container running on the wrong port, and still exposed to the internet: [screenshot]

wickedyoda commented 9 months ago

You can't use 127.0.0.1

Because generally 127.0.0.1 refers to the Windows loopback pointing back to the Windows system, not Docker.

However, when you put that in Docker, and a container, the container is running a mini OS inside itself. So technically, if the container has 127.0.0.1, then it points to itself, but if you use it then it's pointing back to the Windows host. You have to remember to treat Docker containers like they are other mini VMs on another network. Because they kinda are....

thinkbig1979 commented 9 months ago

Yes and no....

127.0.0.1 is indeed the IP address of the host's loopback interface, which is not exposed to the outside world. 0.0.0.0 is the host's IP address for ALL network interfaces, including whatever interface is exposed to the outside world.

When mapping ports from container to host, if you only provide a port number, then Docker automatically maps the container's port to that port on the host's 0.0.0.0 interface, meaning that your container port is directly exposed on all other interfaces, and therefore also to the outside world. This is a security concern.

However, it is possible with Docker to map a container port to the host's loopback address only, by prepending the host port number with 127.0.0.1. This way the container's port is still available to anything on the host system, but is not exposed to the outside world.

It may not be best practice, but it is a nifty way of keeping your services available on localhost, so you can easily access them from other services on that machine, while not exposing them to the internet.

Also, it's worth pointing out that this already works in Docker CLI, Docker Compose and Portainer.
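The loopback-only binding described in the comment above, and a small audit script that flags containers whose published ports are bound to all interfaces. This is an added example, not code from Yacht or from anyone in this thread. The `docker run` and Compose lines are shown in comments for reference only; the script itself runs offline against a constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output (the container names, ports and addresses in that sample are made up), so no Docker daemon is needed to run it.

```shell
#!/bin/sh
# Added example (not from the Yacht project or this issue thread).
# Docker CLI / Compose syntax the comment describes (shown, not executed here):
#   docker run -d -p 8083:8083 some/image            # host bind 0.0.0.0:8083 and [::]:8083 -> reachable from outside
#   docker run -d -p 127.0.0.1:8083:8083 some/image  # host bind 127.0.0.1:8083 only -> loopback only
#   Compose equivalent:  ports: ["127.0.0.1:8083:8083"]

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Names/ports are assumptions for illustration; the column format is Docker's.
SAMPLE_PS="$(printf 'calibre-web\t0.0.0.0:32769->8083/tcp, :::32769->8083/tcp\nnextcloud\t127.0.0.1:8080->80/tcp\nredis\t6379/tcp\n')"

# classify_ports PS_OUTPUT
# Prints one line per published port:
#   <container> <host-addr> <host-port> <container-port/proto> <EXPOSED|LOCAL>
# A host address of 0.0.0.0 or :: means "all interfaces" and is flagged EXPOSED.
# Entries without "->" are merely EXPOSE'd inside the container, not published.
classify_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            if (maps[i] !~ /->/) continue
            split(maps[i], parts, "->")
            hostside = parts[1]
            port = hostside; sub(/.*:/, "", port)
            addr = hostside; sub(/:[0-9]+$/, "", addr)
            verdict = (addr == "0.0.0.0" || addr == "::") ? "EXPOSED" : "LOCAL"
            print $1, addr, port, parts[2], verdict
        }
    }'
}

# audit_exposed PS_OUTPUT
# Returns 0 when every published port is bound to a specific address
# (e.g. 127.0.0.1), 1 when any container publishes on all interfaces.
audit_exposed() {
    if classify_ports "$1" | grep -q 'EXPOSED$'; then
        return 1
    fi
    return 0
}

# Stand-alone demo against the constructed sample.
classify_ports "$SAMPLE_PS"
if audit_exposed "$SAMPLE_PS"; then
    echo "OK: no container published on all interfaces"
else
    echo "WARNING: at least one container is reachable on all interfaces (check the firewall bypass)"
fi
```

On a real host, feed live data instead of the sample: `classify_ports "$(docker ps --format '{{.Names}}\t{{.Ports}}')"`. Note that a container listed as `0.0.0.0:...` and `:::...` is the normal result of `-p 8083:8083`, which is exactly the case the comment warns about; the fix is the `127.0.0.1:` prefix on the host side, not a change inside the container.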

4val0v commented 4 months ago

Similar problem, used to use this solution before: https://stackoverflow.com/a/46220742 But with Yacht it cannot be done (