adi90x / rancher-active-proxy

All in one active reverse proxy for Rancher ! For Kubernetes : https://github.com/adi90x/kube-active-proxy
MIT License

Advice needed: How to secure rancher driven application itself so that it can ONLY be accessed thru rap? #43

Open hanselke opened 6 years ago

hanselke commented 6 years ago

So this is more of a Rancher question, but I wish to restrict access to all applications which currently have domain names driven by rap so that it only ever goes thru the nginx-proxy.

Purpose is to be able to install nginx-lua into rap, so that I'm able to run lua scripts against every connection.

How would this be accomplished?

I was thinking that we do not define any ports at all for all applications within the application config. This is probably the easiest way to stop rancher from opening those public ports.

Then make rap.port mandatory so that rap will always know which ports are needed, and have rancher active proxy make a docker --link with every container that needs to be proxied?

adi90x commented 6 years ago

If there is no external mapped port for containers, they will only be accessible via RAP, no?

hanselke commented 6 years ago

I don't think so. When there is no external port for the container, I think RAP just doesn't do anything.

hansel


adi90x commented 6 years ago

No external port for RAP containers or the others? As the main goal of RAP is to route traffic from one input port (80/http most of the time) to several containers not exposing a port on the outside of Rancher, let's say you have RAP exposing and listening on port 80 of the host; then you can have an unlimited number of web containers exposing 80 but not listening on a host port, and RAP will route input traffic based on hostname. Is it clearer?

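A check for the setup discussed in this thread, added here as an example and not code from the project or from either participant: it flags services that are routed by RAP (any `rap.*` label) but also publish a host port, which would make them reachable without going through the proxy. The service map, image names, hostnames and the `rap.host` label are constructed assumptions; only `rap.port` appears in the thread.

```python
import json

# Constructed sample: a compose-style service map (not taken from the thread).
SAMPLE = json.loads("""
{
  "rap":  {"image": "adi90x/rancher-active-proxy", "ports": ["80:80", "443:443"]},
  "blog": {"image": "example/blog",
           "labels": {"rap.host": "blog.example.test", "rap.port": "8080"}},
  "api":  {"image": "example/api",
           "labels": ["rap.host=api.example.test", "rap.port=3000"],
           "ports": ["3000:3000"]},
  "db":   {"image": "example/db", "expose": ["5432"]}
}
""")

def labels_of(service):
    """Normalise compose labels (mapping or list of KEY=VALUE) to a dict."""
    raw = service.get("labels") or {}
    if isinstance(raw, dict):
        return {str(k): str(v) for k, v in raw.items()}
    return dict(item.split("=", 1) if "=" in item else (item, "") for item in raw)

def published_ports(service):
    """Return the entries under 'ports'; each one binds a port on the host.
    'expose' is ignored because it only opens the port to other containers."""
    return [str(p) for p in service.get("ports") or []]

def audit(services):
    """List proxied services (any rap.* label) that also publish a host port."""
    findings = []
    for name, svc in sorted(services.items()):
        proxied = any(key.startswith("rap.") for key in labels_of(svc))
        ports = published_ports(svc)
        if proxied and ports:
            findings.append((name, ports))
    return findings

if __name__ == "__main__":
    for name, ports in audit(SAMPLE):
        print(f"{name}: reachable without the proxy via host ports {ports}")
```

The proxy service itself is expected to publish 80/443 and carries no `rap.*` label, so it is not reported.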