chaifeng / ufw-docker

To fix the Docker and UFW security flaw without disabling iptables
GNU General Public License v3.0
4.59k stars 386 forks

Docker compose "expose"-ports breaking when UFW enabled #84

Open BE-CH opened 2 years ago

BE-CH commented 2 years ago

Hi!

I have had massive issues with getting UFW and docker to play together! Finally, I almost got it working with the use of the described solution in this repo.

I am now successfully able to allow or deny ports with ufw.

My problem is, when I enable UFW and start my docker-compose files that have services using expose: and running on the same docker network, the docker containers (on the same network) are no longer able to reach each other.

The docker network custom_external_network is in bridge mode.

It's basically container-to-container communication that breaks when UFW is enabled.

In the example below, with UFW enabled, the api service can't connect to the database, even though they are on the same docker network.

# docker-compose.yml
version: '3.9'

services:
  api:
    container_name: api
    image: image_url
    # expose only opens the port on the container network; nothing is published on the host
    expose:
      - '3001'
    env_file: api/.env
    volumes:
      - ./api/userAttachments:/app/userAttachments
    restart: always
    networks:
      - custom_external_network
    depends_on:
      - database
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api-router.entrypoints=web,websecure'
      - 'traefik.http.routers.api-router.rule=Host(`api.localhost`)'

  database:
    container_name: database
    image: mongo:5-focal
    expose:
      - '27017'
    volumes:
      - database_volume:/data/db
    env_file: .env.database
    # deploy.mode applies to Swarm services only; plain docker-compose ignores it
    deploy:
      mode: global
    networks:
      - custom_external_network

networks:
  custom_external_network:
    external: true
volumes:
  database_volume:

Does anyone have an idea what I should do?
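The question in the post above is whether the rules ufw-docker installs are what is dropping the api-to-database traffic. The following is an added example, not code from the ufw-docker project or from anyone in this thread: it parses the `DOCKER-USER` / `ufw-docker-logging-deny` / `ufw-user-forward` rules in iptables-save syntax and traces a few packets through them. The rule text is the block that ufw-docker's README tells you to add to `/etc/ufw/after.rules`, reproduced from memory, so treat it as an assumption and paste in the output of `iptables-save -t filter | grep -E 'DOCKER-USER|ufw-docker|ufw-user-forward'` from your own host if it differs. The container addresses (172.18.0.2 for api, 172.18.0.3 for database), the external client 203.0.113.5 and the `ufw-user-forward` ACCEPT rule (roughly what `ufw route allow proto tcp from any to 172.18.0.2 port 3001` produces) are constructed for the example.

```python
"""Trace packets through the DOCKER-USER chain that ufw-docker installs.

Added example, not code from the ufw-docker project or from this issue.
RULES is the after.rules block from the ufw-docker README, reproduced from
memory (assumption); replace it with your own `iptables-save` output to check
a real host. Addresses and the ufw-user-forward ACCEPT rule are constructed.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

RULES = """
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
-A ufw-user-forward -d 172.18.0.2/32 -p tcp -m tcp --dport 3001 -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True for a bare SYN, i.e. the first packet of a new TCP connection


@dataclass
class Rule:
    text: str
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None
    syn_only: bool = False


def parse_rules(text: str) -> dict:
    """Parse `-A CHAIN ...` lines into {chain: [Rule, ...]} in rule order."""
    chains: dict = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule, chain, i = Rule(text=line.strip()), None, 0
        while i < len(tok):
            t = tok[i]
            if t == "-A":
                chain = tok[i + 1]; i += 2
            elif t in ("-s", "-d"):
                setattr(rule, "src" if t == "-s" else "dst",
                        ipaddress.ip_network(tok[i + 1], strict=False)); i += 2
            elif t == "-p":
                rule.proto = tok[i + 1]; i += 2
            elif t in ("--sport", "--dport"):
                lo, _, hi = tok[i + 1].partition(":")
                setattr(rule, t[2:], (int(lo), int(hi or lo))); i += 2
            elif t == "--tcp-flags":
                # "FIN,SYN,RST,ACK SYN": of the examined flags only SYN is set -> new connection
                rule.syn_only = tok[i + 2] == "SYN"; i += 3
            elif t == "-j":
                rule.target = tok[i + 1]; i += 2
            elif t in ("-m", "--limit", "--limit-burst", "--log-prefix"):
                i += 2  # match-module names and rate/log options do not change the verdict
            else:
                i += 1
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(r: Rule, p: Packet) -> bool:
    if r.src and ipaddress.ip_address(p.src) not in r.src:
        return False
    if r.dst and ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.proto and r.proto != p.proto:
        return False
    if r.sport and not r.sport[0] <= p.sport <= r.sport[1]:
        return False
    if r.dport and not r.dport[0] <= p.dport <= r.dport[1]:
        return False
    return not r.syn_only or p.syn


def verdict(chains: dict, chain: str, p: Packet) -> Tuple[str, str]:
    """Walk `chain` for packet `p`; returns (verdict, rule that decided it).

    'RETURN' out of DOCKER-USER means ufw-docker did not decide anything and the
    packet goes on to Docker's own FORWARD rules (established flows, published
    ports, traffic between containers on the same bridge)."""
    for r in chains.get(chain, []):
        if not matches(r, p):
            continue
        if r.target in TERMINAL or r.target == "RETURN":
            return r.target, r.text
        if r.target in chains:                      # jump into a user-defined chain
            v, why = verdict(chains, r.target, p)
            if v in TERMINAL:
                return v, why
        # LOG (non-terminating) or a sub-chain that returned: continue with the next rule
    return "RETURN", f"fell off the end of {chain}"


def trace(p: Packet, rules: str = RULES) -> Tuple[str, str]:
    return verdict(parse_rules(rules), "DOCKER-USER", p)


# Constructed sample traffic for the compose setup in this issue.
CASES = {
    "api -> database :27017 (same bridge)":      Packet("172.18.0.2", "172.18.0.3", "tcp", 51000, 27017, syn=True),
    "internet -> database :27017 (unpublished)": Packet("203.0.113.5", "172.18.0.3", "tcp", 51000, 27017, syn=True),
    "internet -> api :3001 (ufw route allow)":   Packet("203.0.113.5", "172.18.0.2", "tcp", 51000, 3001, syn=True),
    "internet -> database :27017 (ACK, no SYN)": Packet("203.0.113.5", "172.18.0.3", "tcp", 51000, 27017),
    "DNS reply -> api":                          Packet("8.8.8.8", "172.18.0.2", "udp", 53, 40000),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        v, why = trace(pkt)
        print(f"{name:44} {v:7} via: {why}")
```

With the README rules, the api-to-database SYN is returned to Docker by the `-s 172.16.0.0/12` rule before any deny rule is reached, while the same port hit from outside is logged and dropped, and a published port only passes because of the `ufw-user-forward` ACCEPT. If the trace says RETURN for the container-to-container case but the real connection still fails, ufw-docker's rules are probably not the culprit: check that the subnet of `custom_external_network` (`docker network inspect custom_external_network`) really falls inside one of the three RFC 1918 ranges those RETURN rules cover, and look in the kernel log (`dmesg` / `journalctl -k`) for the `[UFW DOCKER BLOCK]` prefix, which only appears when a packet actually reached the deny chain.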

bartoll commented 1 year ago

Have you found any solution for this problem?

BE-CH commented 1 year ago

> Have you found any solution for this problem?

Sadly not - I ended up disabling UFW and just using Docker to only expose the ports to the host machine that were necessary.

DavidCodesDev commented 3 months ago

I am having the same problem. I noticed that whenever I use ufw-docker, the SSL certificate fetching from traefik doesn't work anymore.

Please help, anyone.