0

I have a docker webapp running, port mapped to a machine running an nginx server, and fail2ban to do rate limiting.

Unfortunately, when viewing netstat, docker looks like it's using all internal IPs (things like localhost:59719), rather than exposing requests through the external IP, so the nginx and fail2ban rate limits have no effect.

Has anyone found a way around this?

dessalines
  • 101
  • 1

1 Answer

0

One way to rate limit on source IP is to not use NATs or proxies. Possibly overly simplistic, as sometimes a proxy is necessary for an application; there are more ways of doing container networking.

A statically addressed IPv6 configuration I modified slightly from Michael Stapelberg's blog: Add to /etc/docker/daemon.json

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:13b:330::/64"
}

Create networks and statically addressed containers.

# user-defined network carrying the IPv6 prefix configured in daemon.json
docker network create --subnet 2001:db8:13b:330::/64 --ipv6 nginx

# container gets a fixed IPv6 address on that network;
# IPv4 port 80 is published on the host's address
docker run \
  --network nginx \
  --ip6 2001:db8:13b:330:ff::80 \
  --publish 203.0.113.1:80:80 \
  nginx

John Mahowald
  • 32,050
  • 2
  • 19
  • 34
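As an added check, not part of the question or the answer above: the script below scans nginx access-log lines and reports how many entries carry a loopback, RFC 1918, link-local or IPv6 ULA remote address, which is what the NATed setup in the question produces, so a fail2ban jail reading such a log never sees a client address it could usefully act on. The sample log lines and the address ranges are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable

# nginx "combined" format: the remote address is the first field.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Addresses that can only be a NAT/proxy artefact, never a real client:
NAT_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",                          # loopback (docker-proxy on the host)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 (docker bridge networks)
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 unique local addresses
)]

# Constructed sample: three NATed entries, two routable clients, one junk line.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 401 12
172.17.0.1 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 401 12
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512
::1 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 12
2001:db8:13b:330:abcd::1 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512
not a log line
"""


def is_masked(addr: str) -> bool:
    """True if the address is loopback/private/link-local, i.e. a NAT artefact."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable remote address: not a usable source either
    return any(ip in net for net in NAT_RANGES)


def audit_sources(lines: Iterable[str]) -> dict:
    """Classify each log entry as routable client, masked (NATed) source, or unparsed."""
    result = {"routable": 0, "masked": 0, "unparsed": 0, "masked_addrs": set()}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            result["unparsed"] += 1
            continue
        addr = m.group("addr")
        if is_masked(addr):
            result["masked"] += 1
            result["masked_addrs"].add(addr)
        else:
            result["routable"] += 1
    return result


if __name__ == "__main__":
    print(audit_sources(SAMPLE_LOG.splitlines()))
```

If the masked count dominates, the container or fail2ban is reading a log written behind NAT and the ban logic needs the routable address, as the answer's non-NAT IPv6 layout provides.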