
I am using the nginx-proxy image (https://github.com/jwilder/nginx-proxy) to automatically configure nginx proxy in front of my services. The corresponding nginx-proxy container is running in the nginx-proxy network:

```
docker network create nginx-proxy
docker run -d -p 80:80 --network nginx-proxy -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
```

Now I have several containers which need to be proxied by nginx. To make this work, I need to attach all services to the nginx-proxy network. This is required for nginx-proxy to access the containers.

But now, all containers can communicate with each other via this nginx-proxy network. This is not desired and possibly unsafe. This breaks the principle of isolation.

Is there a way to prevent this?

mohan08p
John Somen
  • Have you tried to use [multiple networks](https://github.com/jwilder/nginx-proxy#multiple-networks)? – tgogos Feb 05 '18 at 11:57
  • @tgogos I am not really sure how this solves my question. If I have two services and both do `docker network connect nginx-proxy`, I believe they still can communicate with each other via `nginx-proxy` as they both have `nginx-proxy` network in common? – John Somen Feb 05 '18 at 12:47
  • From what I understand by reading that section, you have to create different networks for the services that must be isolated, not only one. You `run` the `nginx-proxy` container and then use `docker network connect` to attach to these networks. – tgogos Feb 05 '18 at 13:00
  • Yes, I understood it as follows. You end up with three networks: `network for service 1`, `network for service 2` and `network for nginx-proxy`. Then you connect `network for service 1` with `network for nginx-proxy` and `network for service 2` with `network for nginx-proxy`. With this construction `network for service 1` can communicate with `network for service 2` (and vice versa) via `network for nginx-proxy`? – John Somen Feb 05 '18 at 13:04
  • I see your point, yes they can access each other. How: I've created `net-1` and `net-2`, run the `nginx-proxy` with `--network=net-1` and then attach it also to `net-2` manually. `service-1` and `service-2` **do not have direct** access because they are in different networks/subnets. But, if the requests are sent to the `nginx-proxy` with the correct `host` setting, **they can communicate**. – tgogos Feb 06 '18 at 08:58
  • I will try this out and keep you updated. Thank you @tgogos. – John Somen Feb 06 '18 at 16:19
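
The following is an added example, not part of the original question or comments: a check for the two layouts discussed above (one shared `nginx-proxy` network versus one network per service), run over constructed data shaped like `docker network inspect` output. It assumes the proxy container is named `nginx-proxy`; the container IDs and the function names are hypothetical.

```python
import json
from itertools import combinations

PROXY = "nginx-proxy"  # assumption: proxy container started with --name nginx-proxy

# Constructed samples shaped like `docker network inspect <net>...` output
# (only the fields used below; container IDs are made up).
SHARED = json.loads("""[
 {"Name": "nginx-proxy", "Containers": {
   "a1": {"Name": "nginx-proxy"}, "b1": {"Name": "service-1"}, "c1": {"Name": "service-2"}}}
]""")
ISOLATED = json.loads("""[
 {"Name": "net-1", "Containers": {"a1": {"Name": "nginx-proxy"}, "b1": {"Name": "service-1"}}},
 {"Name": "net-2", "Containers": {"a1": {"Name": "nginx-proxy"}, "c1": {"Name": "service-2"}}}
]""")

def members(net):
    """Container names attached to one inspected network."""
    return {c["Name"] for c in (net.get("Containers") or {}).values()}

def direct_peers(networks, proxy=PROXY):
    """Map each pair of non-proxy containers to the networks they share."""
    shared = {}
    for net in networks:
        for pair in combinations(sorted(members(net) - {proxy}), 2):
            shared.setdefault(pair, []).append(net["Name"])
    return shared

def proxied_services(networks, proxy=PROXY):
    """Services the proxy can reach; anything that can reach the proxy can
    still request these by Host header, as the last technical comment notes."""
    reachable = set()
    for net in networks:
        if proxy in members(net):
            reachable |= members(net) - {proxy}
    return sorted(reachable)

if __name__ == "__main__":
    for label, nets in (("shared", SHARED), ("isolated", ISOLATED)):
        print(label, "direct:", direct_peers(nets), "via proxy:", proxied_services(nets))
```

An empty result from `direct_peers` means no two services share a network directly; `proxied_services` lists what remains reachable through the proxy in either layout.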
