I am running a Checkmk container alongside a Cloudflared Tunnel container in a docker-compose on my WSL. As of now the tunnel is configured to point from my subdomain to the Checkmk container and makes it available to the outside world.
Only problem is that the Cloudflared container itself not only has access to the Checkmk container but also to the whole network of my host machine.
This is technically not a big problem because I can set the access of the tunnel to the Checkmk container only, but I don't really want anyone who gained access to my Tunnel settings to just type in the host name of my smarthome server or my router and gain access to the GUI that way, because as of right now that is possible.
Can someone please tell me how I set up the Cloudflared container so that it can only see the Checkmk container and the IP of my gateway, as if nothing else is there? Can I set a Docker network up that is isolated from the host but not from the host's internet gateway? Or do I need to configure the firewall of the host system in a special way?
Thank you, Bims
version: '3.1'
services:
  cmk:
    image: checkmk/check-mk-raw:2.0.0-latest
    tmpfs:
      - /opt/omd/sites/cmk/tmp:uid=1000,gid=1000
    ulimits:
      nofile: 1024
    container_name: checkmk
    restart: unless-stopped
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      - './omd-sites:/omd/sites'
    ports:
      - '8095:5000'
      - '6557:6557'
  cloudflared:
    image: "cloudflare/cloudflared:latest"
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=[redacted]
    restart: unless-stopped
    depends_on:
      - cmk
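One way to get the "only Checkmk and the internet" behaviour asked about above is to leave Docker networking as it is and filter at the host firewall, which is what Docker's DOCKER-USER chain exists for. This is an added example, not code from the original post; it assumes the compose file puts cloudflared on a user-defined bridge with a fixed address (hypothetical values: network cf_net, subnet 172.28.0.0/24, cloudflared at 172.28.0.10 via ipam.config and ipv4_address) and that the Docker Engine runs in the same WSL distro where the script is executed (Docker Desktop's engine lives in its own VM, where these rules would not apply).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Restricts what the cloudflared
# container can reach by filtering at the Docker host's firewall instead of
# relying on the tunnel settings alone. Assumed layout (hypothetical): a
# user-defined bridge "cf_net" with subnet 172.28.0.0/24 shared by cloudflared
# and checkmk, cloudflared pinned to 172.28.0.10 with ipv4_address. Traffic
# leaving a bridge passes Docker's DOCKER-USER chain, which Docker creates but
# never flushes, so rules placed there survive container restarts (re-run the
# script after a reboot of the host).
set -euo pipefail

CF_IP="${CF_IP:-172.28.0.10}"           # cloudflared's fixed container address
CF_SUBNET="${CF_SUBNET:-172.28.0.0/24}" # the bridge it shares with checkmk

# Emit the match specs, one per line, in the order they must sit at the top of
# DOCKER-USER. Only cloudflared's own address is matched, so the checkmk
# container keeps its ability to poll hosts on the LAN.
docker_user_rules() {
  local ip="$1" subnet="$2"
  # 1. replies to connections initiated from outside (published ports) stay allowed
  echo "-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
  # 2. cloudflared may still talk to checkmk on the shared bridge
  echo "-s $ip -d $subnet -j RETURN"
  # 3. the private ranges (router, smarthome server, WSL host) are unreachable
  #    for cloudflared; anything else (the Cloudflare edge) falls through to
  #    the RETURN rule Docker keeps at the end of DOCKER-USER
  for lan in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    echo "-s $ip -d $lan -j DROP"
  done
}

# Insert at positions 1..n so the rules precede Docker's own RETURN rule
# (appending would put them after it, where they are never evaluated).
apply_rules() {
  local n=1 rule
  docker_user_rules "$@" | while read -r rule; do
    # shellcheck disable=SC2086  # the rule line is meant to be word-split
    iptables -I DOCKER-USER "$n" $rule
    n=$((n + 1))
  done
}

# Without arguments only print the rules for review; "apply" installs them
# (needs root). Verify with: iptables -L DOCKER-USER -n -v --line-numbers
if [ "${1:-}" = apply ]; then
  apply_rules "$CF_IP" "$CF_SUBNET"
else
  docker_user_rules "$CF_IP" "$CF_SUBNET"
fi
```

Test it from inside the cloudflared container afterwards: a connection attempt to the router's address should time out while the tunnel stays connected.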