What is the best way to restrict internet access to a single docker container while still forwarding ports?
My current way of doing this works like this:
sudo docker network create --internal --subnet 10.1.1.0/24 no-internet
sudo docker run --name gitlab -d -p 80:80 -p 822:22 --restart always gitlab/gitlab-ce
sudo docker network connect no-internet gitlab
sudo docker network disconnect bridge gitlab
The problem is that if I restart the system the ports are not forwarded anymore:
sudo docker ps
before reboot:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2d2a062744ec gitlab/gitlab-ce "/assets/wrapper" 13 seconds ago Up 13 seconds (health: starting) 0.0.0.0:80->80/tcp, 443/tcp, 0.0.0.0:822->22/tcp gitlab
sudo docker ps
after reboot:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2d2a062744ec gitlab/gitlab-ce "/assets/wrapper" 12 minutes ago Up 2 minutes (healthy) gitlab
It should have internet access because it's on a custom network. Use --network common2 to make the container use the common2 network. The container cannot reach the internet on the common2 network. If it is started with --network host, then it will have access…
There are HTTPS-based VPNs that you can use. Otherwise, you cannot as classic VPNs use IP protocols that are not supported by (routable to) containers. In most cases, you will need to connect to the container host and then execute a command in the host that connects to the container.
So if I understand your scenario correctly, you would like to avoid sharing your host's network to your gitlab container to make sure gitlab cannot connect to the internet. At the same time you wish to share the host's network to bind a container port to your host system. It doesn't work that way, but the following might be an acceptable workaround for you: docker containers sharing the same internal network can connect to exposed/published ports of other containers on the same network.
You could follow this approach:
I quickly put this example together, hope that gets you started:
docker network create --internal --subnet 10.1.1.0/24 no-internet
docker network create internet
docker-compose.yml
:
version: '2'
services:
whoami:
image: jwilder/whoami
container_name: whoami
networks:
- no-internet
proxy:
image: nginx:1.13-alpine
container_name: proxy
networks:
- internet
- no-internet
volumes:
- ./vhost.conf:/etc/nginx/conf.d/default.conf
ports:
- "80:80"
networks:
internet:
external:
name: internet
no-internet:
external:
name: no-internet
vhost.conf
:
upstream whoami {
server whoami:8000;
}
server {
server_name localhost;
listen 80;
location / {
proxy_pass http://whoami;
}
}
Please note the above mentioned internet
network is actually not needed, as a docker container shares the host network by default anyway. It's just there to make things clearer.
In the example depicted above, open http://localhost/
and you will see the response of the whoami
container, the whoami
container itself however can't connect to the internet.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With