Well if your reverse proxy is also inside of a container, you dont need to expose the port at all. As long as the containers are in the same docker network then they can communicate.
If your reverse proxy is not inside a docker container, then yes this method would work to prevent clients from connecting to a docker container.
Something like this. This is a compose.yml that only allows ips from the local host 8080 to connect to the container port 80.
services:
webapp:
image: nginx:latest
container_name: local_nginx
ports:
- "127.0.0.1:8080:80"
Ooo I do love me some Nix modules. Any particular options to look out for in order to configure something like that?
Edit:
It's programs.chromium.extraOpts isnt it? Lol
Hmm these are some pretty cool features I'd be interested in. I currently use Voyager for lemmy and quite like the layout. Does Piefed have any good mobile clients? Is there something you'd recommend?
You can setup wild card certs with a DNS challenge using traefik. No plug-ins needed, works right out the box.
Personally, I quite prefer traefik. Its harder to use than Caddy but offers more features. Also, it uses yaml or docker labels for config. I'm not a fan of the nginx .conf format.
Did you watch 'I am Legend'? This is exactly what starts the apocalypse lol
Side note, book was waaaayyyyy better
The routers or computers you are using for this have to support forwarding traffic. With Linux this is pretty straight forward for other OSes I'm not sure how easy it is.
You can get around this by having tailscale installed on the default gateway (router) of each network. It might be quite a pain for OP to change routers at each location. On the plus side, OpenWRT has some other cool features like PXE booting.
Ahhh interesting video! I appreciate the post. I see the mTLS is more about authenticating who the client is outside the application.
Don't worry, Im not just exposing thing willy nilly 🤣 For client-side authentication I use Authentik combined with 2FA, Duo, and fail2ban. Authentik provides identity management through LDAP to jellyfin and any sign in request goes to MFA and you get a Duo notification to approve. You can do other MFA, i just havent set it up.
Ive got a lot of family who use my server. Asking them to install a TSL cert on every machine would be impossible. My method also monitors all sign in requests. Setting up Authentik was a hugggeee game changer for me.
Well ya know this is a forum and I was trying to engage in a friendly conversation to learn about something you brought up.
But yeah I know how to fucking Google lol
Oooo ya know I actually don't know about these. I've done both A and B for my homelab and C for work.
Any good resources / insight into mTLS? I appreciate the response btw!
Course, feel free to DM if you have questions.
This is a common setup. Have a firewall block all traffic. Use docker to punch a hole through the firewall and expose only 443 to the reverse proxy. Now any container can be routed through the reverse proxy as long as the container is on the same docker network.
If you define no network, the containers are put into a default bridge network, use docker inspect to see the container ips.
Here is an example of how to define a custom docker network called "proxy_net" and statically set each container ip.
Notice how "who am I" is not exposed at all. The nginx container can now serve the whoami container with the proper config, pointing at 172.28.0.11.