6

We have a docker bridge containing several docker containers. The main docker is an nginx server which acts as web host and forwards all data to the other containers.

Now a requirement is that the connections are limited to only a specified list of IP addresses. To do this I've edited the nginx server file:

    server {
        allow 127.0.0.0/8;
        deny all;
        ...
    }

Which should allow the loopback 127.0.0.1 to connect.

This, however, fails, and looking at the access.log shows why: all rows start with:

    172.25.0.1 - - [10/Apr/2018:08:22:46 +0000] "GET

172.25.0.1 is the docker bridge network gateway; thus the docker "forgets" the external IPs and I can't filter on that anymore.

How can I filter on IPs? Or forward the source IPs to the docker?

paul23
  • 193
  • 1
  • 7
  • 127.0.0.1 is internal to the container only. Everything else comes from an IP assigned by dockerd to each container. Can you please explain what you are wanting exactly? The end result. Who are you trying to restrict access to where and why? – hookenz Oct 15 '18 at 19:56
  • We wish to restrict access except to a few limited IPs of "trusted organizations". The `127.0.0.1` was indeed just a "test example". The problem is that all addresses (as reported by nginx) are from 172.25.0.1 – paul23 Oct 15 '18 at 19:59
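An added check, not part of the question or any answer: it parses access.log lines in the format quoted above and tests whether an nginx `allow`/`deny` list can work at all when every `$remote_addr` is the bridge gateway. The log lines, the 172.25.0.1 gateway value and the 203.0.113.0/24 "trusted" range are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access.log lines in nginx "combined" format, modelled on the
# single line quoted in the question (the gateway 172.25.0.1 appears as $remote_addr).
SAMPLE_LOG = """\
172.25.0.1 - - [10/Apr/2018:08:22:46 +0000] "GET / HTTP/1.1" 403 153 "-" "curl/7.58.0"
172.25.0.1 - - [10/Apr/2018:08:22:47 +0000] "GET /api HTTP/1.1" 403 153 "-" "curl/7.58.0"
172.25.0.1 - - [10/Apr/2018:08:22:49 +0000] "POST /login HTTP/1.1" 403 153 "-" "Mozilla/5.0"
"""

# Bridge gateway as reported by the asker; treat the value as an assumption for this example.
DOCKER_GATEWAY = ipaddress.ip_address("172.25.0.1")

LOG_RE = re.compile(r'^(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_remote_addrs(log_text):
    """Return the $remote_addr field of every parsable log line."""
    addrs = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            addrs.append(ipaddress.ip_address(m.group("addr")))
    return addrs

def nat_masks_clients(addrs, gateway=DOCKER_GATEWAY):
    """True when every logged client address is the bridge gateway, i.e. the
    container only ever sees NATed traffic and cannot tell clients apart."""
    return bool(addrs) and all(a == gateway for a in addrs)

def nginx_access_decision(remote_addr, allow_nets):
    """Mimic 'allow <net>; ... deny all;' evaluation for one $remote_addr."""
    return "allow" if any(remote_addr in n for n in allow_nets) else "deny"

def audit(log_text, allow_cidrs):
    addrs = parse_remote_addrs(log_text)
    allow_nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    decisions = Counter(nginx_access_decision(a, allow_nets) for a in addrs)
    return {
        "distinct_clients": len(set(addrs)),
        "nat_masked": nat_masks_clients(addrs),
        "decisions": dict(decisions),
    }

if __name__ == "__main__":
    # The trusted-organisation range is a constructed placeholder (TEST-NET-3).
    print(audit(SAMPLE_LOG, ["203.0.113.0/24"]))
```

With the NATed log, every request is denied regardless of the trusted range, and `nat_masked` is the signal that the allow list is being evaluated against the gateway rather than real clients.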

1 Answer

1

This is expected and is the way docker networking works. By default you end up with something a bit like a virtual network on your docker host. Connections forwarded through from the outside will come to each container via docker0 and NAT.

To overcome that, the simple answer is to use host networking on the nginx container, i.e. the `--network host` option to the `docker run` command. See: host networking

Also, read through the docker networking documentation. It's explained more thoroughly there. https://docs.docker.com/network/

hookenz
  • 14,132
  • 22
  • 86
  • 142
  • The problem with `--network host` is that multiple docker containers can no longer "see" each other behind their own network (all our setups run a triplet of nginx + nodejs + redis dockers). – paul23 Oct 15 '18 at 23:38
  • @paul23 there isn't a simple solution. But you might consider switching to swarm mode which I believe has a solution to this. – hookenz Oct 16 '18 at 05:12
  • https://docs.docker.com/engine/swarm/ingress/#publish-a-port-for-tcp-only-or-udp-only – hookenz Oct 16 '18 at 05:13