
I am building a new microservice which is a Python Flask app that is fronted by gunicorn and can take and respond to HTTP get requests. It's kinda like a local proxy service to an external API. I run the gunicorn app on port 5000. I want to remap the port to something similar with my other services but I also want to restrict this container so it is only accessible by other containers on my host, I never want this container to be accessible by the outside world. However, it needs to be able to go to the outside world to make the API request.

So I thought I would bind a port that is in line with what my containers use and restrict it to localhost by running the container like below:

docker run --name proxy-app --env SECRET="MYSECRET" -p 9000:5000 -d killerkode/proxy-app

On the host system, I can successfully send requests to the container by running something like:

curl -XPOST -H "Content-type: application/json" -d '{"message": "test"}' 'http://127.0.0.1:9000/send_message'

But then I run another container and when I exec into that container and run the same curl command, it can't see localhost - I assumed this is because inside the container the localhost is different to outside the container.

So I looked into docker networks and decided to create a bridge network. I put both containers on the same bridge network and then I tried the same command using the proxy container's IP (which for argument's sake let's say is 172.30.1.2), but the problem I have is the request works on port 5000 but not port 9000. I don't want the second container to see port 5000 at all, I want it to only see port 9000 and have that as its only access to the proxy container. Just like the host system cannot see port 5000 but can send requests to port 9000.

curl -XPOST -H "Content-type: application/json" -d '{"message": "test"}' 'http://172.30.1.2:5000/send_message'

TL;DR is, I am trying to get 2 containers running on 1 host. The first container (proxy container) needs to remap its app port from 5000 to 9000 and then it should only be accessible by the host system or other containers on the host system from port 9000 only. How do I achieve this?

  • Can you put the other containers on the same network in Docker? Then they'll have access.
    – slhck
    Commented Nov 21, 2019 at 21:27
  • Yes they are on the same network, I did try that. They do have access but my other stumbling point is that the port exposing no longer works (i.e. remapping port 5000 to 9001). This is problematic if I had many containers all with port 5000, they would clash. I rely on docker being able to contain the ports and remap them so other containers don't know the real port. Putting them on the same network seems to prevent me from doing that.
    – KillerKode
    Commented Nov 21, 2019 at 21:40

1 Answer


Inside the other container you just need to replace 127.0.0.1 with the ip of the host in the curl command.

To prevent access from other hosts you could filter with iptables. Something like -A INPUT -i eth0 -p tcp --dport 9000 -j DROP (the --dport match needs -p tcp in front of it, otherwise iptables rejects the rule).

  • Hm, interesting idea, didn't think of that. But what if the host IP is not always the same? For example, what if I wanted to deploy on multiple hosts and don't necessarily have a static IP I can put in my build script? 127.0.0.1 is nice because it is universal. Is there an equivalent universal way of doing this?
    – KillerKode
    Commented Nov 21, 2019 at 21:21
  • The docker0-interface also has an IP (172.17.0.1 in my case), but I don't know if it is always the same...
    – Virsacer
    Commented Nov 21, 2019 at 21:41
  • Are you talking about the host IP or docker network IP? If we are talking about the docker network IP, can I bind a port to a docker network IP so that the entire network can see it? For example -p 172.17.0.1:9000:5000 - is something like that possible? When I was testing, I couldn't get it to work for the entire network, I could only map it to one container based on exact IP.
    – KillerKode
    Commented Nov 21, 2019 at 21:44
  • docker0 is the (virtual) interface on the host - look up its IP and try with curl. But again: I don't know if it is the same address on all hosts (it could depend on the OS and/or number of containers)
    – Virsacer
    Commented Nov 22, 2019 at 7:34
  • Reading up on it, I understand docker0 is by default a bridge connection to the host. So the IPs would change based on the host network setup.
    – KillerKode
    Commented Nov 22, 2019 at 9:15
