Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

How do I Secure Docker Networks?

Featured Replies

Hi there!

I'd like some assistance figuring out how to secure my docker network and some of the various services.

So, there some services I'd like to secure away from my home network, and possibly between other docker images. This includes things like services that only provide non secure connections (Such as http, which instead get run through a reverse proxy to secure them), or services that are just to hard to get secured (such as ssl on postgress, or LDAP, omg LDAP just fights so much).

For example, I'd like to make something like this:

 

Network: bro

Image             |       Access
pihole             |      IP: Lan IP


Network: Docker Bridge (Default Network)
I probably won't even use this If I can get the other stuff going.

Network: Docker Secure
Image             |       Access
Postgres         |      Internal only
Maridb            |      Internal only

Keycloak        |      Internal only

LDAP             |      Internal only
searx              |      Internal only
letsencrypt     |      Port 80 and 443 Exposed
 

Network: Docker Test
Image             |       Access
Postgres         |      Port 5432
searx              |      Internal only
letsencrypt     |      Port 80 and 443 Exposed

Network: host
Image             |       Access
Plex                |      Host


Sadly I can't really look into vlans atm. In terms of HW, I have:
FritzBox 7490 (Seems to not support vlan or work as a managed switch)
My server as listed in my Sig.

I don't have a spare network card, and I can't really earn money, so saving for hardware takes a really long time. Not complaining mind, but it limits what I can do sorry.
During tests, I found some weird things I can't explain, like giving the letsencrypt docker it's own ip stopped it from serving any site from the server, citing the gateway was bad. Also I notice linuxserver's images use names to talk to other images lot, however that doesn't work for me and I have to often replace the names with the server's lan ip.

Any help would be greatly appreciated!

  • 2 weeks later...
  • Author

Got it, learned about docker networks a bit better, and learned that this

On 6/9/2019 at 11:45 AM, Ryonez said:

Also I notice linuxserver's images use names to talk to other images lot, however that doesn't work for me and I have to often replace the names with the server's lan ip.


was just because the default network unRaid makes doesn't have DNS resolution on it.

So what did you end up having to do?

  • Author

I found this: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/#simplehtmlwebpagehosting
And then I noticed the readme file in /ngnix/proxy-confs. Both of these were created long after I first started using the container >.<

As for creating the network I used this:

`docker network create [networkname]`


That paired with using lowercase characters in the container names and switching the containers into using that network, brought the container name dns resolution up.

Then changed unRAID's web ports and switch letsencypt's ones to be exposed in their place. With pihole managing dns for my network, I set up internal domain names to point at the unRAID's ip. This gave me internal site resolution for sites I wanted internally accessed. To secure those sites I added the following to the location blocks of internal site confs:

allow [internal IP]/24;
deny all;

Now I have https with a valid cert, that can only be accessed on my internal network.

External sites are still accessible as well.

This is a massive improvement over what I had before. While I do control my network, it always sat wrong with me that exposed unsecured traffic could be caught before. Like I hated it, especially considering the changes I'd have to make to some dockers to secure traffic that should be secured by default. Looking at you LDAP, postgres and maridb. I feel so much more comfortable now.

The only two containers still outside the bridge are pihole and openvpn-as. I'd like to secure the web interface for pihole better that it's default later. openvpn-as is a selfsigned cert, but I'm okay with it atm.

Edited by Ryonez

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.