Container to host port mapping using 127.0.0.1:[host port] does not work correctly #634
Comments
You can't use 127.0.0.1, because generally 127.0.0.1 refers to the Windows loopback, pointing back to the Windows system, not Docker. However, when you put that in Docker and a container, the container is running a mini OS inside itself. So technically, if the container has 127.0.0.1, then it points to itself, but if you use it then it's pointing back to the Windows host. You have to remember to treat Docker containers like they are other mini VMs on another network. Because they kinda are....
Yes and no.... 127.0.0.1 is indeed the IP address of the host's loopback interface, which is not exposed to the outside world. When mapping ports from container to host, if you only provide a port number, then Docker automatically maps the container's port to that port on the host's 0.0.0.0 interface, meaning that your container port is directly exposed to all other interfaces, and therefore also to the outside world. This is a security concern. However, it is possible with Docker to map a container port to the host's loopback address only, by prepending the host port number with 127.0.0.1. This way the container's port is still available to anything on the host system, but is not exposed to the outside world. It may not be best practice, but it is a nifty way of keeping your services available on localhost, so you can easily access them for other services on that machine, while not exposing them to the internet. Also, it's worth pointing out that this already works in Docker CLI, Docker Compose and Portainer.
Similar problem, used to use this solution before: https://stackoverflow.com/a/46220742
A convenient way of preventing containers on a VPS from being unnecessarily exposed to the internet, due to Docker's iptables rules bypassing the system firewall, is to map the container port to 127.0.0.1:[host port] rather than just giving Docker a host port number. The latter leads to it being mapped to 0.0.0.0:[host port], which is then exposed to the internet.
However, in Yacht, this does not seem to work correctly.
E.g. adding 127.0.0.1:8083 in the host port field results in the container being mapped to 32769 for some reason. See screenshots below.
Entering the port:
The resulting container running on the wrong port, and still exposed to the internet:
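A check for the situation reported in this issue, added here as an example and not part of the original thread or of Yacht's code: it reads `docker inspect`-style JSON, lists every published port whose actual host binding is not loopback, and confirms whether a requested `127.0.0.1:8083` mapping really took effect. The container names and the sample JSON are constructed; on a real host the input would come from `docker inspect`.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker inspect` output
# (NetworkSettings.Ports); not captured from a real host.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/app-intended",
   "NetworkSettings": {"Ports": {
     "8083/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8083"}]}}},
  {"Name": "/app-as-reported",
   "NetworkSettings": {"Ports": {
     "8083/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32769"},
                  {"HostIp": "::", "HostPort": "32769"}]}}},
  {"Name": "/app-unpublished",
   "NetworkSettings": {"Ports": {"5432/tcp": null}}}
]
""")


def is_loopback(host_ip):
    """True only for loopback addresses; an empty HostIp means all interfaces."""
    return bool(host_ip) and ipaddress.ip_address(host_ip).is_loopback


def exposed_bindings(inspect_data):
    """Return (container, container_port, host_ip, host_port) for each
    published port that is reachable on a non-loopback interface."""
    findings = []
    for container in inspect_data:
        ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in ports.items():
            for b in bindings or []:  # null: port exists but is not published
                ip = b.get("HostIp", "")
                if not is_loopback(ip):
                    findings.append((container["Name"].lstrip("/"),
                                     container_port, ip or "0.0.0.0",
                                     b.get("HostPort")))
    return findings


def binding_matches(container, container_port, requested):
    """Compare the live binding with a requested "ip:port" mapping."""
    want_ip, _, want_port = requested.rpartition(":")
    actual = container["NetworkSettings"]["Ports"].get(container_port) or []
    return bool(actual) and all(
        b.get("HostIp") == want_ip and b.get("HostPort") == want_port
        for b in actual)
```
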