Specify a local address when exposing ports with Docker #20891
base: develop
@@ -174,15 +174,15 @@ The Docker image can be used to serve element-web as a web server. The easiest w | |||
it is to use the prebuilt image: | |||
|
|||
```bash | |||
docker run -p 80:80 vectorim/element-web | |||
docker run -p 127.0.0.1:80:80 vectorim/element-web |
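Review bot: the new `-p 127.0.0.1:80:80` line publishes the port on loopback only, yet the context sentence above it still says the image is used "to serve element-web as a web server", with no mention that other hosts will not be able to connect. Add a sentence next to the command stating that the `127.0.0.1:` prefix restricts access to the local machine and that `-p 80:80` publishes on all interfaces, so that exposing the server to the network is a deliberate choice rather than a default.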
I'd also like to make a further change if you don't object:
docker run -p 127.0.0.1:80:80 vectorim/element-web | |
docker run --rm -p 127.0.0.1:80:80 vectorim/element-web |
Before we can move this forward, would you be able to write a description of what you're trying to achieve and what use cases you're trying to cater for?
This corrects what looks like accidental creation of potentially attackable network exposure. From the linked Docker documentation:
The local development server should instead be confined only to the local host unless there is specific reason to make it network available (which is what this PR addresses).
The command is suggested to serve element-web as a web server, with all the use cases that entails. I think you might be assuming that only a development or local use-case exists, but there is also the use case of serving it to other clients on the network (e.g. run your own app.element.io with your own customisations, as many people do).
fwiw, the documentation in this area was written more as a point of interest rather than something to copy/paste. It's fairly rare that folks use bare docker commands these days, so the important aspect becomes the ports and container name.
That use case is certainly valid, but I believe running a server that supports it should be intentional rather than accidental—it's generally bad form to encourage creation of unnecessary attack surface area.
Acknowledged. Unless you see harm in these changes, though, I still consider it valuable to default to restricted access.
My suggestion is to list the different commands for the different use cases noting the implications.
…to localhost Signed-off-by: Richard Gibson <[email protected]>
@novocaine Done.
cf. https://docs.docker.com/engine/reference/commandline/run/#publish-or-expose-port--p---expose
Notes: none
This PR currently has no changelog labels, so will not be included in changelogs.
A reviewer can add one of: T-Deprecation, T-Enhancement, T-Defect, T-Task to indicate what type of change this is, or add Type: [enhancement/defect/task] to the description and I'll add them for you.
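
The thread above turns on whether a published port listens on loopback only or on every interface. The following added example (not part of this PR or of the element-web project) shows one way to check that on a host by parsing the `Ports` column of `docker ps`. The function names, container names and sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag containers whose published ports listen on every
# interface. Input is one "<name><TAB><ports>" line per container, as produced
# by:  docker ps --format '{{.Names}}\t{{.Ports}}'

# Constructed sample input (not captured from a real host).
sample_ps_output() {
  printf '%s\t%s\n' \
    'element-dev' '127.0.0.1:80->80/tcp' \
    'element-lan' '0.0.0.0:80->80/tcp, :::80->80/tcp' \
    'element-v6'  '[::]:8080->80/tcp' \
    'internal-db' '5432/tcp'
}

# Print "<name> <binding>" for every binding on a wildcard address.
find_wildcard_bindings() {
  awk -F '\t' '
    {
      n = split($2, entries, /, */)
      for (i = 1; i <= n; i++) {
        e = entries[i]
        if (e !~ /->/) continue        # exposed by the image but not published
        host = e
        sub(/->.*/, "", host)          # keep "addr:port" left of the arrow
        sub(/:[0-9-]+$/, "", host)     # drop the host port or port range
        if (host == "0.0.0.0" || host == "::" || host == "[::]")
          print $1, e
      }
    }'
}

# Run against the constructed sample; loopback and unpublished ports are not listed.
sample_ps_output | find_wildcard_bindings
```

On a real host, pipe the `docker ps --format` command from the header comment into `find_wildcard_bindings` instead of the sample.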