Docker hostname resolution

I’ve got a standard docker setup on Debian with host IP of 192.168.11.100.
I’m able to map container ports to the host network.
I can see everything by typing the host IP and the ports so it all works.

How do I get the host to map hostnames to the relevant service, a bit like a webserver would?

plex.local
somewebsite.local
etc.local

I thought about adding multiple IPs but I’m wondering if there is a simpler way?

Use your DNS server. For example, if you are using pfsense you can add entries for each of those in the DNS server settings under “Host Overrides”.

Just a few things – which are pretty common sense.

Look at your docker containers. Anything that doesn’t really need to be exposed to the outside world, but rather only to the internal docker network, I would use the expose setting for rather than the ports setting. Things like docker databases (mysql, mariadb), caching servers (redis), etc. are usually candidates for such settings since they really only need to be accessible from the internal docker network. This decreases your attack vector.

I also suppose you probably have a bunch of different services exposed that are running on a variety of port numbers. If using a host firewall, make sure you have exceptions for these ports (although I’m aware that there is a debate about whether the docker daemon completely bypasses iptables restrictions no matter what the firewall is doing – this should be a simple test but I haven’t performed it yet).

Assuming your docker host (debian) is known as debian.mydomain.com, I’m betting right now you access your individual docker services as something like debian.mydomain.com:3306 or debian.mydomain.com:8888. I’m interpreting your question as meaning you’d like to access your docker containers as mydockerservice.mydomain.com rather than debian.mydomain.com:3306. You need two things to allow for this:

  1. Your router (or your DNS server) needs a DNS host override which maps mydockerservice.mydomain.com to the IP address of your Debian host. If your router doesn’t have these capabilities you need to modify the /etc/hosts file (if using linux) on each of the clients that need to access the docker container. I’m not sure how to do this on windows, however I’m aware there is a way. It’s much easier to make one change at the DNS server level than to modify a bunch of hosts. DNS servers, however, do not take port numbers into account. In effect you’ve mapped mydockerservice.mydomain.com to the same IP address as debian.mydomain.com. To resolve port numbers, see step #2.
  2. For port number resolution, you need to run a reverse proxy. Reverse proxies listen on certain ports and then forward connections to the appropriate service. If running pfsense as your router you could use HA proxy, which is built in at the router level, as the reverse proxy. Another option would be to run a reverse proxy on the debian host, or you could even run a reverse proxy within docker itself (such as a traefik reverse proxy). I’m aware packages such as nginx, caddy, traefik and HA proxy are all types of reverse proxies that could be used in this situation. It just really depends what reverse proxy you want to use.
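As an added worked example (not from the thread, and not kevdog's or the OP's own setup), here is the two-step answer above as a single docker compose stack: DNS (pfsense Host Overrides, or /etc/hosts on each client) points plex.local and somewebsite.local at the host, 192.168.11.100, and a reverse proxy running inside docker (traefik is used here; nginx, caddy or HA proxy would do the same job) picks the backend from the Host header. It also shows the expose-versus-ports point: only the proxy publishes a port on the host, and the database is not reachable from the proxy network at all. The hostnames, image names, internal ports and network names are assumptions for illustration.

```yaml
# Added example, not the poster's configuration. Assumes the Debian host has
# LAN address 192.168.11.100 and that plex.local / somewebsite.local already
# resolve to it (DNS host override or /etc/hosts on the clients).
services:
  proxy:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      # Route only containers that opt in with traefik.enable=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
    ports:
      # The only published port in the stack. Binding to the LAN address
      # instead of "80:80" (0.0.0.0) keeps the listener off other interfaces.
      - "192.168.11.100:80:80"
    volumes:
      # Read-only socket; the proxy still learns every container's metadata,
      # so treat this container as privileged and keep it minimal.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [edge]

  plex:
    image: lscr.io/linuxserver/plex
    expose:
      - "32400"   # reachable from the docker networks only, no host port
    labels:
      - traefik.enable=true
      - traefik.http.routers.plex.rule=Host(`plex.local`)
      - traefik.http.routers.plex.entrypoints=web
      - traefik.http.services.plex.loadbalancer.server.port=32400
    networks: [edge]

  somewebsite:
    image: nginx:alpine
    expose:
      - "80"
    labels:
      - traefik.enable=true
      - traefik.http.routers.somewebsite.rule=Host(`somewebsite.local`)
      - traefik.http.routers.somewebsite.entrypoints=web
      - traefik.http.services.somewebsite.loadbalancer.server.port=80
    networks: [edge, backend]

  db:
    image: mariadb:11
    environment:
      MARIADB_RANDOM_ROOT_PASSWORD: "1"
    expose:
      - "3306"    # expose, never ports: only somewebsite talks to it
    networks: [backend]   # not on "edge", so even the proxy cannot reach it

networks:
  edge:
  backend:
    internal: true   # no default route out; the database cannot reach the LAN
```

Two practitioner notes on this. First, publishing a port with `ports:` makes dockerd add its own iptables rules (the DOCKER chain in the nat and filter tables) ahead of the host's INPUT/FORWARD policy, which is the "bypasses the firewall" debate mentioned above; host-level restrictions on docker-published ports belong in the DOCKER-USER chain, which docker evaluates first and leaves alone. Second, the `.local` suffix is reserved for mDNS (RFC 6762), and some clients send `.local` lookups to multicast instead of the unicast DNS server, so a Host Override for plex.local may silently not be consulted; a suffix such as `.lan` or a real subdomain you control avoids that.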

Thanks @LTS_Tom @kevdog

I get the basics of DNS and I have the names on the DNS server resolving to the IP.
I’m not sure a reverse proxy is the solution.

I think the issue is the binding on the host? sorry I’m not familiar with the terminology.

Kev, to your point I can resolve a myServer.something:8080

I want the host to know that if a user hits myServer.something to respond with the service on port 8080. The nearest example I can think of is in IIS, where I can bind a website/service to a particular port, IP, hostname or combination of these.

Can you map hostnames in this way using docker? I’d assumed this would be possible given it can be used to host a multitude of services.

Failing that I figured I could just setup multiple IPs on the host and bind the ports to that IP, but this is a layer of admin/complexity I’d prefer to avoid if I can.

I hope that makes sense!

Having done some more reading, it seems in the linux world a proxy is the only way to do this.

My next question is likely to be how that works in relation to firewall rules.

I’ll give HA proxy a go.


@daninmanchester

A couple of things you might want to consider, since yes, I believe a reverse proxy is what you want. Do you need to protect some of your docker services with SSL certs – meaning have an encrypted connection up to the level of the proxy? Some reverse proxies like traefik and caddy have a Let’s Encrypt solution baked in that will do this type of certificate management and renewal. I believe if you have pfsense, their HA proxy is tied into their Acme renewal service. I don’t know if HA proxy has SSL certificate management built into itself natively (I could be wrong about this). Just some considerations you may want to think about.

To be honest I wasn’t too bothered for now as it’s an internal network. I’m already slightly ahead of you, having (as usual) found a video from Tom that answers my HA Proxy questions and addresses the points you are making.

How To Setup ACME, Let’s Encrypt, and HAProxy HTTPS offloading on pfsense

In hindsight this could make managing things easier and more secure as I can lock all the services away on a vlan and just expose what I need via the proxy.

I imagine it will allow me to group core ports/services and create simpler rule sets on my firewall.

It will also make life easier in the future if I move back end servers around (e.g. my plex) as I won’t have to reconfigure all my devices.

I’ve only ever really used proxies for internet access before, so this is something of a revelation, but it seems pretty straightforward once you know what you are looking for.

Thanks for your help.


Hopefully your experience with HA proxy on pfsense works better than mine. I’ve personally had more success with nginx, however it’s probably something I’m configuring incorrectly. There are always docker reverse proxies as well that work quite well as another option.

How can you set this up for a Host Override across VLANs? A mobile device on the IoT VLAN cannot access a web server on the Production LAN even with a Host Override. It cannot access it without a Host Override either, and that is what led me to this thread. Any assistance is appreciated.