I'm running Docker on my Raspberry Pi 4 with some containerized web apps and I want all traffic to go through nginx as reverse proxy.
My problem is that I can access the Docker container ports from any device in my network, i.e. I'm bypassing nginx.
This is my nginx config:
server {
    listen 80;
    server_name myRaspi;
    location /cool {
        proxy_pass http://127.0.0.1:5000/cool;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
As you can see, I'm forwarding the traffic for http://myRaspi/cool to http://localhost:5000/cool (a web app running inside a Docker container). At the moment, I can access both http://myRaspi/cool and http://myRaspi:5000/cool from any device in my network.
I followed the official Docker docs and configured the following:
iptables -I DOCKER-USER -i ext_if ! -s 192.168.174.0/24 -j DROP
Executing sudo iptables --list shows the new rule.
Since all of my network devices are in the subnet 192.168.175, I'd expect that now all traffic to both http://myRaspi/cool and http://myRaspi:5000/cool should not work (as I'm blocking everything except 192.168.174, but I'm in 192.168.175).
Unfortunately, this does not work: I can still access both http://myRaspi/cool and http://myRaspi:5000/cool.
After sudo reboot, the previously created rule is gone and sudo iptables --list doesn't contain it anymore.
Since I'm still a novice to the Docker/Linux/nginx network world, I'd appreciate your help on how to configure Docker/nginx so that all traffic goes through nginx as reverse proxy and access to container ports from outside this Raspi is not possible.
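As an added example (not part of the question above, and not the asker's code), here is a small POSIX shell check that audits the port mappings `docker ps` reports and flags any publication bound to all interfaces (`0.0.0.0` or `::`), which is exactly what makes a container reachable on the LAN without going through a host-local nginx. The sample `docker ps` output embedded in the script is constructed for the example; the container names `coolapp`, `otherapp` and `noports` are assumptions. The comments also note the documented Docker way to publish a port on loopback only (`-p 127.0.0.1:HOST:CONTAINER`), so that only nginx running on the same host can reach it.

```sh
#!/bin/sh
# Added example: audit published container ports for LAN exposure.
# Input format assumed: docker ps --format '{{.Names}}\t{{.Ports}}'
# (one container per line, name and port list separated by a tab).

# Constructed sample output standing in for the live `docker ps` call.
# coolapp  publishes 5000 on every interface (IPv4 and IPv6) -> LAN reachable
# otherapp publishes 5001 on loopback only                   -> proxy-only
# noports  publishes nothing
SAMPLE_PS=$(printf 'coolapp\t0.0.0.0:5000->5000/tcp, :::5000->5000/tcp\notherapp\t127.0.0.1:5001->5001/tcp\nnoports\t')

# Print "<container>\t<mapping>" for every mapping whose host side is the
# unspecified address (0.0.0.0 or ::). Prints nothing when all publications
# are bound to a specific address such as 127.0.0.1.
find_lan_exposed() {
    printf '%s\n' "$1" | awk -F'\t' '
        NF >= 2 && $2 != "" {
            n = split($2, maps, /, */)
            for (i = 1; i <= n; i++) {
                if (maps[i] ~ /^(0\.0\.0\.0|::):[0-9]+->/) {
                    print $1 "\t" maps[i]
                }
            }
        }'
}

# Number of LAN-exposed mappings (0 when the host only publishes on loopback).
count_lan_exposed() {
    find_lan_exposed "$1" | awk 'END { print NR }'
}

# Run against the constructed sample when executed directly.
find_lan_exposed "$SAMPLE_PS"
echo "exposed mappings: $(count_lan_exposed "$SAMPLE_PS")"

# Live usage on the Raspberry Pi:
#   find_lan_exposed "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
#
# Hardened publication, so only nginx on this host can reach the app:
#   docker run -d -p 127.0.0.1:5000:5000 <image>
# or, in docker-compose, under the service's ports: list:
#   - "127.0.0.1:5000:5000"
```

Binding the publication to 127.0.0.1 removes the exposure at the source rather than relying on a firewall rule, which is also why it survives a reboot without any iptables persistence.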