All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Firewall with Docker on Ubuntu
rasping5978
Member
Hi, I recently purchased my new VPS running Ubuntu 22. I have a public IPv4 address. I have set up Docker on Ubuntu and was able to spin up my services. However, those exposed ports are publicly on the internet and anyone can access through :. I don't want the service port to be exposed so I set up Nginx Proxy Manager as my reverse proxy. It works but service port is still exposed.
I then used a firewall (ufw) and only allow 80 and 443, however it still doesn't block. Searched up and looks like its a bug for Docker and ufw. Now I used ufw-docker, yes it blocks my Docker services from the public network. Now I want to continue to only proxy my services through the reverse proxy. However it still does not seem to work. I tried adding a nginxproxymanager bridge network and having all my Docker containers use that bridge network, however nginxproxymanager could not seem to reach the other containers.
At this point I feel like giving up hahaha I am not sure what is the cause, is it Ubuntu, ufw-docker, or Docker? I am accessing the VPS though Wireguard and it works as expected. Yay.
What is the best practices for setting up Ubuntu, Docker on a VPS? What other tips would you provide? I have set up password-less authentication on SSH too and set up 2FA on my provider.
For context I have my homelab set up using my home IP. I am trying to have a similar set up on a VPS, where the server directly have the public IP, unlike a home network where it goes through a firewall/router. My local server can expose services internally eg 192.168.1.20:9999 without exposing it to the public internet.
Thank you!
Comments
Follow this tutorial,
https://www.fuzzygrim.com/posts/secure-vps#ufw
It's not really a bug, rather both ufw and docker alter iptables
Had this problem a while back.
What happened is docker overrides ufw since it interacts with iptables after ufw rules were set.
Solutions:
Thank you all for the help, I managed to set up my services with the help from this guide https://thesmarthomebook.com/2021/08/25/nginx-proxy-manager-setup-and-a-fix-for-your-502-gateway-errors/
Basically I set up a shared Docker network for all my services, that connects the reverse proxy to those services. Instead of using the IP, I used the Docker service name.
For hardening the server, I followed more guides provided. More to learn!
It's a known issue with a few workarounds. The best I am aware of is https://github.com/chaifeng/ufw-docker
I am currently using ufw-docker as a workaround too! Works like a charm!
It's definitely the best workaround I have found and the script is easy to use