
Docker and UFW

Warning

This guide assumes:

  • You are using NGINX
  • You have a non-root user with sudo privileges
  • You have a domain name pointing to your server

This guide walks you through using Docker together with UFW, with NGINX as a reverse proxy. With this setup the port your Docker container publishes stays blocked by UFW from the outside, while NGINX proxies requests arriving for your subdomain to it.

By default, if you publish a container port without 127.0.0.1 (localhost) in front of it, Docker writes its own iptables rules for that port ahead of the chains UFW manages, so the service bypasses UFW entirely and is publicly accessible to everyone.

DNS Setup

Set up a subdomain for your app. Since this varies greatly between DNS providers, I will not go into details here, but please google it if you are having trouble.

Docker

Start a simple Docker container with a port mapping such as 127.0.0.1:9000:80, which publishes container port 80 on host port 9000. The 127.0.0.1 prefix is very important here: it binds the published port to loopback only, so nothing outside the host can reach the container except through NGINX.
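
The check below is an added example, not part of the original guide: it reads `docker ps --format '{{.Names}}\t{{.Ports}}'` output and flags every published port that is not bound to loopback, i.e. the mappings that bypass UFW. The sample output it runs on is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original guide: flag published container ports
# that are bound to a non-loopback host address. Those are exactly the ports
# Docker's own iptables rules expose past UFW. Input (stdin) is the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output is one line per exposed mapping, "<container> <mapping>", and the
# exit status is 1 if anything was flagged, 0 otherwise.
find_public_bindings() {
  awk -F'\t' '
    {
      name = $1
      n = split($2, maps, ", ")
      for (i = 1; i <= n; i++) {
        m = maps[i]
        # A mapping with no "->" (e.g. "5432/tcp") is only EXPOSEd, not published.
        if (m !~ /->/) continue
        split(m, parts, "->")
        ip = parts[1]
        sub(/:[0-9]+$/, "", ip)      # strip the host port: ":::9000" -> "::"
        if (ip == "127.0.0.1" || ip == "::1") continue
        print name " " m
        found = 1
      }
    }
    END { exit found ? 1 : 0 }
  '
}

# Constructed sample of docker ps output: "web" is published on all interfaces
# (0.0.0.0 and ::), "app" is bound to loopback as the guide recommends, and
# "db" only exposes a port without publishing it.
sample_ps() {
  printf 'web\t0.0.0.0:9000->80/tcp, :::9000->80/tcp\n'
  printf 'app\t127.0.0.1:9000->80/tcp\n'
  printf 'db\t5432/tcp\n'
}

# On a real host run:  docker ps --format '{{.Names}}\t{{.Ports}}' | find_public_bindings
if sample_ps | find_public_bindings; then
  echo "OK: every published port is bound to loopback"
else
  echo "WARNING: the mappings above bypass UFW; republish them as 127.0.0.1:HOSTPORT:PORT"
fi
```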

UFW

Configure UFW to allow connections to port 80 and/or 443 (if not already enabled).

sudo ufw allow http
sudo ufw allow https

NGINX

Set up the configuration file in the /etc/nginx/sites-available/ directory. You will want it to act as a reverse proxy to the port of your Docker container. It should look something like the below.

server {
  listen 443 ssl;
  server_name subdomain.example.com;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  add_header X-XSS-Protection "1; mode=block";
  add_header X-Frame-Options "SAMEORIGIN";

  location / {
    # Forward to the container port that was published on loopback only,
    # so the container is reachable solely through this proxy.
    proxy_pass http://127.0.0.1:9000;
    # Pass the original host and client details through to the container.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  location ~ /\.ht {
    deny all;
  }
}


Last update: November 26, 2020