Docker and UFW
Warning
This guide assumes:
- You are using NGINX
- You have a non-root user with sudo privileges
- You have a domain name pointing to your server
This guide walks you through running Docker behind UFW, with NGINX as a reverse proxy. With this setup the container's port stays hidden behind UFW instead of bypassing it, and NGINX proxies requests arriving for a subdomain to the container.
By default, if you publish a container port without 127.0.0.1 (or localhost) in front of it, Docker binds it on every interface and writes its own iptables rules for it. Those rules live in Docker's chains, which are evaluated before UFW's, so the service is publicly reachable no matter what UFW allows or denies.
DNS Setup
Set up a subdomain for your app (for example subdomain.example.com) that points at your server. Since this varies greatly between DNS providers, I will not go into details; search for your provider's instructions if you are having trouble.
Docker
Start a simple Docker container with its service port published on the loopback address only, for example 127.0.0.1:9000:80 (host port 9000 on 127.0.0.1 forwarded to port 80 inside the container). The 127.0.0.1 is the important part: with it, the port is only reachable from the host itself, which is exactly where NGINX connects from; without it, Docker binds the port on all interfaces and UFW never gets a say.
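A quick way to check that nothing has slipped through is to audit the port mappings of the running containers and flag any that are not bound to the loopback address. The script below is an added example, not part of the original guide: it reads lines in the shape of docker ps --format '{{.Names}}\t{{.Ports}}' (the sample lines are constructed for the demo) and reports every mapping published on 0.0.0.0 or :: , which is exactly the kind that bypasses UFW.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the port mappings of running
# containers and flag any that are published on all interfaces rather than on 127.0.0.1.
# Such mappings are reachable from the outside through Docker's own iptables rules,
# regardless of what UFW says. Input is in the shape produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# find_exposed_ports: reads docker-ps style lines on stdin and prints
# "<container> <mapping>" for every mapping whose host address is not loopback.
# Exit status 1 if anything is exposed, 0 if every published port is loopback-bound.
find_exposed_ports() {
    tab=$(printf '\t')
    awk -F"$tab" '
    {
        name = $1
        n = split($2, maps, /, */)        # "0.0.0.0:5432->5432/tcp, :::5432->5432/tcp"
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue       # "6379/tcp" is only EXPOSEd, not published
            split(m, side, "->")
            host = side[1]                # e.g. "0.0.0.0:5432", ":::5432", "127.0.0.1:9000"
            idx = match(host, /:[0-9]+$/) # the last ":port" separates address from port
            addr = substr(host, 1, idx - 1)
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") {
                print name " " m
                exposed = 1
            }
        }
    }
    END { if (exposed) exit 1; exit 0 }'
}

# sample_ps_output: constructed sample lines standing in for real docker ps output.
# "web" follows the guide; "db" is published on every interface; "cache" is not published.
sample_ps_output() {
    printf 'web\t127.0.0.1:9000->80/tcp\n'
    printf 'db\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\n'
    printf 'cache\t6379/tcp\n'
}

# Demo: prints the two db mappings, then the warning, because the audit exits non-zero.
sample_ps_output | find_exposed_ports || echo "exposed ports found, fix the -p bindings above"
```

On a real host, pipe docker ps --format '{{.Names}}\t{{.Ports}}' into find_exposed_ports instead of the sample function; a clean result means every published port is only reachable via the host, and therefore only via NGINX.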
UFW
Configure UFW to allow connections to port 80 and/or 443 (if not already enabled)
sudo ufw allow http
sudo ufw allow https
NGINX
Create the configuration file in the /etc/nginx/sites-available/ directory and enable it with a symlink in /etc/nginx/sites-enabled/. Configure it as a reverse proxy to the loopback port of your Docker container, and forward the original Host header and client address, otherwise the application only ever sees 127.0.0.1 as the client. It should look something like the below.
# Plain HTTP only redirects to HTTPS; UFW allows port 80 above for this and for certificate renewal
server {
    listen 80;
    server_name subdomain.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name subdomain.example.com;
    # The certificate must cover subdomain.example.com (wildcard or SAN), not just example.com
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # Legacy header; current browsers ignore it, but it does no harm
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    location / {
        # The container is only bound to the loopback address, so this is the only way in
        proxy_pass http://127.0.0.1:9000;
        # Pass the original host and client address on, otherwise the app only sees 127.0.0.1
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Never serve Apache-style .htaccess/.htpasswd files if they end up in a web root
    location ~ /\.ht {
        deny all;
    }
}