Hacker News

dizhn, today at 12:42 PM (3 replies)

My containers run in dedicated "docker host" VMs. And I never expose ports on 0.0.0.0, just the private internal IP. Most (all) of my docker hosts do not have a public IP anyway. I use wireguard to access them myself. If they need to be public I reverse proxy with caddy from my web server (or use Authentik's embedded proxy). These servers have access to the same private LAN which could be hardened without having the issues you brought up.

By the way, most docker-based setups do not actually need the userland proxy that docker runs automatically. Disable it in /etc/docker/daemon.json:

    {
        "userland-proxy": false
    }
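An audit helper for the "never bind on 0.0.0.0" rule from this comment, added here as an example and not something the commenter posted: it reads the `NAMES`/`PORTS` columns as `docker ps --format '{{.Names}}\t{{.Ports}}'` prints them and reports every published port bound to all interfaces (`0.0.0.0` or `[::]`) rather than to a specific private IP. The sample `docker ps` output and the 10.0.0.5 address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HN thread): find containers whose published
# ports are bound to every interface instead of one private IP.
#
# Input format is what `docker ps --format '{{.Names}}\t{{.Ports}}'` prints.
# The sample below is constructed, not captured from a real docker host.
SAMPLE_PS_OUTPUT=$(printf 'web\t10.0.0.5:8080->80/tcp, 10.0.0.5:8443->443/tcp\ndb\t5432/tcp\ncache\t0.0.0.0:6379->6379/tcp, [::]:6379->6379/tcp\nauth\t127.0.0.1:9000->9000/tcp')

# Print "<container> <host_ip:host_port->container_port>" for each binding
# whose host side is the IPv4 or IPv6 wildcard address.
wildcard_bindings() {
    printf '%s\n' "$1" | awk -F '\t' '
    {
        name = $1
        # The PORTS column lists several mappings separated by ", ".
        n = split($2, ports, /, */)
        for (i = 1; i <= n; i++) {
            if (ports[i] ~ /^(0\.0\.0\.0|\[::\]):/) {
                print name, ports[i]
            }
        }
    }'
}

# Number of distinct containers with at least one wildcard binding.
wildcard_container_count() {
    wildcard_bindings "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# On a real docker host you would feed it live output (not run here):
#   wildcard_bindings "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
# A container started with `-p 10.0.0.5:8080:80` is not reported; one started
# with `-p 8080:80` (which docker binds to 0.0.0.0) is.
wildcard_bindings "$SAMPLE_PS_OUTPUT"
```

In the sample, only `cache` is flagged (both its IPv4 and IPv6 wildcard bindings), while `web` (bound to the private IP), `db` (no published port) and `auth` (loopback only) pass. Running this against a host that also has `"userland-proxy": false` set confirms that the remaining bindings are the ones you actually intended to reach over WireGuard or through the reverse proxy.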

Replies

KetoManx64, today at 1:42 PM

What would the config look like if I have my docker containers split up over multiple VMs?

hkpack, today at 12:54 PM

This is the way; ended up using an identical setup.

Lord_Zero, today at 1:09 PM

Could you elaborate on your setup? Is the docker host also your web server on which you run caddy?