限制对Docker容器的Internet访问?
[英]Restrict internet access to docker container?
问题描述
What is the best way to restrict internet access to a single docker container while still forwarding ports? 
在仍然转发端口的同时限制对单个docker容器的Internet访问的最佳方法是什么?
My current way of doing this works like this: 我目前这样做的方式是这样的:
sudo docker network create --internal --subnet 10.1.1.0/24 no-internet
sudo docker run --name gitlab -d -p 80:80 -p 822:22 --restart always gitlab/gitlab-ce
sudo docker network connect no-internet gitlab
sudo docker network disconnect bridge gitlab
The problem is that if I restart the system the ports are not forwarded anymore: 问题是,如果我重新启动系统,端口将不再转发:
sudo docker ps before reboot: 重启前sudo docker ps :
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2d2a062744ec gitlab/gitlab-ce "/assets/wrapper" 13 seconds ago Up 13 seconds (health: starting) 0.0.0.0:80->80/tcp, 443/tcp, 0.0.0.0:822->22/tcp gitlab
sudo docker ps after reboot: sudo docker ps重启后:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2d2a062744ec gitlab/gitlab-ce "/assets/wrapper" 12 minutes ago Up 2 minutes (healthy) gitlab
2 个解决方案
解决方案1
2 已采纳 2017-10-30 05:06:03
So if I understand your scenario correctly, you would like to avoid sharing your host's network to your gitlab container to make sure gitlab cannot connect to the internet. 因此,如果我正确理解您的场景,您希望避免将您的主机网络共享到您的gitlab容器,以确保gitlab无法连接到互联网。 At the same time you wish to share the host's network to bind a container port to your host system. 同时,您希望共享主机的网络以将容器端口绑定到主机系统。 It doesn't work that way, but the following might be an acceptable workaround for you: docker containers sharing the same internal network can connect to exposed/published ports of other containers on the same network. 它不起作用,但以下可能是您可接受的解决方法:共享同一内部网络的docker容器可以连接到同一网络上其他容器的公开/已发布端口。
You could follow this approach: 你可以遵循这种方法:
- Run a reverse proxy in front of your gitlab container 在gitlab容器前运行反向代理
- The reverse proxy is member of your internal network and the default bridge network (which includes the host's net) 反向代理是您的内部网络和默认桥接网络(包括主机网络)的成员
- This enables the reverse proxy to bind to a host port and forward requests to your gitlab container while gitlab still can't access the internet 这使得反向代理能够绑定到主机端口并将请求转发到gitlab容器,而gitlab仍无法访问互联网
I quickly put this example together, hope that gets you started: 我很快把这个例子放在一起,希望能让你开始:
docker network create --internal --subnet 10.1.1.0/24 no-internet
docker network create internet
docker-compose.yml : docker-compose.yml :
version: '2'
services:
whoami:
image: jwilder/whoami
container_name: whoami
networks:
- no-internet
proxy:
image: nginx:1.13-alpine
container_name: proxy
networks:
- internet
- no-internet
volumes:
- ./vhost.conf:/etc/nginx/conf.d/default.conf
ports:
- "80:80"
networks:
internet:
external:
name: internet
no-internet:
external:
name: no-internet
vhost.conf : vhost.conf :
upstream whoami {
server whoami:8000;
}
server {
server_name localhost;
listen 80;
location / {
proxy_pass http://whoami;
}
}
Please note the above mentioned internet network is actually not needed, as a docker container shares the host network by default anyway. 请注意,实际上不需要上面提到的internet ,因为无论如何,泊坞容器默认共享主机网络。 It's just there to make things clearer. 它只是让事情变得更清晰。
In the example depicted above, open http://localhost/ and you will see the response of the whoami container, the whoami container itself however can't connect to the internet. 在上面描述的示例中,打开http://localhost/ ,您将看到whoami容器的响应,但是whoami容器本身无法连接到Internet。
解决方案2
2 2018-08-09 11:08:18
You can also use internal:true to disable internet connectivity: 您还可以使用internal:true来禁用Internet连接:
networks:
yournetwork:
internal: true
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.