In short, I'm trying to set up an nginx container to proxy_pass to other containers on port 80.
I was following along with this tutorial: https://dev.to/domysee/setting-up-a-reverse-proxy-with-nginx-and-docker-compose-29jg
They describe having a docker compose file that looks something like:
    version: '3'
    services:
      nginx:
        image: nginx:latest
        container_name: production_nginx
        volumes:
          - ./nginx.conf:/etc/nginx/nginx.conf
          - ./nginx/error.log:/etc/nginx/error_log.log
          - ./nginx/cache/:/etc/nginx/cache
          - /etc/letsencrypt/:/etc/letsencrypt/
        ports:
          - 80:80
          - 443:443
      your_app_1:
        image: your_app_1_image:latest
        container_name: your_app_1
        expose:
          - "80"
      your_app_2:
        image: your_app_2_image:latest
        container_name: your_app_2
        expose:
          - "80"
      your_app_3:
        image: your_app_3_image:latest
        container_name: your_app_3
        expose:
          - "80"
Then in the nginx config they do a proxy_pass based on the path like this:
proxy_pass http://your_app_1:80;
This all makes sense to me, however when I was making a test node server to listen on port 80, I'm getting the error: Error: listen EACCES: permission denied 0.0.0.0:80. In my Dockerfile for the node server, I'm using a different user:
USER node
I know I'm getting this error because non-root users are not supposed to be able to bind below port 1024 or something. And I know it's bad practice to run as root in a container... so how in the world is something like this possible? I feel like I'm missing something here. It would be nice to not have to remember some custom high port your server is running on every time you do a proxy_pass in nginx... or is that just a fact of life?
I see zero issues in doing an expose on the port, as long as we don't publish the port.
EXPOSE will not allow communication via the defined ports to containers outside of the same network or to the host machine. To allow this to happen you need to publish the ports.
But it's doable at the cost of adding security holes by granting kernel capabilities using the --add-cap flag on the Docker client or the Docker Compose cap_add. NET_BIND_SERVICE is the capability that we should be adding.
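The compose file below is an added example, not code from the question, the answer or the linked tutorial. It shows the capability approach from the answer applied to the asker's setup: the Node container keeps `USER node` from its Dockerfile, drops every capability Docker would grant by default, adds back only NET_BIND_SERVICE, and is never published to the host. The service names follow the question; the image name `my-node-app:latest`, the `PORT` environment variable and the `depends_on` ordering are assumptions for illustration. Note that the Docker CLI flag is spelled `--cap-add` (`docker run --cap-add NET_BIND_SERVICE ...`); `cap_add` is the Compose key.

```yaml
# Added example: docker-compose.yml that lets a non-root Node container bind port 80.
# Service names (nginx, your_app_1) follow the question; the image name
# my-node-app:latest and the PORT variable are assumptions for illustration.
version: '3'
services:
  nginx:
    image: nginx:latest
    container_name: production_nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro   # nginx.conf has: proxy_pass http://your_app_1:80;
    ports:
      - 80:80
      - 443:443
    depends_on:
      - your_app_1

  your_app_1:
    image: my-node-app:latest        # its Dockerfile ends with `USER node`
    container_name: your_app_1
    # Start from an empty capability set, then add back only the one needed
    # to bind a port below 1024. Everything else Docker grants by default
    # (CHOWN, SETUID, NET_RAW, ...) stays dropped, so the process has less
    # privilege than a default container, not more.
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    # No `ports:` entry: port 80 is reachable only from containers on the
    # same compose network (i.e. nginx), never from the host or the outside.
    expose:
      - "80"
    environment:
      - PORT=80
```

With Docker's default runc runtime the capability is applied after the switch to the non-root user, so the `node` process keeps it in its effective set; verify rather than assume with `docker compose exec your_app_1 grep CapEff /proc/self/status`, which should print `CapEff: 0000000000000400` (bit 10, NET_BIND_SERVICE, and nothing else; `capsh --decode=400` names it). If you would rather not grant the capability at all, have the app listen on a high port such as 8080 and write `proxy_pass http://your_app_1:8080;` instead: the compose file and nginx.conf are then the single record of which port each service uses, so there is nothing to memorise.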