I'm trying to secure containers on my homelab.
The main goal is:
- isolating nginxA and nginxB, so they are not able to talk to each other via
172.17.0.1
(eg. preventing nginxA from reaching nginxB via 172.17.0.1:5001
)
- isolating nginxA and nginxB from localhost, making them exclusively accessible via traefik
- Allowing nginxA to talk to nginxA_DB, which are in the same stack, but without allowing other containers nor traefik to talk to nginxA_DB
Each docker stack has a nginx/apache service with it's port exposed in docker-compose in the following manner:
docker-compose-nginxA.yml:
networks:
internal:
ipam:
config:
- subnet: 10.0.0.0/29
...SNIP...
nginxA:
networks:
internal:
ipv4_address: 10.0.0.2
ports:
- "172.17.0.1:5000:80"
docker-compose-nginxB.yml:
networks:
internal:
ipam:
config:
- subnet: 10.0.0.8/29
...SNIP...
nginxB:
networks:
internal:
ipv4_address: 10.0.0.10
ports:
- "172.17.0.1:5001:80"
Making these services only accessible via localhost (172.17.0.1) or traefik,
Traefik being also on the same machine with the following configuration:
http:
routers:
nginxA:
entryPoints:
- web
service: nginxA
nginxB:
entryPoints:
- web
service: nginxB
...SNIP...
services:
nginxA:
loadBalancer:
servers:
- url: http://172.17.0.1:5000
nginxB:
loadBalancer:
servers:
- url: http://172.17.0.1:5001
An idea was to connect all the containers in a same /24
network with traefik, without exposing any ports via compose, but a single traefik network wouldn't isolate the containers from each other, only from the outside.
Another idea was to create a /31
network for each container and merge all the networks traefik, but I'm unsure if this will do the isolation as intended. eg.
nginxA:
networks:
internal:
ipv4_address: 10.0.0.2 # /29
nginxA-traefik:
ipv4_address: 10.50.0.1 # /31
traefik:
networks:
nginxA-traefik:
nginxB-traefik:
...
Thanks for reading this far! Do you have any ideas how this can be done?