Score:0

Can't get the user's public IP from within a docker container for a whitelist


I'm using docker-compose for context. So I have a docker container 'proxy' which, as you may have guessed, acts as a proxy to other containers. It does this based on the subdomain used.

x.localhost goes to container x, y.localhost goes to container y, etc. There are 5 of these, and they're web exposed through this proxy container.

However I'm now trying to add an IP whitelist to my proxy container so that only certain IPs can access x.localhost, while everyone can still access y.localhost.

So just testing from my machine currently: it seems that because these containers are on a network, any access to proxy appears with the gateway IP address. So a whitelist is impossible in that way. If I remove proxy from the compose-created network and have it use network_mode host, then it of course can't access the x.localhost and y.localhost namespaces any more as they're on a separate network.

I can't expose those other containers to host as that would defeat the purpose of the whitelist in the first place as it would allow for a bypass. And while x-forwarded-for is kept, that's not secure and can't be relied upon. Although frankly the more I work on this whitelist the more I'm wondering if an IP whitelist is a secure way to restrict access in the first place. Should I be doing something with an SSL client certificate instead?

Let me know if you think the full docker-compose.yml file would be helpful.
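
The per-subdomain whitelist decision described in the question, as an added example that is not part of the original post. It goes beyond the post by showing the one case where X-Forwarded-For can be honoured: when the TCP peer is a proxy you control. The networks, the gateway address 172.18.0.1 and the upstream proxy 10.0.0.5 are constructed assumptions.

```python
import ipaddress

# Constructed values (assumptions, not taken from the post).
# Hosts missing from ALLOWLIST are open to everyone (y.localhost in the post).
ALLOWLIST = {"x.localhost": [ipaddress.ip_network("203.0.113.0/24")]}
# Hypothetical upstream proxy that is trusted to append X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def client_ip(peer, xff=None, trusted=TRUSTED_PROXIES):
    """Return the address to authorise.

    Start from the TCP peer address. Only while the current address is a
    trusted proxy, step one entry leftwards through X-Forwarded-For, because
    each entry is only as reliable as the hop that appended it.
    """
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    while hops and any(addr in net for net in trusted):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last verified address
    return addr


def allowed(host, peer, xff=None):
    """Decide whether a request for `host` from `peer` passes the whitelist."""
    nets = ALLOWLIST.get(host.split(":")[0].lower())
    if nets is None:
        return True  # unrestricted virtual host
    ip = client_ip(peer, xff)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    # Constructed requests: (Host header, TCP peer address, X-Forwarded-For)
    samples = [
        ("y.localhost", "172.18.0.1", None),           # open host
        ("x.localhost", "203.0.113.7", None),          # real client address visible
        ("x.localhost", "172.18.0.1", None),           # everyone looks like the gateway
        ("x.localhost", "198.51.100.9", "203.0.113.7"),  # client-supplied header
        ("x.localhost", "10.0.0.5", "203.0.113.7"),    # header set by trusted proxy
    ]
    for host, peer, xff in samples:
        print(host, peer, xff, "->", allowed(host, peer, xff))
```

When every connection arrives with the bridge gateway as its peer address, the check fails closed for x.localhost, which is the behaviour the question runs into.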
