I've upgraded the Docker Kong image to the version 0.14.0 and it stopped responding to connections from outside the container:
$ curl 127.0.0.1:8001 --trace-ascii dump.txt
== Info: Rebuilt URL to: 127.0.0.1:8001/
== Info: Trying 127.0.0.1...
== Info: Connected to 127.0.0.1 (127.0.0.1) port 8001 (#0)
=> Send header, 78 bytes (0x4e)
0000: GET / HTTP/1.1
0010: Host: 127.0.0.1:8001
0026: User-Agent: curl/7.47.0
003f: Accept: */*
004c:
== Info: Recv failure: Connection reset by peer
== Info: Closing connection 0
The ports mapping is
0.0.0.0:8000-8001->8000-8001/tcp, 0.0.0.0:8443-8444->8443-8444/tcp
Everything is ok when trying to connect from inside the container:
/ # curl 127.0.0.1:8001
{"plugins":{"enabled_in_cluster":[], ...
Port 8000 is available from outside and inside the container. What can that be?
The problem was in the binding of the admin server to localhost in /usr/local/kong/nginx-kong.conf
server {
server_name kong_admin;
listen 127.0.0.1:8001;
listen 127.0.0.1:8444 ssl;
...
I've added the following code into my custom entrypoint which removes this binding just before starting nginx:
echo "Remove the admin API localhost binding..."
sed -i "s|^\s*listen 127.0.0.1:8001;|listen 0.0.0.0:8001;|g" /usr/local/kong/nginx-kong.conf && \
sed -i "s|^\s*listen 127.0.0.1:8444 ssl;|listen 0.0.0.0:8444 ssl;|g" /usr/local/kong/nginx-kong.conf
echo "Starting nginx $PREFIX..."
exec /usr/local/openresty/nginx/sbin/nginx \
-p $PREFIX \
-c nginx.conf
Of course the admin ports must be closed in production some other way.