docker, docker-compose, containers

Block container access to internet but still have a port open for access


What I am trying to do is create a container that is otherwise isolated but has a port open for access from outside. I'd like to keep it so that the container can't access the internet.

I have an internal network and a container that has a single port open for accessing the service.

Example docker-compose.yml:

version: '3.8'

networks:
  vaultwarden:
    driver: default
    internal: true

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    ports:
      - 8050:80
    stdin_open: true
    tty: true
    volumes:
      - /home/user/password_test:/data/
    environment:
      - WEBSOCKET_ENABLED=true
      - ROCKET_WORKERS=8
    networks:
      - vaultwarden

It seems to work: the service is accessible at localhost:8050, and from the container I can't access the internet.

Still, I am wondering: is this the right way to do it?

EDIT: I'm using podman-compose, where this works, but in docker-compose I have to put bridge instead of default. And it seems that with docker this solution does not work at all.


Solution

  • A solution of sorts was to create a reverse proxy and attach it both to the internal network and to a driver: bridge network. Now the traffic to the vaultwarden app goes through the other network, and vaultwarden itself can't access the internet.

    networks:
      vaultwarden_net_internal:
        internal: true      # no route to the outside; only containers on this network can talk to each other
      vaultwarden_net_outside:
        driver: bridge      # normal bridge network with NAT to the host and the internet
    
    services:
      vaultwarden:
        image: vaultwarden/server:latest
        restart: always
        stdin_open: true
        tty: true
        volumes:
          - /home/user/password_test:/data/
        environment:
          - WEBSOCKET_ENABLED=true
          - ROCKET_WORKERS=8
        networks:
          - vaultwarden_net_internal   # internal only: no ports published here, no egress
    
      proxy:
        build:
          context: ./
          dockerfile: Dockerfile
        restart: always
        stdin_open: true
        tty: true
        networks:
          - vaultwarden_net_internal   # reaches vaultwarden by service name
          - vaultwarden_net_outside    # the only path to/from the host and the internet
        ports:
          - 8051:80
        depends_on:
          - vaultwarden
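The answer above leaves the proxy image (`build: ./Dockerfile`) unspecified and does not show how to confirm that the isolation holds. Below is an added example, not code from the original post or from the Vaultwarden project: it writes a minimal nginx reverse-proxy config and Dockerfile for the `proxy` service, and provides a `verify_isolation` function that checks both halves of the requirement, that `vaultwarden` has no egress and that the service still answers through the proxy's published port. Assumptions not stated on the page: the proxy is nginx, the upstream is reachable as `vaultwarden:80` on the internal network, the compose project is up in the current directory, the `vaultwarden` image has `curl` for the outbound test, and `PROXY_DIR` is where the build context lives. The reason the reverse proxy is needed at all under Docker is that an `internal: true` network gets no DNAT/masquerade rules, so `ports:` on a container attached only to that network is not reachable from the host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Vaultwarden project).
# Assumptions: nginx as the proxy, upstream at vaultwarden:80, docker compose
# project up in the current directory, curl present in the vaultwarden image.
set -euo pipefail

# Directory that holds the proxy's build context (Dockerfile + nginx.conf).
PROXY_DIR="${PROXY_DIR:-.}"

# nginx listens on 80 inside the container (published as 8051:80 in the
# compose file) and forwards to vaultwarden by its service name, which only
# resolves on the shared internal network.
write_proxy_conf() {
  cat > "$PROXY_DIR/nginx.conf" <<'EOF'
events {}
http {
  server {
    listen 80;
    location / {
      proxy_pass http://vaultwarden:80;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      # WebSocket upgrade headers so WEBSOCKET_ENABLED=true keeps working
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }
}
EOF
}

# Minimal image for the "proxy" service: stock nginx plus the config above.
write_proxy_dockerfile() {
  cat > "$PROXY_DIR/Dockerfile" <<'EOF'
FROM nginx:alpine
COPY nginx.conf /etc/nginx/nginx.conf
EOF
}

# Runtime check (needs Docker and the compose project running):
#   1. an outbound request from inside the isolated container must FAIL;
#   2. a request to the proxy's published port on the host must SUCCEED.
# Returns 0 only when both hold.
verify_isolation() {
  local svc="${1:-vaultwarden}" port="${2:-8051}"
  if docker compose exec -T "$svc" \
       curl -fsS --max-time 5 http://example.com/ >/dev/null 2>&1; then
    echo "FAIL: $svc can reach the internet" >&2
    return 1
  fi
  if ! curl -fsS --max-time 5 "http://localhost:$port/" >/dev/null; then
    echo "FAIL: service not reachable through the proxy on port $port" >&2
    return 1
  fi
  echo "OK: $svc has no egress and is reachable through the proxy on port $port"
}

# Usage: generate the build context, then (after `docker compose up -d --build`)
# run the check.
#   write_proxy_conf && write_proxy_dockerfile
#   verify_isolation vaultwarden 8051
```

Note that the proxy container itself sits on the bridge network and therefore does have egress; it is the one component that can reach the outside, so keep it to a stock image with no extra tooling, and point `verify_isolation` at `proxy` only if you want to confirm the opposite (that it can reach out).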