Expose the Docker API, but only to a specific service
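#!/usr/bin/env bash
# Expose the Docker Engine API over TCP so that one nginx reverse-proxy host
# can reach it, and nothing else can.
# Tested on CentOS 8; other distributions may behave differently.
#
# Why this needs care: the Docker API is root-equivalent on the host. Anything
# that can reach the TCP listener can start privileged containers, so the
# listener is (a) bound as narrowly as possible and (b) firewalled down to the
# single client that is allowed to use it. Steps 1-3 run on the Docker host;
# step 4 is for the nginx host.
set -euo pipefail

# Address the API listens on: the Docker host's own address (the proxy_pass
# target in the nginx config below). Binding here instead of 0.0.0.0 keeps the
# listener off docker0 and every other interface that does not need it.
readonly DOCKER_API_ADDR=161.35.213.2
readonly DOCKER_API_PORT=2375
# The only client allowed to talk to the API: the nginx host
# ubot207dockerlb.btabaku.co.
readonly PROXY_HOST_IP=132.22.44.69

# 1. Add the TCP listener.
#    /lib/systemd/system/docker.service belongs to the package and is replaced
#    on upgrade, so the change goes into a drop-in under /etc instead. The empty
#    "ExecStart=" line clears the packaged command before it is redefined.
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/override.conf >/dev/null <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://${DOCKER_API_ADDR}:${DOCKER_API_PORT} --containerd=/run/containerd/containerd.sock
EOF
# A plain tcp:// listener carries no authentication at all; the firewall below
# is the only access control. The supported way to authenticate API clients is
# TLS with client-certificate verification, e.g.
#   -H tcp://${DOCKER_API_ADDR}:2376 --tlsverify --tlscacert=<CA-PEM> \
#     --tlscert=<SERVER-CERT-PEM> --tlskey=<SERVER-KEY-PEM>
# (paths are placeholders). Prefer that over relying on source-IP filtering.

# 2. Firewall BEFORE the listener comes up, so there is no window in which the
#    API is reachable from everywhere.
#    -I puts the rules at the top of INPUT; -A would append them after whatever
#    is already there (on a firewalld-managed host the chain typically already
#    ends in a REJECT, which would make appended rules dead). Inserting DROP
#    first and then ACCEPT at position 1 leaves ACCEPT ahead of DROP.
#    Caveat: raw iptables rules are not persistent on CentOS 8 and may be
#    flushed when firewalld reloads. Add the equivalent permanent firewalld
#    rule (or iptables-save the ruleset) or this protection is lost on reboot.
sudo iptables -I INPUT 1 -p tcp --dport "${DOCKER_API_PORT}" -j DROP
sudo iptables -I INPUT 1 -p tcp --dport "${DOCKER_API_PORT}" -s "${PROXY_HOST_IP}" -j ACCEPT

# 3. Apply the unit change. The firewall rules took effect immediately, so no
#    second Docker restart is needed after them.
sudo systemctl daemon-reload
sudo systemctl restart docker

# 4. nginx side (install on ubot207dockerlb.btabaku.co, not on the Docker host).
#    The iptables rule above trusts the nginx host's IP and cannot see who is
#    behind nginx, so whoever can reach this vhost gets the Docker API. The
#    vhost therefore restricts its own clients as well: replace the allow entry
#    with the address(es) of the service that is meant to use the API.
cat <<'EOF'
# docker API for ubot207lb server
server {
    listen 80;
    server_name ubot207dockerlb.btabaku.co;

    # Only the intended client may use this proxy.
    allow <CLIENT-IP-PLACEHOLDER>;
    deny all;

    location / {
        # The Docker host's TCP listener (DOCKER_API_ADDR:DOCKER_API_PORT).
        proxy_pass http://161.35.213.2:2375;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # docker exec/attach upgrade (hijack) the connection; without these
        # only plain request/response endpoints work through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # listen 80 is plaintext: add TLS (listen 443 ssl plus certificates)
    # before putting this on a network you do not fully control.
}
EOF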