I am very new to using docker. I have been used to using dedicated VM’s and hosting the applications within the servers OS.

When hosting multiple applications/services that require the same port, is it best practice to spin up a whole new docker server or how should I go about the conflicts?

Ie. Hosting multiple web applications that utilize 443.

Thank you!

  • Scott@lem.free.as
    link
    fedilink
    English
    arrow-up
    39
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Use a single reverse proxy on that one port… it can then route the requests to the various back ends.

    You probably want something that’s Docker-native like Traefik or Caddy.

    • EliteCow@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Thank you! I am using Caddy and was able to define a unique random port for the other containers and access this via reverse proxy!

      • herrfrutti@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        If the containers are all in the same network. You dont need to expose a port.

        Lets assume you create a docker network called reverse_proxy and add all your contaiers that you want to be accessed by the reverse proxy to that network (including caddy).

        Then you can address all containers through the hostname in you caddy file and the port would be the default configurated port from the container.

        So in the end you just expose the caddy container and nothing more.

        • EliteCow@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          In addition to Caddy being apart of the reverse_proxy network. Would I also have to add it to the Bridge network so that I can utilize the machine IP that docker is hosted on for port forwarding 443?

          • herrfrutti@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            Caddy would have the bridge proxy network and the port 443 exposed.

            version: "3.7"
            
            networks:
              proxy-network:
                external: true
            # needs to be created manually bevor running (docker create network proxy-network)
            services:
              caddy:
                image: caddy
                container_name: caddy
                restart: unless-stopped
                ports:
                  - 80:80
                  - 443:443
                volumes:
                  - ./data:/data
                  - ./config:/config
                  - ./Caddyfile:/etc/caddy/Caddyfile:ro
                networks:
                  - proxy-network
            

            Other services:

            version: "3.7"
            
            networks:
              proxy-network:
                external: true
            
            services:
              app:
                image: app
                container_name: app
                restart: unless-stopped
                volumes:
                  - ./app-data:/data
                networks:
                  - proxy-network
            

            Caddy can now talk to the app with the apps container_name.

            Caddyfile:

            homepage.domain.de {
                reverse_proxy app:80
            }
            

            So the reverse proxy network is an extra network only for containers that need to be exposed.

        • d_k_bo@feddit.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          That wouldn’t work if multiple containers use the same port (eg. 8000), right?

          Without a docker network, I can just map 8001:8000 and don’t have that issue.

          • aguslr@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            Yes, it’d work just fine because each container listens on port 8000 of their own IP address, not the docker server’s IP address. Caddy/Traefik just redirects traffic to that port.

  • pacoboyd@lemm.ee
    link
    fedilink
    English
    arrow-up
    24
    ·
    1 year ago

    That’s the cool thing about docker you can just map a different external port.

    https://docs.docker.com/network/

    So if you look at the first flag it mentions: -p 8080:80

    This means it’s mapping external port 8080 to the internal port 80. You can change the 8080 to anything you want so you don’t have conflicts.

    • EliteCow@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      1 year ago

      I have done what you mentioned and used a random port internally and kept 443 as the listening port. I am using Caddy to then direct the traffic reverse proxy it.

      Thank you so much!

      • pacoboyd@lemm.ee
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Just FYI, we may be using “internally” differently, but you can’t change the port number to the right of the “:” That’s usually a fixed port needed for the container (the internal docker port).

        I think you are using “internal” to mean your local network port though, but in Dockers case it would be the “external port” (external to docker).

        Flow would be: Proxy → External Docker Port (8080, can be variable) → Internal Docker Port (80, fixed per docker container)

        Probably getting overly picky with wording, but wanted to make sure you knew that the inernal docker port can’t be changed, just the mapping.

        • EliteCow@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Thanks for the heads-up on terminology! What you mentioned is how I set it up.

          I had no idea that the ports could be configured like that! This is very helpful. Docker is a beast to get used to!

  • flunky@lemmy.flunky.club
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 year ago

    For hosting multiple web apps, what you probably want is a reverse proxy. I recently started using Caddy (specifically Caddy-Docker-Proxy), and I’m liking it. There’s also Traefik, nginx, etc.

    For other types of services, you can simply map whatever (available) port you like in your docker compose file. See here: https://docs.docker.com/compose/networking/

  • redcalcium@lemmy.institute
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    You’ll need a load balancer/reverse proxy listening on ports 80 and 443. Then configure the load balancer to route traffics to the right containers. How to do that depends on the load balancer you use and the container platform you have. For example, Traefik works very well on docker compose platform because you can simply annotate your container to define the route. Another self-hosters favorite is Nginx Proxy Manager. If using kubernetes (e.g. via k3s), using Nginx Ingress is a good choice because the documentation is excellent and it’s easier to find help on the internet when you run into problems.

    • Nyknyak@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Came here to say the same. I just got done learning to do this with traefik and I’m very pleased with the docker-compose workflow

  • Haui@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Hi there,

    thats an interesting question. I suppose it depends on what you need to do.

    If you can, divert the ports in the run command or compose file with -p 4430:443 (run) Or Ports:

    • 4430:443

    Then you tell the apps that need this port to use that one instead.

    Thats the easiest solution I know of.

    If you want a more elegant solution, you use custom domains with a reverse proxy like npm (nginx proxy manager).

    You spin up npm and start defining hosts like cloud.yourhomedomain.com and define those over your dns if possible (router or in my case, pihole)

    Docker is a universe of itself and you can invest hundreds of hours and still feel like a noob (good game mechanic btw, easy go get into, hard to master).

    Hit me up if you need more info. Get familiar with stack overflow and the likes because you will need em. :)

    Good luck

    • EliteCow@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Thanks a ton! I did not realize you could have a different listing port vs internally used port.

      I have done what you mentioned and used a random port internally and kept 443 as the listening port. I am using Caddy to then direct the traffic reverse proxy it.

      Thanks again!

      • PupBiru@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        if you’re only going to be using those services through the proxy, it can also be a useful security upgrade to not forward their ports at all, and run caddy inside docker to connect to them directly!

        if you forward the ports (without firewalling them), people can connect to them directly which can be a security risk (for example, many services require a proxy to add the x-forwarded-for header to show which IP address originally made the request… if users can access the service directly, they can add this header themselves and make it appear as though they came from anywhere! even 127.0.0.1, which can sometimes bypass things like admin authentication)

        • EliteCow@lemmy.dbzer0.comOP
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Thank you! Just to clarify - I should only forward 443 & 80 for Caddy. Then in the Caddy config define the ports within the reverse proxy. Is that correct?

          How safe/secure is it to host a public website or services like a Lemmy instance doing this?

          For services I don’t care to be available outside of my network, I am not adding to Caddy and accessing them directly via internal IP.

          • PupBiru@kbin.social
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            so what you ideally want is people to ONLY be able to access your backend service through caddy, so caddy should be the only one with ports publicly accessible, yes

            caddy running in the same docker network as your services can talk to those services on their original ports; they don’t need to even be mapped to the host! in this case, you have 3 containers: caddy, service 1, service 2… caddy is the only one that needs to have ports forwarded and you can just forward caddy:443 and no need to worry! then caddy can talk directly to services:80 or services:443 (docker containers show up to other docker containers by their container name! so if you run eg: docker run … —name lemmy, then caddy in the same docker network would be able to connect to http://lemmy:80!)

            … but if you forward say service 1 and 2 on :8443 and :9443 (without firewall, and even with it makes me uncomfortable - that’s 1 step away from a subtle security problem), someone could be able to access <yourserver>:8443, right? so they don’t have to go through caddy to get to the backend service… for some services, that can be a big deal in ways that it’s difficult to understand, so it’s best to just not allow it if possible

            an alternative is to make sure your services are firewalled so that nobody from the internet can hit them, but caddy still can… but i like this less, because it’s less explicit what’s happening so it’s easier to forget about

            • EliteCow@lemmy.dbzer0.comOP
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Thank you for all of this info. 443 is now my only open port and directs to my Caddy server. For extra security, I’m going to look into implementing an authentication portal for each backend service that is not “public” for all.

    • earthling@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      This is the correct answer.

      I run several containers that offer up http/s and they obviously can’t all use 80/443. Just adjust the left side of that port setting and you’re good.

      That plus a reverse proxy for offering these services up over the public internet, if you choose to do so, is a killer pair.

      • Haui@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        One addition to this: I actually run those in my private setup since I have highly sensitive data on there. Even if you’re not opening them, reverse proxy works wonders. :)

  • Ocelot@lemmies.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    create a separate macvlan network and have each container get its own unique IP. Its bad security practice to have it share the host network anyway.