zlacker

2 comments
1. 01HNNW+(OP) 2025-01-05 15:54:48
I thought "external" referred to whether the network was managed by compose or not
replies(1): >>Fnoord+yd
2. Fnoord+yd 2025-01-05 17:43:05
>>01HNNW+(OP)
Yeah, true, but I have set it up in such a way that that network is an exposed bridge, whereas the other networks created by docker-compose are not. It isn't even possible to reach these from outside. They're not routed; each of these backends uses the standard Postgres port, so with 1:1 NAT it'd give errors. Even on 127.0.0.1 it does not work:

    $ nc 127.0.0.1 5432 && echo success || echo no success
    no success

Example snippet from docker-compose:

DB/cache (e.g. Postgres & Redis, in this example Postgres):

    [..]
    ports:
      - "5432:5432"
    networks:
      - backend
    [..]
App:

    [..]
    networks:
      - backend
      - frontend
    [..]
    networks:
      frontend:
        external: true
      backend:
        internal: true
replies(1): >>akerl_+wg
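As an added example (not the commenter's own compose file, and not code from the post being discussed), here is a complete docker-compose.yml that puts the commenter's layout next to the default layout the thread calls a footgun. Image names, service names and the password are placeholder assumptions. In the default layout every service joins the compose-created default network, which Docker attaches to the host with NAT, so `"5432:5432"` binds on all host interfaces. In the commenter's layout the database sits only on a network marked `internal: true`; Docker gives such a network no external connectivity, so the same `ports:` entry is not reachable through the host's addresses, which is what the commenter's `nc` test on 127.0.0.1 shows.

```yaml
# Added example, not the commenter's file. Image, service and password
# values are placeholders.

# --- Default layout (the footgun) ------------------------------------------
# With no "networks:" section, every service joins the default network,
# which Docker connects to the host. "5432:5432" then binds on every host
# interface, so the database answers to anything that can reach the host.
#
# services:
#   db:
#     image: postgres:16
#     environment:
#       POSTGRES_PASSWORD: change-me
#     ports:
#       - "5432:5432"

# --- Layout matching the commenter's setup ---------------------------------
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: change-me          # placeholder
    # Same mapping the commenter shows. It has no reachable effect here,
    # because the only network this service joins is internal (see below);
    # dropping the line is cleaner, it is kept only to mirror the post.
    ports:
      - "5432:5432"
    networks:
      - backend

  app:
    image: example/app:latest               # placeholder
    environment:
      DATABASE_URL: postgres://postgres:change-me@db:5432/postgres
    networks:
      - backend    # reaches "db" by service name over the isolated bridge
      - frontend   # the one network allowed to touch the outside

networks:
  frontend:
    external: true   # created outside compose, e.g. "docker network create frontend"
  backend:
    internal: true   # no host-side port forwarding, no route to the outside
```

After `docker compose up`, `docker network inspect backend` reports `"Internal": true`, and the commenter's `nc 127.0.0.1 5432` check fails for this layout. If a database really must be reachable from the host (a migration tool run locally, say), publish it to loopback explicitly with `"127.0.0.1:5432:5432"` on a non-internal network rather than relying on the default binding.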
3. akerl_+wg 2025-01-05 18:05:39
>>Fnoord+yd
Nobody is disputing that it is possible to set up a secure container network. But this post is about the fact that the default docker behavior is an insecure footgun for users who don’t realize what it’s doing.