CIS 527



Lab 5.A - Reverse Proxy

Image Source: Linux Handbook

Option 1 - Nginx

services:
  nginx:
    # Floating tag: "alpine" moves with each upstream release, so the proxy
    # image is not reproducible between pulls (pin a digest for a stable lab).
    image: nginx:alpine
    container_name: proxy
    ports:
      - "8080:80"  # host 8080 -> container 80; quoted so the mapping stays a string
    volumes:
      # Read-only mount of the site config templates. The official nginx image
      # expands *.template files from this directory at start-up — confirm
      # against the image version in use.
      - /home/cis527/docker/proxy:/etc/nginx/templates:ro
    networks:
      - default   # implicit project network; has external connectivity
      - internal  # shared only with the backends below
  whoami1:
    image: jwilder/whoami
    container_name: whoami1
    networks:
      - internal  # not on "default": reachable only through the proxy
  whoami2:
    image: jwilder/whoami
    container_name: whoami2
    networks:
      - internal
networks:
  # internal: true removes external connectivity from this network, so the
  # whoami backends cannot be reached from outside except via the proxy.
  internal:
    internal: true

Option 1 - Nginx

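# /home/cis527/docker/proxy/default.conf.template
# Mounted into /etc/nginx/templates (see compose file); the nginx image's
# template step turns it into the active default.conf — verify for the image
# version in use.
#
# Two name-based virtual hosts, each proxied to one whoami backend, plus a
# catch-all. Without the catch-all, any request whose Host header matches
# neither name is served by the first server block (whoami1).
server {
    listen 80;
    server_name one.local;
    location / {
        proxy_pass http://whoami1:8000;
        # Forward the original request name so the backend sees one.local.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any client-supplied X-Forwarded-For; the
        # client part is untrusted, backends should rely on the last hop only.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Stream request and response bodies instead of spooling them.
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        # Only takes effect for statuses that have an error_page directive;
        # none is defined here, so backend errors appear to pass through.
        proxy_intercept_errors on;
    }
}
server {
    listen 80;
    server_name two.local;
    location / {
        proxy_pass http://whoami2:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_intercept_errors on;
    }
}
# Catch-all: requests for any other Host (or none) are dropped rather than
# silently routed to whoami1. 444 closes the connection without a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}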

Option 1 - Nginx

Option 2 - Nginx Proxy

services:
  proxy:
    # ":latest" is a floating tag; what runs depends on when the image was pulled.
    image: jwilder/nginx-proxy:latest
    container_name: proxy
    ports:
      - "8080:80"
    volumes:
      # Security Concern!
      # nginx-proxy discovers containers and their VIRTUAL_HOST settings through
      # the Docker API on this socket. ":ro" only makes the socket file itself
      # read-only; it does not restrict the API requests sent over it, so a
      # process in this container has daemon (= host root) level access.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - default   # implicit project network; has external connectivity
      - internal  # shared only with the backends below
  whoami1:
    image: jwilder/whoami
    container_name: whoami1
    networks:
      - internal
    environment:
      # Routing is driven by these variables, read by the proxy via the socket.
      - VIRTUAL_HOST=one.local
      - VIRTUAL_PORT=8000
  whoami2:
    image: jwilder/whoami
    container_name: whoami2
    networks:
      - internal
    environment:
      - VIRTUAL_HOST=two.local
      - VIRTUAL_PORT=8000
networks:
  # No external connectivity: backends are reachable only through the proxy.
  internal:
    internal: true

Option 2 - Nginx Proxy

Security Concern

  • Uses Docker Socket
  • Allows Discovery of Containers
  • root in container = root on host
  • Secure using TLS
  • Protect via proxy
  • Don't expose to internet!

Option 3 - Traefik Proxy

Image Source: Traefik

Option 3 - Traefik Proxy

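services:
  proxy:
    image: traefik:v2.7
    container_name: proxy
    command:
      # API and dashboard served without authentication on the port published
      # below as 8081; acceptable only on a lab host not reachable from
      # untrusted networks.
      - "--api.insecure=true"
      - "--providers.docker"
      # Route only containers that opt in with traefik.enable=true; otherwise
      # every container visible through the socket gets a route automatically.
      - "--providers.docker.exposedByDefault=false"
    ports:
      - "8080:80"       # proxy
      - "8081:8080"     # web dashboard
    volumes:
      # Security Concern!
      # Traefik reads container labels through the Docker API on this socket.
      # ":ro" only makes the socket file read-only; it does not restrict the
      # API requests sent over it, so this is still daemon (= host root) access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - default   # implicit project network; has external connectivity
      - internal  # shared only with the backends below
  whoami1:
    image: jwilder/whoami
    container_name: whoami1
    networks:
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami1.rule=Host(`one.local`)"
      - "traefik.http.services.whoami1.loadbalancer.server.port=8000"
  whoami2:
    image: jwilder/whoami
    container_name: whoami2
    networks:
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami2.rule=Host(`two.local`)"
      - "traefik.http.services.whoami2.loadbalancer.server.port=8000"
networks:
  # No external connectivity: backends are reachable only through the proxy.
  internal:
    internal: true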

Option 3 - Traefik Proxy

Option 3 - Traefik Proxy

Summary

  • Nginx
  • Nginx Proxy
  • Traefik
  • Many Others

Kubernetes handles this for you