Docker Networking

Hey guys,

This might not be directly traefik related, but it is most likely something you often deal with. Given a bunch of docker services attached to Traefik through a docker network, all these services can also reach each other directly over that network.

     traefik
        |
    traefik-net
      /    \
service1   service2

In this scenario service1 can directly reach service2 through the shared network 'traefik-net'. Other than creating a 'traefik-net-[service]' per service, is there another common practice that I'm overlooking which can be used to ensure isolation between service1 and service2?

Another issue I found is that when "faking" the "Host" header, one can reach all services.
For instance, given the following two SNI names:

Issuing the following cURL command against the External service (and IP):

curl -H "Host: service1.my-internal-domain.lan" https://service1.my-external-domain.com

allows me to serve up the 'internal' site by connecting to the external URL; granted, knowledge of the internal site's name is required, nevertheless I would like to prevent this from being possible.

Uhm, like what? Network is the unit of isolation. If you put two services on the same network, they will be able to access each other directly; if you put them on different networks, they will not. It seems you already know this; what is it that you feel is missing?

Sure. Just do not expose the site via traefik. In this case it will not be reachable. You can use traefik.enable=false for this.

This is of course not very useful, because presumably you want to access the site. Unfortunately you do not give enough information to help you further. Without knowing more about your setup I can suggest setting up a separate isolated docker instance for stuff that you don't want to be accessible, and not exposing this instance the way (which we still do not know) you expose your current one.

Thanks Zespri -- the instances are currently all attached to the same "traefik" instance through two different networks (public-net and private-net). The traefik instance has both a private and a public IP.

When I hit the private IP and pass in the name of one of the internal hosts by faking the host header like "Host: <some.internal.host>", the internal site is served on the external IP.
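An added example (not from the thread or from the Traefik project) showing how both points raised above can be handled with Traefik v2 and docker-compose: each service gets its own network so they cannot reach each other, and the internal router is bound to a separate entrypoint so a faked Host header arriving on the public address matches no router. The service names, images, host addresses (203.0.113.10 / 10.0.0.10) and network names are placeholders; certificate configuration is omitted.

```yaml
# Added example, not from the original thread. Traefik v2 syntax assumed.
version: "3.8"

services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      # Containers are only routed when they opt in with traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      # Two entrypoints inside the container, one per audience
      - "--entrypoints.public.address=:443"
      - "--entrypoints.private.address=:8443"
    ports:
      # Public host IP -> public entrypoint, private host IP -> private entrypoint
      - "203.0.113.10:443:443"
      - "10.0.0.10:443:8443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-net-service1
      - traefik-net-service2

  service1:   # externally reachable site
    image: nginx:alpine
    networks:
      - traefik-net-service1   # own network: no direct path to service2
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.service1.rule=Host(`service1.my-external-domain.com`)"
      - "traefik.http.routers.service1.entrypoints=public"   # answers only on the public entrypoint
      - "traefik.http.routers.service1.tls=true"

  service2:   # internal-only site
    image: nginx:alpine
    networks:
      - traefik-net-service2   # own network: no direct path to service1
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.service2.rule=Host(`service2.my-internal-domain.lan`)"
      # Bound to the private entrypoint only: a request on 203.0.113.10 carrying
      # "Host: service2.my-internal-domain.lan" matches no router and gets a 404
      - "traefik.http.routers.service2.entrypoints=private"
      - "traefik.http.routers.service2.tls=true"

networks:
  traefik-net-service1:
  traefik-net-service2:
```

To verify the isolation, `docker network inspect traefik-net-service1` should list only traefik and service1, and repeating the curl with the faked Host header against the public address should now return Traefik's 404 instead of the internal site.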