Pierre Monier

Reputation: 675

How to block port server from http request

I have Nginx as a reverse proxy to connect client requests to a running Docker container. The problem is that you can access the container by typing serverhost.fr:port_number. I want the client to only access the running container by a specific hostname. Here is my docker-compose.yml file:

version: '3'
services:
    api:
        image: username/backendimgage:latest
        ports:
            - "8081:8000"
        restart: always
    front:
        depends_on:
            - api
        image: username/frontendimage:latest
        ports:
            - "8080:36073"
        restart: always

I've tried to block it with ufw, but it breaks everything. I've tried to send a 401 code on Nginx using an if statement like

if ( $host = serverhost.fr:port_number ){ return 401; } 

OR

if ( $host ~* portnumber ){ return 401; }

But it doesn't work. I don't have a big ops background so I'm kind of lost.

Upvotes: 1

Views: 288

Answers (1)

David Maze

Reputation: 160003

If you're running the nginx proxy outside of Docker, you must connect to the published ports: from your containers.

By default when you publish ports: they're published on all interfaces of the host system. However, you can specify an alternate bind address. If you set a backend service to only publish on the 127.0.0.1 localhost interface, it won't be reachable from off host.

version: '3'
services:
    api:
        image: username/backendimgage:latest
        ports:
            - "127.0.0.1:8081:8000"
            #  ^^^^^^^^^

(If you're trying to connect from one container to another by using its host port – something like http://host.docker.internal:8081 on MacOS/Windows platforms – this will interfere with that, but you should be able to use Docker-native inter-container communication there.)

Upvotes: 2
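
An added example, not part of the answer above: a small audit that reads a compose file's short-syntax ports: entries and reports which ones are still published on every host interface. The function names bind_scope and audit are hypothetical, the sample file is constructed from the question's services, and long-syntax (target:/published:) entries are ignored.

```python
import ipaddress
import re

# Constructed sample: the question's services with only `api` rebound.
SAMPLE = """\
services:
    api:
        ports:
            - "127.0.0.1:8081:8000"
    front:
        ports:
            - "8080:36073"
"""

def bind_scope(mapping):
    """Classify one short-syntax entry: [IP:][HOST_PORT:]CONTAINER_PORT[/proto]."""
    spec = mapping.split("/")[0]              # drop "/tcp" or "/udp"
    if spec.startswith("["):                  # bracketed IPv6 bind address
        host = spec[1:spec.index("]")]
    else:
        parts = spec.split(":")
        host = parts[0] if len(parts) == 3 else None
    if host is None:
        return "all-interfaces"               # no address given: Docker's default
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "single-interface"

def audit(compose_text):
    """Return (service, mapping, scope) for each short-syntax `ports:` entry."""
    findings, stack, in_ports = [], [], False
    for raw in compose_text.splitlines():
        line = raw.split(" #")[0].rstrip()    # strip trailing/whole-line comments
        if not line.strip():
            continue
        item = re.match(r"\s*-\s*['\"]?([^'\"\s]+)['\"]?$", line)
        if in_ports and item:
            findings.append((stack[-1][1], item.group(1), bind_scope(item.group(1))))
            continue
        in_ports = False
        key = re.match(r"(\s*)([\w.-]+):$", line)
        if key:                               # bare "name:" opens a nested block
            while stack and stack[-1][0] >= len(key.group(1)):
                stack.pop()
            in_ports = key.group(2) == "ports"
            if not in_ports:
                stack.append((len(key.group(1)), key.group(2)))
    return findings
```

On the sample, api is reported as loopback while front's "8080:36073" is still all-interfaces, so it needs the same 127.0.0.1 prefix if it should only be reached through the proxy.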
