Timothy Pulliam

Reputation: 142

Gunicorn Docker container only listens on `0.0.0.0`

I am trying to set up an nginx reverse proxy to a gunicorn app server serving up my flask app. The gunicorn container listens on port 5000, and nginx listens on port 80. The problem is that I can still access the app through the browser by visiting localhost:5000, even though I have set gunicorn to listen to localhost of the docker container only, and all requests should pass through the nginx container to the gunicorn container through port 80. This is my setup.

docker-compose.yml

```yaml
version: "3.3"
services:
  web_app:
    build:
      context: .
      dockerfile: Dockerfile.web
    restart: always
    ports:
      - "5000:5000"
    volumes:
      - data:/home/microblog
    networks:
      - web

  web_proxy:
    container_name: web_proxy
    image: nginx:alpine
    restart: always
    ports:
      - "80:80"
    volumes:
      - data:/flask:ro
      - ./nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro
    networks:
      - web

networks:
  web:

volumes:
  data:
```

Dockerfile.web

```dockerfile
FROM python:3.6-alpine

# Environment Variables
ENV FLASK_APP=microblog.py
ENV FLASK_ENVIRONMENT=production
ENV FLASK_RUN_PORT=5000
# Don't copy .pyc files to container
ENV PYTHONDONTWRITEBYTECODE=1

# Security / Permissions (1/2)
RUN adduser -D microblog
WORKDIR /home/microblog

# Virtual Environment
COPY requirements.txt requirements.txt
RUN python -m venv venv
RUN venv/bin/pip install -U pip
RUN venv/bin/pip install -r requirements.txt
RUN venv/bin/pip install gunicorn pymysql

# Install App
COPY app app
COPY migrations migrations
COPY microblog.py config.py boot.sh ./
RUN chmod +x boot.sh

# Security / Permissions (2/2)
RUN chown -R microblog:microblog ./
USER microblog

# Start Application
EXPOSE 5000
ENTRYPOINT ["./boot.sh"]
```

boot.sh

```sh
#!/bin/sh
source venv/bin/activate
flask db upgrade
exec gunicorn --bind 127.0.0.1:5000 --access-logfile - --error-logfile - microblog:app
```

Even though I have set `gunicorn --bind 127.0.0.1:5000`, in stdout of `docker-compose` I see

```text
web_app_1    | [2021-03-02 22:54:14 +0000] [1] [INFO] Starting gunicorn 20.0.4
web_app_1    | [2021-03-02 22:54:14 +0000] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
```

And I am still able to see the website from port 5000 in my browser. I'm not sure why it is listening on 0.0.0.0 when I have explicitly set it to 127.0.0.1.

Upvotes: 1

Views: 2753

Answers (1)

hobbs

Reputation: 240531

Your docker-compose has

```yaml
ports:
  - "5000:5000"
```

which tells the docker-proxy to listen on port 5000 on the host machine and forward requests to the container. If you don't want port 5000 to be externally available, remove this.

Also, it's good that you didn't succeed in making gunicorn listen only to 127.0.0.1; if you did, the web_proxy container wouldn't be able to connect to it. So you may as well undo your attempt to do that.

Upvotes: 6
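
An added example (not part of the original answer or the asker's project): a small Python check for the condition the answer points out, a backend service whose `ports` entry publishes it on the host so it can be reached without going through the proxy. The function names and the sample dict are assumptions made for illustration; the port strings are the ones from the compose file in the question.

```python
import ipaddress

# Constructed input: the `ports` lists from the question's docker-compose.yml.
QUESTION_SERVICES = {"web_app": ["5000:5000"], "web_proxy": ["80:80"]}


def classify_port(entry):
    """Split a short-syntax entry ([IP:][HOST:]CONTAINER[/proto]) and rate its reach."""
    spec = str(entry).split("/")[0]            # drop a trailing /tcp or /udp
    host_ip = "0.0.0.0"                        # Docker publishes on all interfaces by default
    if spec.startswith("["):                   # bracketed IPv6 host address
        host_ip, _, spec = spec[1:].partition("]:")
    elif spec.count(":") >= 2:                 # IPv4:HOST:CONTAINER
        host_ip, _, spec = spec.partition(":")
    host_port, _, container_port = spec.rpartition(":")
    host_port = host_port or "ephemeral"       # no host port given: Docker picks one
    ip = ipaddress.ip_address(host_ip)
    if ip.is_unspecified:
        reach = "all-interfaces"
    elif ip.is_loopback:
        reach = "loopback-only"
    else:
        reach = "specific-address"
    return host_ip, host_port, container_port, reach


def published_backends(services, proxy):
    """List (service, host_ip, host_port, container_port) for every port that a
    service other than the proxy publishes beyond the host's loopback."""
    findings = []
    for name, ports in services.items():
        if name == proxy:
            continue                           # the proxy is meant to be reachable
        for entry in ports:
            host_ip, host_port, container_port, reach = classify_port(entry)
            if reach != "loopback-only":
                findings.append((name, host_ip, host_port, container_port))
    return findings


if __name__ == "__main__":
    for finding in published_backends(QUESTION_SERVICES, "web_proxy"):
        print("bypasses proxy: %s published on %s:%s -> container port %s" % finding)
```

Run against the question's file it reports `web_app`; with the `ports` entry removed from `web_app`, as the answer suggests, it reports nothing.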
