Reputation: 142
I am trying to set up an nginx reverse proxy to a gunicorn app server serving up my flask app. The gunicorn container listens on port 5000, and nginx listens on port 80. The problem is that I can still access the app through the browser by visiting `localhost:5000`, even though I have set gunicorn to listen to localhost of the docker container only, and all requests should pass through the nginx container to the gunicorn container through port 80. This is my setup.
docker-compose.yml

```yaml
version: "3.3"
services:
  web_app:
    build:
      context: .
      dockerfile: Dockerfile.web
    restart: always
    ports:
      - "5000:5000"
    volumes:
      - data:/home/microblog
    networks:
      - web
  web_proxy:
    container_name: web_proxy
    image: nginx:alpine
    restart: always
    ports:
      - "80:80"
    volumes:
      - data:/flask:ro
      - ./nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro
    networks:
      - web
networks:
  web:
volumes:
  data:
```
Dockerfile.web

```dockerfile
FROM python:3.6-alpine

# Environment Variables
ENV FLASK_APP=microblog.py
ENV FLASK_ENVIRONMENT=production
ENV FLASK_RUN_PORT=5000
# Don't copy .pyc files to container
ENV PYTHONDONTWRITEBYTECODE=1

# Security / Permissions (1/2)
RUN adduser -D microblog
WORKDIR /home/microblog

# Virtual Environment
COPY requirements.txt requirements.txt
RUN python -m venv venv
RUN venv/bin/pip install -U pip
RUN venv/bin/pip install -r requirements.txt
RUN venv/bin/pip install gunicorn pymysql

# Install App
COPY app app
COPY migrations migrations
COPY microblog.py config.py boot.sh ./
RUN chmod +x boot.sh

# Security / Permissions (2/2)
RUN chown -R microblog:microblog ./
USER microblog

# Start Application
EXPOSE 5000
ENTRYPOINT ["./boot.sh"]
```
boot.sh

```sh
#!/bin/sh
source venv/bin/activate
flask db upgrade
exec gunicorn --bind 127.0.0.1:5000 --access-logfile - --error-logfile - microblog:app
```
Even though I have set `gunicorn --bind 127.0.0.1:5000`, in stdout of `docker-compose` I see
```
web_app_1 | [2021-03-02 22:54:14 +0000] [1] [INFO] Starting gunicorn 20.0.4
web_app_1 | [2021-03-02 22:54:14 +0000] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
```
And I am still able to see the website from port 5000 in my browser. I'm not sure why it is listening on `0.0.0.0` when I have explicitly set it to `127.0.0.1`.
Upvotes: 1
Views: 2753
Reputation: 240531
Your docker-compose has

```yaml
    ports:
      - "5000:5000"
```

which tells the docker-proxy to listen on port 5000 on the host machine and forward requests to the container. If you don't want port 5000 to be externally available, remove this.
Also, it's good that you didn't succeed in making gunicorn listen only to 127.0.0.1; if you did, the `web_proxy` container wouldn't be able to connect to it. So you may as well undo your attempt to do that.
Upvotes: 6
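
A check for the misconfiguration discussed in this thread, as an added example that is not code from the question or the answer: it parses compose `ports:` entries (short and long syntax) and reports services that are meant to sit behind the proxy but publish a port on a non-loopback host address. The function names, the `public_services` parameter and the inline `COMPOSE` dict (constructed to mirror the question's docker-compose.yml) are assumptions.

```python
import ipaddress

def parse_port(entry):
    """Return (host_ip, published, target) for one compose `ports:` entry."""
    if isinstance(entry, dict):  # long syntax: target / published / host_ip
        return (str(entry.get("host_ip", "")), str(entry.get("published", "")),
                str(entry["target"]))
    spec = str(entry).split("/", 1)[0]   # drop a trailing /tcp or /udp
    parts = spec.rsplit(":", 2)          # rsplit keeps an IPv6 host IP intact
    if len(parts) == 1:                  # "5000": ephemeral host port
        return "", "", parts[0]
    if len(parts) == 2:                  # "5000:5000"
        return "", parts[0], parts[1]
    return parts[0], parts[1], parts[2]  # "127.0.0.1:5000:5000"

def is_loopback(host_ip):
    """True only when the mapping is pinned to a loopback host address."""
    if not host_ip:                      # no host IP: Docker binds all interfaces
        return False
    return ipaddress.ip_address(host_ip.strip("[]")).is_loopback

def exposed_backends(compose, public_services):
    """List (service, host_ip, published, target) for services that are not
    meant to be public but publish a port on a non-loopback host address."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if name in public_services:
            continue
        for entry in svc.get("ports", []):
            host_ip, published, target = parse_port(entry)
            if not is_loopback(host_ip):
                findings.append((name, host_ip or "0.0.0.0",
                                 published or "ephemeral", target))
    return findings

# Constructed input mirroring the services in the question's docker-compose.yml.
COMPOSE = {"services": {
    "web_app": {"ports": ["5000:5000"]},
    "web_proxy": {"ports": ["80:80"]},
}}

if __name__ == "__main__":
    for finding in exposed_backends(COMPOSE, public_services={"web_proxy"}):
        print("published beyond loopback: %s %s:%s -> %s" % finding)
```

With the `ports:` block removed from `web_app`, or changed to `"127.0.0.1:5000:5000"` for host-local debugging, the check returns no findings, while nginx still reaches gunicorn over the shared `web` network.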