By default, when one publishes a port for a container, all interfaces (IP addresses) listen for traffic on that port. There may be instances where we only want to publish the port on a specific IP address.
In the many Docker Compose snippets I usually see, the ports section of the configuration looks something like the following:
ports:
- 8080:3000
- 2432:2432
- 2222:22With the above configuration, all IP addresses (localhost, LAN IP addresses, etc) would be listening for traffic on ports 8080, 2432, or 2222.
While this is desirable for most use cases, there are times we just want to bind, for example, port 2432 to a specific IP address, such as 127.0.0.1 (localhost). We can update the above configuration bit to the following where we add an IP address to the source half for that port:
ports:
- 8080:3000
- "127.0.0.1:2432:2432"
- 2222:22A Use Case: Self-hosted Git Forge
An example use case of this is a self-hosted Git forge such as Forgejo or Gitea. One of the ways one can push/fetch a repository is using SSH
Out of the box, the ports section looks like the following
ports:
- '3000:3000'
- '222:22'Web interface (port 3000) aside, notice that port 222 published to port 22 inside the container. This is because most Linux servers have an SSH server running on them and SSH’s port is 22.
If we keep the configuration as is, our git clone URIs would look like the following
git clone git@forgejo.localdomain:222:username/repo.gitWhat if we wanted to drop the port specification from the URI? With some modifications to our SSH server and the Docker Compose ports section, we can bind port 22 to an IP address to the container.
In order to accomplish this, the server needs to have access to an additional IP address. In the following example, 192.168.10.56 is the IP address of the VM while 192.168.10.59 is the IP address we have allocated for Forgejo.
Reconfigure OpenSSH
Out of the box, OpenSSH is configured to listen on all interfaces. One approach is to change the listening port, but that is undesirable (and misses the point). Instead, we will reconfigure the SSH server to listen on port 22 on a specific IP address (in my case 192.168.10.56).
We add/update the OpenSSH configuration with the following such that it is only listening on 192.168.10.56:
ListenAddress 192.168.10.56Additionally, we need to also override the Systemd ssh.socket unit such that it only listens on 192.168.10.56. To override the ssh.socket unit, run systemctl edit ssh.socket to bring up an editor such that we can override the unit with the following:
[Socket]
ListenStream=
ListenStream=192.168.10.56:22Once that is done, we reload Systemd with systemctl daemon-reload and then restart SSH with systemctl restart ssh.
Reconfigure (Docker) container
Last but not least, we update our Docker Compose config such that we publish port 22 on our second IP address (192.168.10.59)
ports:
- '3000:3000'
- '192.168.10.59:22:22'Now, we should be able to recreate the container such that 192.168.10.59:22 is published to port 22 inside the container. Now our Git URIs get to look like the following (assuming that the DNS record for forgejo.localdomain exists and is pointing at the [second] IP address)
git clone git@forgejo.localdomain:username/repo.gitNote: We can do the same thing to the web interface assuming that we want to simply use what is there and not expose it through a reverse proxy such as Traefik or Nginx.