
I am building a docker service which includes a squid and an icap service. Squid runs on port 3128 and this port is public. The ICAP service runs on port 1344, which I do not want to be public, as this will contain decrypted web traffic. I want this accessible only to squid, which is the icap client.

My question is, how do I set this up so that port 1344 on the e2guardian service is running on a private network that is accessible by squid, but not published where anyone on the "customer" network can use it?

I am including my docker compose file.

The "squidnet" network is really kind of a leftover. I wonder if I can make squidnet private and then share 1344 on squidnet only, but still have 3128 public for the squid service public on the local LAN. How would I change the docker compose file to accommodate this?

Thanks

version: "3"
services:
  squid:
    # replace username/repo:tag with your name and image details
    image: jusschwa/docker-squid-sslbump-rpi
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
    volumes:
      - "/workspace/etc/squid/squid.conf:/usr/local/squid/etc/squid.conf"
      - "/workspace/certs:/usr/local/squid/ssl"
    ports:
      - "3128:3128"
    networks:
      - squidnet
  e2guardian:
    image: jusschwa/e2guardian-rpi
    ports:
      - "1344:1344"
    volumes:
      - "/workspace/etc/e2guardian:/etc/e2guardian"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
    networks:
      - squidnet
networks:
  squidnet:
jusschwa

1 Answer

Use `expose` if you don't want to publish the ports to the host machine. When you use `ports`, it publishes the ports to the host machine. Read more

Mapping container's 3306 to host machine 3306

ports:
 - 3306:3306

Exposing container's 3306 to network

expose:
 - 3306
Ntwobike
    `expose:` doesn’t do much on modern Docker. The port will be reachable from other containers on the same Docker-private network whether you expose it or not. It will not be reachable from non-Docker unless it’s listed in `ports:`. – David Maze Jul 01 '19 at 13:12
  • Interesting, so in this case, if I wanted to access it from the other docker container, would I just point it to 127.0.0.1:1344 or would I have to use some internal docker IP? Thanks for your input! – jusschwa Jul 01 '19 at 15:12
  • Each container has its own `127.0.0.1`, so use `http://e2guardian:1344`. You can refer to the other services by the name of the service. – Ntwobike Jul 01 '19 at 15:16
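Putting the answer and comments together, here is an added example (not from the question or the answer) of the compose file revised so that only 3128 is published: e2guardian loses its `ports:` entry, and the ICAP link is moved onto a network marked `internal: true` so the decrypted traffic never has a host-published port or an outbound route. The `frontnet` network name and the `expose` entry are my additions; the images, volumes and `deploy` blocks are the ones from the question.

```yaml
version: "3"
services:
  squid:
    image: jusschwa/docker-squid-sslbump-rpi
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
    volumes:
      - "/workspace/etc/squid/squid.conf:/usr/local/squid/etc/squid.conf"
      - "/workspace/certs:/usr/local/squid/ssl"
    ports:
      - "3128:3128"          # still published: the proxy port the LAN talks to
    networks:
      - frontnet             # normal bridge network: gives squid its route to the Internet
      - squidnet             # private link to the ICAP server
  e2guardian:
    image: jusschwa/e2guardian-rpi
    # No "ports:" here. Nothing is bound on the host, so 1344 is not reachable
    # from the customer LAN; squid still reaches it over squidnet by service name.
    expose:
      - "1344"               # documentation only; same-network containers can reach it regardless
    volumes:
      - "/workspace/etc/e2guardian:/etc/e2guardian"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
    networks:
      - squidnet             # the only network e2guardian joins
networks:
  frontnet:
  squidnet:
    internal: true           # no external connectivity: an isolated segment for squid <-> ICAP only
```

In squid.conf the ICAP service is then addressed as `e2guardian:1344` (the compose service name resolves inside squidnet), and a quick `ss -ltn` or `docker compose ps` on the host should show 3128 listening but no 1344.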