I am following the instructions in order to secure shinyproxy as per https://shinyproxy.io/security/. Is it possible to run shinyproxy in a container and bind to 127.0.0.1 so that my nginx reverse proxy can forward the request via proxy_pass to 127.0.0.1:8080?

So something like sudo docker run -d -p 127.0.0.1:8080:8080 --net sp-example-net -v /var/run/docker.sock:/var/run/docker.sock shinyproxy_base:localhost where bind-address: 127.0.0.1 in application.yml.

This works if I remove bind-address:127.0.0.1 and change -p 8080:8080 so that shinyproxy is listening on 0.0.0.0, but that is not suggested.

Is the above possible or should I keep the docker container listening on 0.0.0.0?

RickTastic

1 Answer

If a process is set with a bind address of 127.0.0.1, it will be unreachable from outside of its own container (it binds to a container-private localhost interface). Since a container usually only runs one process, this makes the process unreachable.

Setting containerized processes to listen on 0.0.0.0 ("all interfaces") is usually safe. They can be reached from other containers on the same Docker network, but they can't be reached from outside Docker unless you publish that port with a docker run -p option.

For what you're describing, it's reasonable to set the proxy to bind-address: 0.0.0.0, and then limit where it's published using the docker run -p 127.0.0.1:8080:8080 option. Here the address in -p is the address of one of the host's interfaces.

David Maze
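
A check that the -p 127.0.0.1:8080:8080 publish setting described in the answer actually took effect, as an added example that is not part of the original answer: the function reads lines in the format printed by `docker port` and reports any host binding that is not loopback. The sample lines are constructed, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which host addresses a container's ports are published on.
# Input is in the format printed by `docker port`, e.g. "8080/tcp -> 127.0.0.1:8080".

# Print every binding whose host side is not loopback; return 1 if any exist.
exposed_bindings() {
    awk '
        $2 == "->" {
            host = $3
            sub(/:[0-9]+$/, "", host)      # strip the trailing :port
            gsub(/^\[|\]$/, "", host)      # strip [] around IPv6 literals
            if (host !~ /^127\./ && host != "::1") { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample output (not captured from a real host).
# As published with: docker run -p 127.0.0.1:8080:8080 ...
LOOPBACK_ONLY='8080/tcp -> 127.0.0.1:8080'
# As published with: docker run -p 8080:8080 ...
ALL_INTERFACES='8080/tcp -> 0.0.0.0:8080
8080/tcp -> [::]:8080'

# $1 = label, $2 = docker-port-style text; returns 1 when a binding is exposed.
check() {
    if found=$(printf '%s\n' "$2" | exposed_bindings); then
        echo "$1: OK, published on loopback only"
    else
        echo "$1: reachable beyond the host loopback:"
        echo "$found"
        return 1
    fi
}

check "loopback publish" "$LOOPBACK_ONLY"
check "default publish" "$ALL_INTERFACES" || true

# Against a running container, pipe the real output into the function instead:
#   docker port CONTAINER_NAME | exposed_bindings
```

The bind-address inside the container stays 0.0.0.0 in both cases; only the host side of the -p mapping is what this check inspects.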