I am currently running a development stack using Docker-Compose in my company, to provide developers with everything they need to code our applications.
It includes in
BMitch, the odds were good, it was indeed an iptables rules problem, and not a misconfiguration of nginx-proxy.
The default policy of chain INPUT for the table filter was DROP, and no rule was made to ACCEPT requests from the container IPs (127.20.X.X).
So for the record, I give some details of the situation if other people face the same problem.
To access containers from the outside world, Docker puts rules on the PREROUTING and FORWARD chains to allow external IPs to be DNATed from the host IP to the container IPs. These default rules allow any external IP, and that is why limiting access to containers requires some advanced iptables customizations.
See this link for an example: http://rudijs.github.io/2015-07/docker-restricting-container-access-with-iptables/
But if your containers need to access host resources (services running on the host, or in my case, an nginx-proxy container listening on the HTTP/HTTPS host ports and proxying to containers), you need to take care of the iptables rules of the INPUT chain.
In fact, a request coming from the container and addressed to the host will be routed to the host network stack by the Docker daemon, but will then need to pass the INPUT chain (as the request src IP is the host one). So if you want to protect host resources and let containers access them, do not forget to add something like this:
iptables -A INPUT -s 127.20.X.X/24 -j ACCEPT
Where 127.20.X.X/24 is the virtual network on which your containers are running.
Thank you a lot for your help.
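
One way to check for this condition before and after adding the rule, as an added example that is not part of the original post: a simplified first-match model of the INPUT chain run over `iptables -S INPUT` output. The rule listings, the subnet 172.18.0.0/24 and the bridge name br-example are constructed samples; substitute your own compose network's values.

```python
import ipaddress
import shlex

# Constructed `iptables -S INPUT` output (not from the original post).
BEFORE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
# Same chain after appending an ACCEPT for the (hypothetical) container subnet.
AFTER = BEFORE + "-A INPUT -s 172.18.0.0/24 -j ACCEPT\n"


def input_verdict(rules, src, iface, proto, dport):
    """Verdict for a NEW packet: first matching terminal rule, else chain policy.

    Simplified model: only -s, -i, -p, --dport (single port) and --ctstate are
    understood; a rule using any other match or a negation is skipped.
    """
    checks = {
        "-s": lambda v: ipaddress.ip_address(src) in ipaddress.ip_network(v, strict=False),
        "-i": lambda v: v == iface,
        "-p": lambda v: v == proto,
        "--dport": lambda v: v == str(dport),
        "--ctstate": lambda v: "NEW" in v.split(","),
    }
    policy = "ACCEPT"  # kernel default when no -P line is present
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "INPUT"] or "!" in tok:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # option/value pairs
        target = opts.pop("-j", None)
        opts.pop("-m", None)  # module name itself carries no condition
        if any(k not in checks for k in opts):
            continue  # unmodelled match: skip rather than guess
        if target in ("ACCEPT", "DROP", "REJECT") and all(checks[k](v) for k, v in opts.items()):
            return target
    return policy


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, input_verdict(rules, "172.18.0.5", "br-example", "tcp", 443))
```

An external source address still falls through to the DROP policy after the change, so the added rule opens the host only to the container subnet.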