searx-docker
Remove unnecessary published ports
Why are the ports of some services published to the host despite not needing them? Caddy needs them for sure but why do filtron or morty need them?
caddy is bound to the host network: https://github.com/searx/searx-docker/blob/92cdb70360d19711250af6035390f84e5c5ae66f/docker-compose.yaml#L11
The reason: filtron needs the original IP address, and Docker won't send the original IPv6 address if caddy is not bound to the host network (it works with IPv4 addresses). See https://github.com/moby/moby/issues/17666
You can have a look at this PR https://github.com/searx/searx-docker/pull/26 (and for a workaround https://github.com/robbertkl/docker-ipv6nat).
So in this configuration, the filtron and morty ports are exposed.
Just disable Docker's userland proxy, which will become a default in the future.
So in this configuration, the filtron and morty ports are exposed.
Which I think is a really bad default because Docker bypasses ufw by default.
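
Added example, not part of the thread or of the searx-docker project: a small audit that lists compose port mappings published on a non-loopback host address, which is the exposure discussed above. The sample compose text and its port numbers are constructed, only the short `ports:` syntax with two-space indentation is handled, and a mapping without a host IP is assumed to bind to all interfaces (Docker's default).

```python
import ipaddress
import re

# Constructed sample; service names follow the thread, port numbers are made up.
SAMPLE_COMPOSE = """\
services:
  filtron:
    ports:
      - "4040:4040"
      - "127.0.0.1:4041:4041"
  morty:
    ports:
      - "[::1]:3000:3000"
      - "0.0.0.0:3001:3000/tcp"
    expose:
      - "3000"
"""

def host_binding(mapping):
    """Host address a short-syntax mapping ([HOST_IP:][HOST_PORT:]CONTAINER_PORT) binds to."""
    spec = mapping.split("/")[0]               # drop a trailing /tcp or /udp
    bracketed = re.match(r"^\[(.+)\]:", spec)  # IPv6 host address, e.g. [::1]:3000:3000
    if bracketed:
        return bracketed.group(1)
    parts = spec.split(":")
    # No host IP given: assumed Docker default of binding to all interfaces.
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def exposed_ports(compose_text):
    """Return (service, mapping) pairs published on a non-loopback host address."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith(":"):
            if indent == 2:                    # service name under "services:"
                service = stripped[:-1]
            in_ports = stripped == "ports:"
        elif in_ports and stripped.startswith("- "):
            mapping = stripped[2:].strip().strip("\"'")
            if not ipaddress.ip_address(host_binding(mapping)).is_loopback:
                findings.append((service, mapping))
    return findings

if __name__ == "__main__":
    for service, mapping in exposed_ports(SAMPLE_COMPOSE):
        print(f"{service}: {mapping} is published on a non-loopback address")
```

Entries under `expose:` are not flagged because they are not published to the host at all.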