Can I set up the Docker containers so that some are only accessible inside the network and some outside?
Don't add the domains to your DNS. For your intranet containers use a domain such as myservice.myintranet.local, which won't be resolvable from the outside.
If you want extra security, you can create another entrypoint with an IP whitelist. Or you can use labels (read the last 2 rows of that table) if you prefer.
Can I set up traefik to handle routing of the traffic to the correct containers and also handle that some are "external" and some are internal only?
Traefik serves your container based on the Host header, so you only have to set up IP filtering (and not create public DNS records) to protect intranet containers/domains from the outside while still allowing traffic to your public containers/domains.
Can I set up traefik's Let's Encrypt integration to handle encryption of all "external" addresses and keep my own CA's self-signed wildcard certificate for my internal services?
I never tested this, but you could create another entrypoint and use that in your configuration of acme. Ex:
```toml
[entryPoints]
...
[entryPoints.httpsle]
address = ":443"
[entryPoints.httpsle.tls]
[acme]
...
entryPoint = "httpsle"
```
And use that entrypoint with labels for your public sub-domains, to be signed automatically with Let's Encrypt.
What is the simplest way to set this up?
Is using a virtual interface on my server (running Ubuntu) or using another dedicated ethernet port (it has two) the best way?
I think the better approach would be to assign your server 2 IPs in your LAN, one for each ethernet port.
How would I set up traefik to handle traffic on multiple interfaces?
You don't have to set up anything. If you give your server 2 IPs (one for public hosting and one for personal traffic/intranet), it will receive requests to both of them. Traefik will then route the requests to the correct container, based on the Host header.
ufw shows only the ufw configuration; any rules inserted directly in your firewall configuration (with iptables directly or another tool such as docker) without going through ufw are NOT displayed.
Firewall rules in Linux are applied in the order they are listed. When you start a docker container docker will insert the rules your docker containers need before existing rules and the rule-set you maintain with ufw.
In other words, Docker exposing a port takes precedence over subsequent ufw rules closing a particular port.
Check for instance with [sudo] iptables-save what your effective rule set is.
As to why -p 127.0.0.1:8181:8080 works differently: the firewall rule docker creates will still take precedence over your ufw rules, but rather than exposing the port on all interfaces, including to the public, you now instruct docker to be much more restrictive and only expose the port on localhost.
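An added example (not part of the answer above) of the check it recommends: a small shell function that reads `iptables-save` output and reports, for each Docker DNAT rule, whether the published port is reachable on all interfaces or only on loopback. The sample rules are constructed to mimic what Docker writes for `-p 8080:80` and `-p 127.0.0.1:8181:8080`; the chain layout is assumed to be Docker's default DOCKER chain in the nat table.

```shell
# Reads iptables-save text on stdin and prints one line per Docker DNAT rule:
#   <published port> -> <container ip:port> <scope>
# A rule without a "-d 127.x.x.x" match publishes the port on every interface.
docker_exposures() {
  awk '
    /^-A DOCKER / && /-j DNAT/ {
      dst = "0.0.0.0/0"; port = "?"; target = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") dst = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "--to-destination") target = $(i + 1)
      }
      scope = (dst ~ /^127\./) ? "localhost-only" : "ALL-INTERFACES"
      print port, "->", target, scope
    }
  '
}

# Constructed sample (not captured from a real host) of the nat-table rules
# Docker adds for two containers: -p 8080:80 and -p 127.0.0.1:8181:8080.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8181 -j DNAT --to-destination 172.17.0.3:8080
COMMIT'

# With --sample, run on the constructed rules; on a real host use:
#   sudo iptables-save | docker_exposures
if [ "${1:-}" = "--sample" ]; then
  printf '%s\n' "$SAMPLE_RULES" | docker_exposures
fi
```

Any line reported as ALL-INTERFACES is reachable regardless of a later ufw deny rule, which is exactly the ordering problem described above.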
Best Answer
Looks like "for now" it is impossible with Traefik: https://github.com/containous/traefik/pull/4454
So you need something like fail2ban.