Nginx – Docker bridge and nginx allowed ip

Tags: docker, ip-forwarding, nginx

We have a docker bridge containing several docker containers. The main docker is an nginx server which acts as web host and forwards all data to the other containers.

Now a requirement is that the connections are limited to only a specified list of IP addresses. To do this I've edited the nginx server file:

    server {
            allow 127.0.0.0/8;
            deny all;
            ...
    }

This should allow the loopback 127.0.0.1 to connect.

This, however, fails, and looking at the access.log shows why. All rows start with:

    172.25.0.1 - - [10/Apr/2018:08:22:46 +0000] "GET

172.25.0.1 is the Docker bridge network gateway; thus Docker "forgets" the external IPs and I can't filter on them anymore.

How can I filter on IPs? Or forward the source IPs to the docker?

Best Answer

This is expected and is the way docker networking works. By default you end up with something a bit like a virtual network on your docker host. Connections forwarded through from the outside will come to each container via docker0 and NAT.

To overcome that, the simple answer is to use host networking on the nginx container, i.e. the --network host option to the docker run command. See: host networking

Also, read through the docker networking documentation. It's explained more thoroughly there. https://docs.docker.com/network/
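The following is an added example, not code from the question or the answer above: it models nginx's first-match allow/deny evaluation and shows why the rule set in the question denies everything behind the bridge NAT (every request arrives as the gateway 172.25.0.1 from the question), why it works again under host networking, and why "fixing" it by allowing the bridge subnet would instead admit every external client. The access.log lines are constructed for the example.

```python
import ipaddress

# Constructed sample access.log lines (combined format), modelled on the one row quoted in the question.
LOG_LINES = [
    '172.25.0.1 - - [10/Apr/2018:08:22:46 +0000] "GET / HTTP/1.1" 403 153 "-" "curl/7.58.0"',
    '172.25.0.1 - - [10/Apr/2018:08:22:47 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/7.58.0"',
    '172.25.0.1 - - [10/Apr/2018:08:22:48 +0000] "GET / HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
]

BRIDGE_GATEWAY = "172.25.0.1"  # value taken from the question's log excerpt

# The rule set from the question, in nginx's own order.
QUESTION_RULES = [("allow", "127.0.0.0/8"), ("deny", "all")]


def evaluate_rules(client_ip, rules):
    """Mimic nginx allow/deny: rules are checked in order and the first match wins.

    Like nginx, a client that matches no rule at all is allowed.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if cidr == "all" or addr in ipaddress.ip_network(cidr):
            return action
    return "allow"


def source_seen_by_nginx(client_ip, host_networking):
    """Address nginx sees: the real client under host networking, the bridge gateway behind NAT."""
    return client_ip if host_networking else BRIDGE_GATEWAY


def nat_masking_ratio(lines, gateway=BRIDGE_GATEWAY):
    """Fraction of log rows whose source field is the bridge gateway.

    A value near 1.0 is the symptom from the question: NAT is hiding the real clients,
    so any allow/deny list keyed on client address cannot work in that container.
    """
    ips = [line.split(" ", 1)[0] for line in lines if line.strip()]
    if not ips:
        return 0.0
    return sum(ip == gateway for ip in ips) / len(ips)
```

Run `nat_masking_ratio` over a real access.log before changing network mode: if it is close to 1.0 the container is not seeing client addresses, and widening the allow list to the bridge subnet is not a fix (see the last assertion in the test).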