Question

Make docker container accessible from apache only over subdomain

Posted October 22, 2020 608 views
Apache, Node.js, Docker

I have 2 docker containers (1x db and 1x node app) configured:

version: "3.7"
services:
  db:
    image: postgres:alpine
    command: -p 5435
    ports:
      - 127.0.0.1:5435:5435
    environment:
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      PG_PORT: ${DB_PORT}
      POSTGRES_DB: ${DB_NAME}
    volumes:
      - pgdata:/var/lib/postgresql/nodeapp/data
    restart: always
    networks:
      - nodeapp-network
    container_name: nodeapp-db

  web:
    build:
      context: .
      dockerfile: Dockerfile
    depends_on:
      - db
    ports:
      - 13333:3333
    volumes:
      - webapp:/home/node/app
      - /home/node/app/node_modules
    env_file:
      - .env
    environment:
      NODE_ENV: prod
    networks:
      - nodeapp-network
    container_name: nodeapp-app
    hostname: nodeapp-app

volumes:
  pgdata:
  webapp:

networks:
  nodeapp-network:
    driver: bridge

The problem: if I make a request to https://mywebsite.com/13333 I get the exact same content as https://api.mywebsite.com/13333. I want to restrict it and make it possible ONLY with the subdomain.

My apache configuration is below:

httpd.conf:

ServerRoot "/etc/httpd"

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin hi@mywebsite.com

ServerName www.mywebsite.com:80

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

# Load config files in the "/etc/httpd/conf.d" directory, if any.
Include conf.d/*.conf
Include sites-enabled/*.conf

mywebsite-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.mywebsite.com
    ServerAlias mywebsite.com
    DocumentRoot /var/www/mywebsite.com/html
    ErrorLog /var/www/mywebsite.com/log/error.log
    CustomLog /var/www/mywebsite.com/log/requests.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/mywebsite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mywebsite.com/chain.pem
</VirtualHost>
</IfModule>

mywebsite.conf

<VirtualHost *:80>
    ServerName www.mywebsite.com
    ServerAlias mywebsite.com
    DocumentRoot /var/www/mywebsite.com/html
    ErrorLog /var/www/mywebsite.com/log/error.log
    CustomLog /var/www/mywebsite.com/log/requests.log combined 

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mywebsite.com [OR]
    RewriteCond %{SERVER_NAME} =www.mywebsite.com    
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

myapp.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName api.mywebsite.com
        <Proxy *>
            Allow from *
        </Proxy>
        ProxyPass / https://172.22.0.3:3333
    </VirtualHost>
</IfModule>

I have already tried more solutions with redirecting, but nothing worked.

Even after deleting this mywebsite.conf, the API continues to be served at both the domain and the subdomain.

How can I solve this?

Thanks in advance!

1 answer

Hello,

The Apache setup looks correct. What you could do is not to expose the 13333 port, that way the app would be accessible only via the local Docker network on port 3333.

That way only when someone accesses https://api.mywebsite.com they would be able to see the content, otherwise, the 13333 will be unavailable and the port will be accessible from the docker network itself and not the outside world anymore.

Alternatively, you could enable a firewall like UFW for example, and close down the 13333 port, that way you will not have to make changes to your Docker setup, but instead, you will lock down the port so people would not be able to access it.

Regards,
Bobby
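A check for the port exposure discussed in the answer, as an added example that is not part of the original question or answer: it parses Compose short-syntax `ports` entries and reports which ones listen beyond the loopback interface. The function names and the hardened mapping `127.0.0.1:13333:3333` are assumptions made for illustration; the other mappings are copied from the compose file in the question.

```python
import ipaddress

def parse_port(entry):
    """Split a Compose short-syntax port entry into (host_ip, host_port, container_port)."""
    spec = str(entry).split("/", 1)[0]           # drop an optional /tcp or /udp suffix
    host_ip = None
    if spec.startswith("["):                     # bracketed IPv6 host address
        host_ip, spec = spec[1:].split("]:", 1)
    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:      # IPv4 host address given
        host_ip = parts.pop(0)
    if len(parts) == 1:                          # container port only, random host port
        return host_ip, None, parts[0]
    if len(parts) != 2:
        raise ValueError(f"unrecognised port entry: {entry!r}")
    return host_ip, parts[0] or None, parts[1]

def exposure(entry):
    """Classify which host interfaces a published port listens on."""
    host_ip, _, _ = parse_port(entry)
    if host_ip is None:                          # no address: Docker binds all interfaces
        return "all-interfaces"
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:                      # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback-only" if addr.is_loopback else "single-address"

def exposed_beyond_loopback(services):
    """Return (service, entry) pairs that listen on more than the loopback interface."""
    return [(name, entry)
            for name, ports in services.items()
            for entry in ports
            if exposure(entry) != "loopback-only"]

# Port mappings copied from the compose file in the question.
PAGE_PORTS = {"db": ["127.0.0.1:5435:5435"], "web": ["13333:3333"]}
# Constructed variant (assumption): web bound to loopback, as db already is.
HARDENED_PORTS = {"db": ["127.0.0.1:5435:5435"], "web": ["127.0.0.1:13333:3333"]}

if __name__ == "__main__":
    for label, services in (("question", PAGE_PORTS), ("hardened", HARDENED_PORTS)):
        print(label, exposed_beyond_loopback(services))
```

Docker publishes ports through iptables rules it manages itself, so a UFW rule for 13333 may not take effect on its own; removing the mapping or binding it to 127.0.0.1 in the compose file does not depend on host firewall rule ordering.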