disable listening on 0.0.0.0:3000 after enabled custom domain #947
Comments
I think literally disabling the port after adding a domain would not be the right thing to do. I think it would be more sensible to have a toggle or something like that to disable port 3000.
@Siumauricio I agree with your suggestion that a toggle or configuration option to control whether port 3000 is exposed would be a more flexible approach. Switching the listening address to 127.0.0.1:3000 after a custom domain is configured would significantly reduce the attack surface without compromising functionality for most users. As it stands, exposing 0.0.0.0:3000 creates a considerable security risk. A quick search using public asset mapping systems reveals 3,618 Dokploy server IPs with open ports that are accessible over the internet. (Unfortunately I can't disclose the relevant search method in an issue without a security policy configured in this repo.) While I understand the need for flexibility, I believe the following steps should be considered to enhance security:
Current working solution is to remove the published host port binding of the dokploy service. Access through Traefik still works after this.

```
docker service update --publish-rm "published=3000,target=3000,mode=host" dokploy
```

Check the current exposed ports with:

```
docker service inspect dokploy --format '{{.Spec.EndpointSpec}}'
```
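An added example, not part of the thread or the Dokploy project: a Python check that reads `docker service inspect` JSON and reports any port the service spec still publishes, so the removal above can be verified and re-checked after updates. The sample JSON is constructed and trimmed, and the function names and the `allowed` parameter are assumptions of this example.

```python
import json
import sys

# Constructed samples of `docker service inspect dokploy` output, trimmed to
# the fields this check reads. Not captured from a real host.
SAMPLE_BEFORE = """
[{"Spec": {"Name": "dokploy",
           "EndpointSpec": {"Mode": "vip",
                            "Ports": [{"Protocol": "tcp", "TargetPort": 3000,
                                       "PublishedPort": 3000,
                                       "PublishMode": "host"}]}}}]
"""
SAMPLE_AFTER = '[{"Spec": {"Name": "dokploy", "EndpointSpec": {"Mode": "vip"}}}]'


def published_ports(inspect_json):
    """Return (service, published, target, protocol, mode) per published port."""
    found = []
    for svc in json.loads(inspect_json):
        spec = svc.get("Spec", {})
        # "Ports" is absent once the last published port has been removed.
        ports = (spec.get("EndpointSpec") or {}).get("Ports") or []
        for p in ports:
            if p.get("PublishedPort"):
                found.append((spec.get("Name", "?"), p["PublishedPort"],
                              p.get("TargetPort"), p.get("Protocol", "tcp"),
                              p.get("PublishMode", "ingress")))
    return found


def audit(inspect_json, allowed=frozenset()):
    """Return a finding, with the removal command, for each port not allowed."""
    findings = []
    for name, pub, target, proto, mode in published_ports(inspect_json):
        if pub in allowed:
            continue
        fix = (f'docker service update --publish-rm '
               f'"published={pub},target={target},mode={mode}" {name}')
        findings.append({"service": name, "port": f"{pub}/{proto}",
                         "mode": mode, "fix": fix})
    return findings


if __name__ == "__main__":
    # Pipe real output in, or run with no input to see the constructed sample.
    data = SAMPLE_BEFORE if sys.stdin.isatty() else sys.stdin.read()
    results = audit(data)
    for f in results:
        print(f"{f['service']}: {f['port']} published ({f['mode']}) -> {f['fix']}")
    sys.exit(1 if results else 0)
```

Saved under a file name of your choice, it can be fed with `docker service inspect dokploy | python3 <file>`; a non-zero exit status means a port is still published in the service spec.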
The solution @DrJume provides works well and won't be overwritten when updating/restarting Dokploy. Thanks! I think this solution should be mentioned in the official document or just implement the ability to disable listening on 0.0.0.0:3000 directly in the app.
I will close this issue as completed. Thanks @DrJume for the solution and hope this issue may help someone afterwards.
What problem will this feature address?
When configuring a custom domain in the Dokploy panel, the application still listens on 0.0.0.0:3000 through Docker, exposing the service to the public internet. This behavior could lead to unauthorized access, posing a security risk.
Once a custom domain is enabled, external requests should be handled solely through traefik, without directly exposing the Docker container's port. I propose a mechanism to disable Docker's listening on 0.0.0.0:3000 after a custom domain is configured.
Describe the solution you'd like
After configuring a custom domain:
The application should no longer listen on 0.0.0.0:3000/There is a button to disable.
All external traffic should be handled via the reverse proxy, allowing access only through the custom domain.
Describe alternatives you've considered
Automatically change Docker's listening address from 0.0.0.0 to 127.0.0.1 after a custom domain is configured, with all external requests handled by the reverse proxy.
Additional context
No response
Will you send a PR to implement it?
Yes