Feature Request: Support for Specifying Bind IP Address for Containers #213

Open
MyFriendlyUserName opened this issue Dec 29, 2024 · 6 comments

Comments

@MyFriendlyUserName

Description:

It would be helpful to have the ability to specify a bind IP address for the containers. This feature would allow greater control over container network interfaces and improve flexibility in networking configurations. In my environments, I have several different IP addresses on the same network to distinguish between different services.

Use Case:

In scenarios where multiple network interfaces are present, or specific IPs are required for security, routing, or isolation purposes, being able to explicitly bind containers to a particular IP address would ensure that the containers are reachable only through the intended network.

Proposed Solution:

Introduce an option for a corresponding setting in the dialogue that allows users to specify the IP address to which the containers should bind.
Example: "Which IP address do you want to bind Alfresco services? Default: 0.0.0.0"

Thank you!

@aborroy
Contributor

aborroy commented Dec 30, 2024

Do you mean only for the Web Proxy service or for each service (alfresco, share, postgres...)?

@MyFriendlyUserName
Author

> Do you mean only for the Web Proxy service or for each service (alfresco, share, postgres...)?

For each service which has a port bound to the outside world.

Btw., from my point of view, many port bindings are not really necessary, as communication between services should run through container-internal networks.

For example, it is not necessary that the postgres database is reachable from outside. This would also improve security. If one needs access to a service directly for debugging purposes, he could attach to the container, or - if really necessary - could create the port binding manually.

Thank you!

@aborroy
Contributor

aborroy commented Dec 30, 2024

Not sure how to implement this request. By default, only postgres and proxy are exposing ports, so I guess that two new environment variables for the binding IP should be added.

services:
  postgres:
    image: postgres:${POSTGRES_TAG}
    ports:
      - "${BIND_IP_POSTGRES:-0.0.0.0}:5432:5432"
  proxy:
    image: nginx:stable-alpine
    ports:
      - "${BIND_IP_NGINX:-0.0.0.0}:80:80"

Is that customization the one you are asking for?

@MyFriendlyUserName
Author

Hi Angel,

thank you for your response!

Some additions from my side:

The alfresco service adds ports as well when using ftp:

ports:
  - 2121:2121
  - 2433:2433
  - 2434:2434

The solr6 service also exposes a port (from my point of view, this port should not be accessible from outside):

ports:
  - 8983:8983

The activemq service also exposes a port (from my point of view, this port should not be accessible from outside):

ports:
  - 8161:8161

phpldapadmin exposes a port (maybe it would be a good idea to make this only accessible via ingress (nginx/traefik); then one could add more security to this sensitive service. In most cases, it should be reachable only for administrators):

ports:
  - 8088:80

Your proposal is perfect for those ports which should be accessible from outside! As mentioned in my previous post: I wouldn't expose the database to the outside world for security reasons.

Thank you!

/Thomas

@aborroy
Contributor

aborroy commented Jan 3, 2025

Then a summary of the request would be:

  • Provide an option to restrict the nginx to bind only to a specific IP address
  • Provide an option to restrict ftp ports to bind only to a specific IP address
  • Remove port mappings for databases, solr6 and activemq
  • Remove the port mapping for phpldapadmin in Docker Compose and configure it behind nginx instead

Is that right?

@MyFriendlyUserName
Author

Yeah, that would be great! Thank you!
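
A way to check a generated Compose file against the summary agreed above, as an added example that is not part of the issue thread or the project's code. It resolves `${VAR:-default}` in short-syntax port mappings and reports which ones still publish on all interfaces or belong to a service that should stay internal. The `SERVICES` data is constructed from the snippets in this thread, and `192.0.2.10` and the function names are assumptions; long-syntax (`target:`/`published:`) mappings are not handled.

```python
import re

# Compose-style interpolation: ${VAR:-default} or ${VAR}
VAR_RE = re.compile(r"\$\{(\w+)(?::-([^}]*))?\}")
ALL_INTERFACES = {"0.0.0.0", "::", ""}

def interpolate(value, env):
    """Resolve ${VAR:-default}; an unset or empty variable falls back to the default."""
    return VAR_RE.sub(lambda m: env.get(m.group(1)) or (m.group(2) or ""), value)

def host_ip(mapping, env):
    """Return the host address that a short-syntax port mapping binds to."""
    spec = interpolate(str(mapping), env).split("/")[0]  # drop /tcp or /udp
    parts = spec.rsplit(":", 2)                          # keeps IPv6 colons in parts[0]
    # HOST:CONTAINER or a bare CONTAINER port names no address: all interfaces.
    return parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"

def audit(services, env, internal):
    """Return (service, mapping, finding) tuples for port mappings worth reviewing."""
    findings = []
    for name, ports in services.items():
        for mapping in ports:
            ip = host_ip(mapping, env)
            if name in internal:
                findings.append((name, mapping, "internal service published on " + ip))
            elif ip in ALL_INTERFACES:
                findings.append((name, mapping, "bound to all interfaces"))
    return findings

# Constructed sample: port lists as quoted in this thread.
SERVICES = {
    "postgres": ["${BIND_IP_POSTGRES:-0.0.0.0}:5432:5432"],
    "proxy": ["${BIND_IP_NGINX:-0.0.0.0}:80:80"],
    "alfresco": ["2121:2121", "2433:2433", "2434:2434"],
    "solr6": ["8983:8983"],
    "activemq": ["8161:8161"],
}
# Services the summary says should have no port mapping at all.
INTERNAL = {"postgres", "solr6", "activemq"}
# Assumed environment: only the proxy bind address has been set (documentation IP).
ENV = {"BIND_IP_NGINX": "192.0.2.10"}

if __name__ == "__main__":
    for service, mapping, finding in audit(SERVICES, ENV, INTERNAL):
        print(f"{service:10} {mapping:45} {finding}")
```

With only `BIND_IP_NGINX` set, the proxy passes while the ftp ports and the three internal services are still reported, which matches the four items in the summary.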
