restrict IP binding

padhi-homelab · Dec 21, 2024 · ebcd0fb · ebcd0fb
1 parent b51ffb1
commit ebcd0fb
Show file tree

Hide file tree

Showing 10 changed files with 22 additions and 17 deletions.
diff --git a/airdcpp/docker-compose.ports.yml b/airdcpp/docker-compose.ports.yml
@@ -1,4 +1,4 @@
 services:
   openvpn:
     ports:
-    - 15432:5432 # SOCKS proxy
+    - ${SERVER_LAN_BINDING_IP:?}:15432:5432 # SOCKS proxy
diff --git a/certbot/docker-compose.ports.yml b/certbot/docker-compose.ports.yml
@@ -1,4 +1,4 @@
 services:
   certbot:
     ports:
-    - 80:80
+    - ${SERVER_WAN_BINDING_IP:?}:80:80
diff --git a/indexarr/docker-compose.ports.yml b/indexarr/docker-compose.ports.yml
@@ -1,4 +1,4 @@
 services:
   openvpn:
     ports:
-    - 25432:5432 # SOCKS proxy
+    - ${SERVER_LAN_BINDING_IP:?}:25432:5432 # SOCKS proxy
diff --git a/influxdb/docker-compose.ports.yml b/influxdb/docker-compose.ports.yml
@@ -1,4 +1,4 @@
 services:
   influxdb:
     ports:
-    - 8086:8086
+    - ${SERVER_LAN_BINDING_IP:?}:8086:8086
diff --git a/kodi_db/docker-compose.ports.yml b/kodi_db/docker-compose.ports.yml
@@ -1,4 +1,4 @@
 services:
   mariadb:
     ports:
-    - 3306:3306
+    - ${SERVER_LAN_BINDING_IP:?}:3306:3306
diff --git a/qbittorrent/docker-compose.ports.yml b/qbittorrent/docker-compose.ports.yml
@@ -1,4 +1,4 @@
 services:
   openvpn:
     ports:
-    - 35432:5432 # SOCKS proxy
+    - ${SERVER_LAN_BINDING_IP:?}:35432:5432 # SOCKS proxy
diff --git a/static.global.env b/static.global.env
@@ -1,9 +1,11 @@
+SERVER_LAN_BINDING_IP=0.0.0.0
 SERVER_LAN_FQDN=my.host.lan
 SERVER_LAN_HTTP_PORT=9080
 SERVER_LAN_HTTPS_PORT=9443
 
 SERVER_LETS_ENCRYPT_ACME_EMAIL=[email protected]
 SERVER_LETS_ENCRYPT_ACME_CA_SERVER_USE_STAGING=YES
 
+SERVER_WAN_BINDING_IP=0.0.0.0
 SERVER_WAN_FQDN=my.host.wan
 SERVER_WAN_HTTPS_PORT=443
diff --git a/teslamate/docker-compose.ports.yml b/teslamate/docker-compose.ports.yml
@@ -1,4 +1,7 @@
 services:
   mqtt:
     ports:
+    # FIXME: For accessing from other containers (hass) on the SAME machine,
+    # SERVER_IP needs to be explicitly specified.
+    # see https://stackoverflow.com/a/69994721/554436
     - ${SERVER_IP:?}:1883:1883
diff --git a/traefik/docker-compose.ports.yml b/traefik/docker-compose.ports.yml
@@ -1,7 +1,7 @@
 services:
   traefik:
     ports:
-    - 34443:34443
-    - ${SERVER_WAN_HTTPS_PORT:?}:${SERVER_WAN_HTTPS_PORT:?}
-    - ${SERVER_LAN_HTTP_PORT:?}:${SERVER_LAN_HTTP_PORT:?}
-    - ${SERVER_LAN_HTTPS_PORT:?}:${SERVER_LAN_HTTPS_PORT:?}
+    - ${SERVER_LAN_BINDING_IP:?}:34443:34443
+    - ${SERVER_WAN_BINDING_IP:?}:${SERVER_WAN_HTTPS_PORT:?}:${SERVER_WAN_HTTPS_PORT:?}
+    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTP_PORT:?}:${SERVER_LAN_HTTP_PORT:?}
+    - ${SERVER_LAN_BINDING_IP:?}:${SERVER_LAN_HTTPS_PORT:?}:${SERVER_LAN_HTTPS_PORT:?}
diff --git a/unifi/docker-compose.ports.yml b/unifi/docker-compose.ports.yml
@@ -1,10 +1,10 @@
 services:
   unifi:
     ports:
-    - "3478:3478/udp"   # STUN
-   #- "6789:6789/tcp"   # Speed test
-    - "8080:8080/tcp"   # Device/ controller comm.
-    - "8443:8443/tcp"   # Controller GUI/API as seen in a web browser
-   #- "8880:8880/tcp"   # HTTP portal redirection
-   #- "8843:8843/tcp"   # HTTPS portal redirection
-    - "10001:10001/udp" # Layer 2 discovery
+    - ${SERVER_LAN_BINDING_IP:?}:3478:3478/udp   # STUN
+   #- ${SERVER_LAN_BINDING_IP:?}:6789:6789/tcp   # Speed test
+    - ${SERVER_LAN_BINDING_IP:?}:8080:8080/tcp   # Device/ controller comm.
+    - ${SERVER_LAN_BINDING_IP:?}:8443:8443/tcp   # Controller GUI/API as seen in a web browser
+   #- ${SERVER_LAN_BINDING_IP:?}:8880:8880/tcp   # HTTP portal redirection
+   #- ${SERVER_LAN_BINDING_IP:?}:8843:8843/tcp   # HTTPS portal redirection
+    - ${SERVER_LAN_BINDING_IP:?}:10001:10001/udp # Layer 2 discovery