Secure Your Docker Port Mappings

When using Docker, a standard port mapping like 3000:3000 links the host machine’s port to the container’s port. This makes your application accessible to anyone on your network via the host’s IP (e.g., http://192.168.44.123:3000).

Restricting Access with a Reverse Proxy

If you use a reverse proxy to provide a clean URL like https://application.your-domain.com, you likely want to disable direct IP access for better security.

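To prevent outside traffic from bypassing your proxy, restrict the port mapping to the local loopback address. Change your mapping from 3000:3000 to 127.0.0.1:3000:3000.

This ensures the port is only reachable from the host machine itself (including a reverse proxy running directly on that host), effectively blocking external requests to the raw IP and port. A proxy that runs in its own container on a Docker bridge network cannot reach the host's 127.0.0.1; in that setup, connect the proxy and the application over a shared Docker network instead.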

Docker Compose Example

services:
  web-app:
    image: your-application
    ports:
      # Restricts access to the local host only
      - "127.0.0.1:3000:3000" 

Why this works

By default, Docker binds published ports to 0.0.0.0 (all available network interfaces). Specifying 127.0.0.1 makes Docker publish the port only on the host's loopback address.

The Result:

  • Reverse Proxy: Can still “see” the app because it lives on the same host.
  • External Users: Cannot connect via IP:3000 because the port is closed to the outside network.
  • Security: Your SSL and authentication rules on the proxy can no longer be bypassed.
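
To check which running containers still publish ports beyond loopback, here is an added example (not part of the original page). The function reads `docker ps --format '{{.Names}}\t{{.Ports}}'` output; the container names and port lines in `sample_ps_output` are constructed so the script runs without Docker.

```shell
#!/bin/sh
# Added example: list published ports that are reachable beyond loopback.
# Expects "name<TAB>ports" lines, as printed by:
#   docker ps --format '{{.Names}}\t{{.Ports}}'
find_exposed_ports() {
    awk -F '\t' '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue          # exposed in the image, not published
            bind = m
            sub(/:[0-9-]+->.*/, "", bind)     # keep only the host bind address
            # Loopback binds (127.0.0.0/8 and ::1) are the hardened case
            if (bind ~ /^127\./ || bind == "[::1]" || bind == "::1") continue
            print $1 "\t" m
        }
    }'
}

# Constructed sample input (hypothetical container names).
sample_ps_output() {
    printf 'web-app\t127.0.0.1:3000->3000/tcp\n'
    printf 'legacy-api\t0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp\n'
    printf 'worker\t9000/tcp\n'
}

# Demo on the sample; on a real host, pipe the docker ps command above instead.
sample_ps_output | find_exposed_ports
```

Every line printed is a mapping that bypasses the proxy; an empty result means all published ports are loopback-only.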