docs: Add documentation for IP:HOST_PORT:CONTAINER_PORT syntax #22511
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -36,7 +36,57 @@ Now, any traffic sent to port `8080` on your host machine will be forwarded to p | |
|
|
||
| > [!IMPORTANT] | ||
| > | ||
| > When a port is published, it's published to all network interfaces by default. This means any traffic that reaches your machine can access the published application. Be mindful of publishing databases or any sensitive information. See [Binding to specific network interfaces](#binding-to-specific-network-interfaces) below, and [learn more about published ports here](/engine/network/#published-ports). | ||
|
|
||
| ### Binding to specific network interfaces | ||
|
|
||
| By default, when you publish a port, Docker binds to all network interfaces (`0.0.0.0`). However, there are scenarios where you might want to restrict access to a specific network interface or IP address. You can do this by using the extended port syntax: | ||
|
|
||
| ```console | ||
| $ docker run -d -p IP:HOST_PORT:CONTAINER_PORT nginx | ||
| ``` | ||
|
|
||
| - `IP`: The specific IP address or network interface on your host to bind to | ||
| - `HOST_PORT`: The port number on your host machine | ||
| - `CONTAINER_PORT`: The port number within the container | ||
|
|
||
| For example, if you want to make your container accessible only on localhost (127.0.0.1), you can use: | ||
|
|
||
| ```console | ||
| $ docker run -d -p 127.0.0.1:8080:80 nginx | ||
| ``` | ||
|
|
||
| This restricts access to the container's port 80 to only local connections on your host's port 8080. External machines on your network would not be able to access this service. You can verify the binding with `docker ps`: | ||
|
|
||
| ```console | ||
| $ docker ps | ||
| CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES | ||
| a527355c9c53 nginx "/docker-entrypoint.…" 4 seconds ago Up 3 seconds 127.0.0.1:8080->80/tcp elegant_newton | ||
| ``` | ||
|
|
||
| #### Common use cases for IP binding | ||
|
|
||
| - **Security**: Binding to localhost (127.0.0.1) to prevent external access to services like databases | ||
| - **Multi-homed hosts**: Binding to specific network interfaces on servers with multiple IP addresses | ||
|
Member
There was a problem hiding this comment. This is not true — and this is where the claim that it can bind to a specific interface may instill a false sense of security. If a port is mapped to a specific IP address, and the host has multiple interfaces, that IP address will be accessible through all interfaces by default. This can be easily tested with the following commands on a host running the Engine (or from a dind container): The 'multi-homed host' here is a dind container that has its original IP address (e.g. You can then start a container targeting a specific HostIP: Finally, we can test whether If users don't want that behavior, they need to set up firewall rules. (I'm not sure if that's clearly documented though.) However, note that this is not true for loopback addresses (i.e. |
||
| - **Service isolation**: Limiting which network segments can access certain containers | ||
|
|
||
| #### In Docker Compose | ||
| You can also use the IP binding syntax in your Docker Compose files: | ||
|
|
||
| ```yaml | ||
| services: | ||
| webapp: | ||
| image: nginx | ||
| ports: | ||
| - "127.0.0.1:8080:80" | ||
|
|
||
| database: | ||
| image: postgres | ||
| ports: | ||
| - "127.0.0.1:5432:5432" | ||
| ``` | ||
|
|
||
| This configuration ensures your database is only accessible from the host machine itself, adding a layer of security to your application stack. You can also set a default bind address for all containers using the `host_binding_ipv4` configuration parameter. This allows you to change the default binding from `0.0.0.0` to a specific IP address. For more information, see [Setting the default bind address for containers](/engine/network/packet-filtering-firewalls/#setting-the-default-bind-address-for-containers). | ||
|
|
||
| ### Publishing to ephemeral ports | ||
|
|
||
|
|
@@ -125,6 +175,8 @@ If you’d like to dive in deeper on this topic, be sure to check out the follow | |
|
|
||
| * [`docker container port` CLI reference](/reference/cli/docker/container/port/) | ||
| * [Published ports](/engine/network/#published-ports) | ||
| * [Network drivers](/engine/network/drivers/) - Learn more about Docker's networking capabilities | ||
| * [Docker network command](/engine/reference/commandline/network/) - Reference for the `docker network` command | ||
|
|
||
| ## Next steps | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In terms of BSD socket API, binding to a specific interface isn't the same as binding on a specific IP address — both can be combined. This is done via SO_BINDTODEVICE.
I think we should not conflate both here. The Engine doesn't support binding to a specific interface, but it supports binding to a specific HostIP.