• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Exposing Docker container ports for localhost only

Michael Lux

New Pleskian
Hello everybody,

recently, we started using the Docker extension of Plesk.
Personally, I think that this extension is - in theory - a brilliant idea.
However, when it comes to the details of implementation, I think that some things have not really been thought through to the end.
This is because of the way Docker interacts with iptables:
By default, it exposes ports to the whole world, not just to localhost!
Even worse, the nat entries used for that seem to "bypass" the protection rules of firewalld (apart from other problems with firewalld and Docker).

Now, when I start a redis instance with the Docker extension, it takes only minutes until the instance is attacked from the outside.
According to Is there a way to bind a docker container to localhost only? this could be solved on the command line, but our "managed hosting" does only allow full access to Plesk, not to the (root) shell of the underlying OS.

Is the any planned feature for the Docker extension to limit the port exposing to localhost?
Is there maybe something the technical support (those have root access) could do to prevent Docker from interfering with iptables altogether?

Best,
Michael
 
Hi Michael,

We know about this limitation and plan to fix it in one of the next releases, but I have no any ETA for this update.
 
Good to hear that it's at least somehow on the agenda.
How do you plan to fix this?
In fact, an embarrassingly simple change allowing the specification of a binding IP with the port would be perfectly sufficient. The only problem is that the current filter won't let me do this and instead reply "invalid port specification: "127.0.0.1:6379"".
 
Hello everybody,

recently, we started using the Docker extension of Plesk.
Personally, I think that this extension is - in theory - a brilliant idea.
However, when it comes to the details of implementation, I think that some things have not really been thought through to the end.
This is because of the way Docker interacts with iptables:
By default, it exposes ports to the whole world, not just to localhost!
Even worse, the nat entries used for that seem to "bypass" the protection rules of firewalld (apart from other problems with firewalld and Docker).

Now, when I start a redis instance with the Docker extension, it takes only minutes until the instance is attacked from the outside.
According to Is there a way to bind a docker container to localhost only? this could be solved on the command line, but our "managed hosting" does only allow full access to Plesk, not to the (root) shell of the underlying OS.

Is the any planned feature for the Docker extension to limit the port exposing to localhost?
Is there maybe something the technical support (those have root access) could do to prevent Docker from interfering with iptables altogether?

Best,
Michael
Hi,
in my case I use some firewall rules and seems to be ok.

Issue seems to be related to Centos, because even without addtional firewall rules, containers ports are not accessible from the outside (I have tried with MariaDB and redis-server, and no way to login from another server) on my Ubuntu server
 
Hi,
in my case I use some firewall rules and seems to be ok.

Have you checked what happens when you restart dockerd and the container, or even the whole system?
Cause our support told me that the most likely reason for this "solution" to work is that the Plesk firewall seems to delete the nat entries of Docker.
So, did you verify that this is indeed a solution and not just a side-effect?
 
Issue seems to be related to Centos, because even without addtional firewall rules, containers ports are not accessible from the outside (I have tried with MariaDB and redis-server, and no way to login from another server) on my Ubuntu server

Interesting... because this not an issue, but the intended behavior according to the Docker extension docs, see [1]:
"Important: If port mapping is configured, Docker binds to the specified port on all network interfaces of the host system. Usually, this means that the application can be accessed from anywhere. Docker presumes that authentication is carried out by the application itself, but sometimes it is not so (for example, MySQL does not allow anonymous access by default, but redis does).
Plesk cannot determine what service is installed in a specific Docker container, and cannot control access to it. If you need to prohibit access to the application from outside Plesk, do it manually using the firewall on the host system."

[1] Using Docker
 
Interesting... because this not an issue, but the intended behavior according to the Docker extension docs, see [1]:
"Important: If port mapping is configured, Docker binds to the specified port on all network interfaces of the host system. Usually, this means that the application can be accessed from anywhere. Docker presumes that authentication is carried out by the application itself, but sometimes it is not so (for example, MySQL does not allow anonymous access by default, but redis does).
Plesk cannot determine what service is installed in a specific Docker container, and cannot control access to it. If you need to prohibit access to the application from outside Plesk, do it manually using the firewall on the host system."

[1] Using Docker

I haven't set any additional rules in Plesk firewall. Port mapping is configured on my two containers, 3307 -> 3306 for MySQL, 6380 -> 6379 for Redis but even by scanning those ports with nmap, ports are not accessibles from outside.
 
I haven't set any additional rules in Plesk firewall. Port mapping is configured on my two containers, 3307 -> 3306 for MySQL, 6380 -> 6379 for Redis but even by scanning those ports with nmap, ports are not accessibles from outside.
Are you using the Plesk firewall? If so, did you enable it before or after starting the containers?
Because starting the firewall appeared to solve the problem for me as well... until I had to restart dockerd, which recreated the nat entries and made the ports world-open again...
 
Hi, sorry to dig up this thread but I think it's better than reopening a new one, this concern is still present ...

Even worse actually, when applying the "hack" with the Plesk firewall, my container stops by itself, as if Docker notices that iptables modify a port of a container that belongs to it, and restarts then reopens his ports on its own , I do not know if it is specific to my container (linuxserver/bookstack) or to Docker, anyway it slows me down to use Plesk Docker extension, at least for now :/

I really hope the Docker extension for Plesk will be updated to fix this huge problem (And others that would be good too), add basic functions of Portainer for example, but above all add the support of Docker Compose this would be very great
 
Back
Top