Isolate containers from net, use proxy for access #10
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The idea is to disallow outside access from any of the immich containers. This won't work if you're running e.g. the ML container on a separate machine. This adds a new proxy container that runs nginx to provide access from outside to the immich web port and the postgres db port (for backups). Then we set the pod network to "none" meaning that containers in the pod only have the loopback interfaces. They can talk to each other, but not to the outside world. The outside world can access it through a systemd socket and the proxy.
jbtrystram
requested changes
Sep 5, 2024
There was a problem hiding this comment.
Thanks you for your suggestion.
However this will breaks some setups if running the machine-learning container. Maybe move that into a isolated directory and add a README there explaining the reasonning ?
edit : sorry for my reaction time ! I was away from computers for a while then haven't had the time to look until now
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The idea is to disallow outside access from any of the immich containers.
This won't work if you're running e.g. the ML container on a
separate machine.
This adds a new proxy container that runs nginx to provide access from
outside to the immich web port and the postgres db port (for backups).
Then we set the pod network to "none" meaning that containers in the pod
only have the loopback interfaces. They can talk to each other, but not
to the outside world.
The outside world can access it through a systemd socket and the proxy.