英文:
Container network exposing only one container
问题
以下是翻译好的部分:
我有一个docker-compose文件,它引用了两个镜像来构建容器和默认网络。
这两个镜像分别是一个React Web应用程序和一个Dotnet Core Web API。当我运行docker-compose文件时,正如您所知,它会创建两个容器,并连接到默认网络。
当docker-compose文件部署后,我可以访问这两个容器,可以看到React Web应用程序,并使用浏览器或Postman调用API。当然,React应用程序可以调用API。
我的问题是,有没有办法避免API从默认网络之外变得“公开”?我希望只有React应用程序可以调用API,而不是浏览器或Postman。
以下是docker-compose文件:
version: "3.9"
services:
front-app:
image: <image>
build: <image path>
ports:
- "3000:80"
links:
- back-app
back-app:
image: <image>
build: <image path>
ports:
- "5000:5000"
- "5001:5001"
environment:
- ASPNETCORE_HTTP_PORT=https://+:5001
- ASPNETCORE_URLS=http://+:5000
我是Docker世界的新手,我认为这是一个相当简单的docker-compose文件,但如果您发现有什么问题,请告诉我。
谢谢。
英文:
I have a docker-compose file, which refers to two images to build the container and the default network.
Those images are a react web app and a Dotnet core web API. When I run the docker-compose file, as you know, it creates two containers with the default network.
When the docker-compose file is deployed, I can access both containers, I can see the react web app, and use the browser or postman to do a call to the API. Of course, the react app is able to call the API.
My question is, is there a way to avoid the API being "public" from outside the default network? What I want is for only the react app can call the API, not a browser or postman.
Here is the docker-compose file
version: "3.9"
services:
front-app:
image: <image>
build: <image path>
ports:
- "3000:80"
links:
- back-app
back-app:
image: <image>
build: <image path>
ports:
- "5000:5000"
- "5001:5001"
environment:
- ASPNETCORE_HTTP_PORT=https://+:5001
- ASPNETCORE_URLS=http://+:5000
I am new in this world of docker, I think is a pretty simple docker-compose file, but if you see something wrong, please, let me know.
Thank you.
答案1
得分: 1
这是您要翻译的部分:
Is there a way to avoid the API being "public" from outside the default network? What I want is for only the react app can call the API, not a browser or postman.
这不太可能,无论是 Docker 还是其他方式。关键在于 React 应用程序在最终用户的浏览器中运行,而不是在容器中,在它调用 API 服务时,这些调用来自于 Docker 外部(在非开发环境中来自不同的主机)。这些调用确实来自浏览器,而您不能可靠地区分您的应用程序与其他调试工具(如 Postman 或 Curl)中的 JavaScript 代码。
将两部分都放在反向代理后面可以是一个良好的实践,这样浏览器应用程序可以请求仅包含路径的 URL,如 /api/...,而无需主机名(避免了跨源资源共享(CORS)的问题以及需要将主机名嵌入应用程序代码的问题)。如果您这样做,那么您可以删除其他 ports: 块。但是,您的 API 仍然必须通过该反向代理公开访问。
英文:
> Is there a way to avoid the API being "public" from outside the default network? What I want is for only the react app can call the API, not a browser or postman.
This isn't possible, Docker or otherwise. The important part is that the React application runs in the end user's browser, not a container, and when it makes calls to the API service those calls come from outside Docker (and in non-developer environments from a different host). Those calls are coming from a browser, and you can't reliably distinguish your application from other Javascript code from debugging tools like Postman or Curl.
Putting both parts behind a reverse proxy can be a good practice, and can allow the browser application to request path-only URLs like /api/... without a host name (avoiding problems both with CORS and with needing to embed a host name in the application code). If you do that then you can remove the other ports: blocks. Your API still must be publicly accessible via that reverse proxy, though.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论