Advise needed: How to secure rancher driven application itself so that it can ONLY be accessed thru rap?

[hanselke]

So this is more of a rancher question, but i wish to restrict access to all applications whichcurrently have domain names driven by rap so that it only ever goes thru the nginx-proxy.

Purpose is to be able to install nginx-lua into rap, so that i'm able to run lua scripts against every connection.

How would this be accomplished?

I was thinking that we do not define any ports at all for all applications within the application config.
This is probably the easiest way to stop rancher from opening those public ports.

then make rap.port mandatory so that rap will always know which ports are needed , and have rancher active proxy make a docker --link with every container that needs to be proxied?

[adi90x]

If there is no external mapped port for containers they will only be accessible via RAP no ?

[hanselke]

I dont think so. when there is no external port for container, i think RAP just doesnt do anything hansel

…

On 28 Feb 2018, 4:52 AM +0800, adi90x ***@***.***>, wrote: If there is no external mapped port for containers they will only be accessible via RAP no ? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[adi90x]

No external port for RAP containers or the others ? As main goal of RAP, is to route trafic from one input port(80/http most of the time) to several containers not exposing a port on the outside of rancher, lets say you have RAP exposing & listening on port 80 of host, then you can have unlimited number of Web containers exposing 80 but not listening on host port and RAP will route input trafic based on hostname Is it clearer ? Le 28 févr. 2018 04:59, "hansel" <notifications@github.com> a écrit :

…

I dont think so. when there is no external port for container, i think RAP just doesnt do anything hansel On 28 Feb 2018, 4:52 AM +0800, adi90x ***@***.***>, wrote: > If there is no external mapped port for containers they will only be accessible via RAP no ? > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub, or mute the thread. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#43 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AKpqdKfcCK3rFfBW1HkZ3g6BrAjfSUBKks5tZM86gaJpZM4R_esP> .