Restrict access to nginx server location to a specific Docker container with "allow" directive
Think differently :)
Bind an additional nginx server (vhost) on port 10080; that server offers the status location and whatever else you need.
The server on 80/443 is also there, and ONLY that one is bound/exposed to the host (exposed to the outer world).
Since datadog is part of your docker network / service network, it can still access 10080 on the internal network, but nobody else from the outer network can.
Bulletproof, easy - no strings attached.
Since we are running the service through docker-compose, and our issue is that we don't know the IP of the agent, the simple solution is to know the IP before starting. That means assigning our agent a specific IP.
Here is an updated docker-compose to do that:
```yaml
version: '2'
services:
  flask:
    restart: always
    image: me/flask-app
    command: /home/app/flask/start_app.sh
    expose:
      - "8080"
  nginx:
    restart: always
    build: ./nginx
    command: /runtime/start_nginx.sh
    ports:
      - "80:80"
      - "443:443"
    expose:
      - "81"
    volumes:
      - app-static:/app-static:ro
    links:
      - flask:flask
    networks:
      agent:
        ipv4_address: 172.25.0.101
      default:
  datadog-agent:
    image: me/datadog-agent
    env_file: ./datadog-agent/dev.env
    links:
      - flask
      - nginx
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /proc/mounts:/host/proc/mounts:ro
      - /sys/fs/cgroup:/host/sys/fs/cgroup:ro
    networks:
      agent:
        ipv4_address: 172.25.0.100
networks:
  agent:
    driver: bridge
    ipam:
      config:
        - subnet: 172.25.0.0/24
volumes:
  app-static:   # named volume mounted read-only into the nginx service
```
Now you can do two things:
```nginx
server {
    listen 172.25.0.101:81;
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow 172.25.0.100;
        deny all;
    }
}
```
You can listen only on 172.25.0.101, which is accessible only to containers running on the agent network. You can also add `allow 172.25.0.100` so that only the agent container is able to access this.
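The following is an added example, not code from either answer above. It models the three boundaries both answers rely on so you can see how they combine: Docker only forwarding host traffic to ports listed under `ports:` (the first answer's "not exposed" port 10080), nginx only accepting connections on the address it binds (`listen 172.25.0.101:81`), and the per-location `allow`/`deny` list, which nginx's access module evaluates top to bottom with the first match winning and an unmatched client allowed by default. The function names, the `ServerBlock` type and all sample addresses and port lists are constructed for the illustration; the rule list is copied from the nginx snippet above.

```python
"""Model of the access boundaries discussed above (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Rules copied from the nginx snippet above, in source order (order matters).
STATUS_RULES = [("allow", "127.0.0.1"), ("allow", "172.25.0.100"), ("deny", "all")]

# `ports:` entries of the nginx service in the compose file above (constructed copy).
PUBLISHED_PORTS = ["80:80", "443:443"]


def published_to_host(published_ports, container_port):
    """Docker forwards host traffic only to ports under `ports:`; `expose:`
    entries (81 above, or 10080 in the first answer) stay reachable only
    from containers on the same Docker network."""
    return any(int(p.split(":")[-1]) == container_port for p in published_ports)


def access_decision(rules, client_ip):
    """Evaluate allow/deny the way ngx_http_access_module does: first matching
    directive decides; if nothing matches the request is allowed, which is why
    the trailing `deny all` is essential."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        matched = target == "all" or ip in ipaddress.ip_network(target, strict=False)
        if matched:
            return action == "allow"
    return True  # nginx default when no directive matched


@dataclass
class ServerBlock:
    listen_port: int
    listen_ip: Optional[str] = None                # None models `listen 81;` on all interfaces
    locations: dict = field(default_factory=dict)  # path -> rule list


# Server block from the answer: bound only to nginx's address on the agent network.
STATUS_SERVER = ServerBlock(
    listen_port=81,
    listen_ip="172.25.0.101",
    locations={"/nginx_status": STATUS_RULES},
)


def nginx_accepts(server, dst_ip, dst_port, path, client_ip):
    """Is a connection to dst_ip:dst_port for `path` from client_ip served?"""
    if dst_port != server.listen_port:
        return False
    if server.listen_ip is not None and dst_ip != server.listen_ip:
        return False  # nothing listening on that address
    rules = server.locations.get(path)
    if rules is None:
        return False  # no such location in this server block
    return access_decision(rules, client_ip)


if __name__ == "__main__":
    # Agent container (pinned to 172.25.0.100) hitting the status endpoint: served.
    print(nginx_accepts(STATUS_SERVER, "172.25.0.101", 81, "/nginx_status", "172.25.0.100"))
    # Another container on the agent network: reaches the socket, denied by the ACL.
    print(nginx_accepts(STATUS_SERVER, "172.25.0.101", 81, "/nginx_status", "172.25.0.7"))
    # Same ACL without `deny all`: an unknown client falls through to the default allow.
    print(access_decision(STATUS_RULES[:2], "10.0.0.9"))
    # Port 81 (and the first answer's 10080) is never forwarded from the host.
    print(published_to_host(PUBLISHED_PORTS, 81))
```

The model makes the reason for pinning `ipv4_address` explicit: the `allow` rule keys purely on the source address, so if the agent container were allowed to pick up a different address on restart the rule would silently stop matching and the request would hit `deny all`. Conversely, dropping `deny all` turns the list into a no-op for every client it does not name.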