[SOLVED] Docker compose - restrict internet access, allow egress only through proxy

Docker compose - restrict internet access, allow egress only through proxy

I am trying to replicate restricted production environment on my local development environment using Docker compose.

Application containers shouldn't be able to access the internet from the inside. One of the containers shall be able to expose its web port to the host machine. Host machine shall be able to reach that web service.

Application containers shall be able to reach the proxy on e.g. 3128 port. Proxy container shall be able to reach the internet.

Is it possible to setup this using Docker compose?

Solution

Actually this is possible. Ingress (NginX) and egress (Squid) containers need to be both in internal and external networks, whereas application containers are only in the internal network.

# Base docker-compose, which is extended by more specific docker-compose files
version: "3.5"
services:
  appname-nginx:
    image: companyimage/nginx
    container_name: appname-nginx
    depends_on:
      - appname-web
    ports:
      - "127.0.0.1:443:443"
      - "127.0.0.1:80:80"
    networks:
      appname-network:
        aliases:
          - local.appname.com
      appname-external-network:
  appname-web:
    image: companyimage/web
    container_name: appname-web
    networks:
      - appname-network
  appname-outbound-proxy-squid:
    image: companyimage/squid
    container_name: appname-outbound-proxy-squid
    networks:
      - appname-external-network
      - appname-network
networks:
  appname-network:
    name: appname-network
    internal: true
  appname-external-network:
    name: appname-external-network