docker-proxy (userland-proxy)

Last updated: 2019-01-17

Introduction

The docker-proxy operates in userland: it simply receives any packets arriving at the host's specified port that the kernel hasn't dropped or forwarded, and redirects them to the container's port.

By default, a container with a listening port doesn't see the source IP address of the connecting client (it sees the IP address of the Docker gateway instead), so logging, banning, filters and firewalls based on that address are just pointless.
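
The effect described above, as an added example that is not part of the original page and is not Docker's code: a minimal Python stand-in for a userland TCP proxy on loopback, showing that the backend records the proxy's own socket address rather than the client's. All function names, the loopback ports and the reply string are constructed for illustration.

```python
import socket
import threading

def relay(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    while data := src.recv(4096):
        dst.sendall(data)
    dst.shutdown(socket.SHUT_WR)

def proxy_once(front, backend_addr, seen):
    """Accept one client and splice it to the backend, as a userland proxy does."""
    client, seen["client_as_seen_by_proxy"] = front.accept()
    upstream = socket.create_connection(backend_addr)  # brand-new TCP connection
    seen["proxy_upstream_local"] = upstream.getsockname()
    back = threading.Thread(target=relay, args=(upstream, client))
    back.start()
    relay(client, upstream)
    back.join()
    client.close()
    upstream.close()

def backend_once(listener, seen):
    """Stand-in for the containerised service: record the peer address it sees."""
    conn, seen["client_as_seen_by_backend"] = listener.accept()
    with conn:
        conn.sendall(b"hello from container\n")

def demo():
    seen = {}
    backend = socket.create_server(("127.0.0.1", 0))  # constructed "container" port
    front = socket.create_server(("127.0.0.1", 0))    # constructed "host" port
    threads = [threading.Thread(target=backend_once, args=(backend, seen)),
               threading.Thread(target=proxy_once, args=(front, backend.getsockname(), seen))]
    for t in threads:
        t.start()
    with socket.create_connection(front.getsockname()) as c:
        seen["real_client"] = c.getsockname()
        c.shutdown(socket.SHUT_WR)                     # nothing to send; just read the reply
        seen["reply"] = b"".join(iter(lambda: c.recv(4096), b""))
    for t in threads:
        t.join()
    backend.close()
    front.close()
    return seen

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

Only the proxy ever learns the real client address; anything behind it that logs or filters by peer address is working with the proxy's socket.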

 


--userland-proxy

true by default

When disabled, NAT is used instead.

Example (one docker-proxy process per published port)

/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.29.0.2 -container-port 443
/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.29.0.2 -container-port 80