如何只允许从docker容器访问一个URL

Question

我想只允许从特定的docker容器向指定的url发送http请求。有没有相对无痛的方法呢？

Answer 1

I don't think so. The only* way to implement this sort of per-URL restriction is if all requests were made through a proxy, so you would need to (a) set up a proxy, (b) configure the rules appropriately, (c) arrange for tools inside your container to use the proxy and (d) ensure that your container has no other outbound access.

So, maybe that would like...

• Create a proxy container on the default network
• Create an isolated internal network (docker network create --isolated mynetwork)
• Attach the isolated network to the proxy container (docker network connect...)
• Create your application container on the isolated network (docker run --net=mynetwork...)

I would not describe that as "relatively painless".

*Well, you might able to hack something together using iptables and string-matching inside packets, but just saying that makes me feel unclean.