by ggpsv 873 days ago
Docker is great, but it is easy to shoot yourself in the foot if you use it conveniently but don't actually understand it.

A common mistake is to publish the Docker ports unknowingly to all interfaces (e.g. `5432:5432`), which makes your Docker container available to everyone. It is common to see this in Docker tutorials or pre-made Docker Compose files. Coupled with UFW, it may give you a false sense of security, because Docker manages its own iptables rules.

2 comments

I do make a habit of not exposing ports and just using a reverse proxy for the container. Of course, you will need a bridged network between the reverse proxy container and the target container, but that's fine. I'm sure there are more clever ways around that.
I prefer to run the webserver using systemd on the host so publishing the container port to 127.0.0.1 is enough for me.
Yes, I've made this mistake with Docker and UFW before :( Such a footgun.
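The footgun from the original post (a `5432:5432` mapping published on every interface, straight past UFW) and the `127.0.0.1` fix from the reply above can be audited mechanically. This is an added example, not code from anyone in the thread: it parses Compose `ports` entries (short and long syntax) and flags any mapping that Docker will bind to all interfaces. The compose data is a constructed sample, loaded as a Python dict so the script runs without PyYAML.

```python
"""Audit Docker Compose port mappings for bindings on all interfaces.

Docker inserts its own iptables rules for published ports, so a host
firewall such as UFW does not protect a mapping like "5432:5432".
"""
from __future__ import annotations

from typing import Any

# Constructed sample, equivalent to the YAML a tutorial might ship.
SAMPLE_COMPOSE: dict[str, Any] = {
    "services": {
        "db": {"image": "postgres:16", "ports": ["5432:5432"]},           # every interface
        "cache": {"image": "redis:7", "ports": ["127.0.0.1:6379:6379"]},  # loopback only
        "web": {"image": "nginx", "ports": ["80", "[::1]:8443:443"]},     # "80" = random host port, all ifaces
        "api": {"image": "api", "ports": [
            {"target": 8000, "published": 8000, "host_ip": "127.0.0.1"},  # long form, loopback
            {"target": 9000, "published": 9000},                          # long form, no host_ip
        ]},
        "worker": {"image": "worker"},  # nothing published
    }
}


def host_ip_of(mapping: Any) -> str | None:
    """Return the host IP a Compose port mapping binds to, or None for all interfaces."""
    if isinstance(mapping, dict):           # long syntax: host_ip is explicit or absent
        return mapping.get("host_ip")
    spec = str(mapping).split("/")[0]       # drop an optional /tcp or /udp suffix
    if spec.startswith("["):                # bracketed IPv6 address, e.g. [::1]:8443:443
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None   # only ip:host:container carries an IP


def find_wide_open_ports(compose: dict[str, Any]) -> list[tuple[str, str]]:
    """List (service, mapping) pairs Docker will publish on 0.0.0.0 / [::], bypassing UFW."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for mapping in svc.get("ports", []):
            ip = host_ip_of(mapping)
            if ip is None or ip in ("0.0.0.0", "::"):
                findings.append((name, str(mapping)))
    return findings


if __name__ == "__main__":
    for service, mapping in find_wide_open_ports(SAMPLE_COMPOSE):
        print(f"{service}: {mapping} -> prefix with 127.0.0.1: to keep it off public interfaces")
```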