Nginx status page in Docker

I have a server which hosts several Docker containers including an Nginx reverse proxy to serve content. In order to get status of this server I have added the following location block:

location /nginx_status {
    stub_status on;
    access_log  off;
    allow       127.0.0.1;
    allow       172.0.0.0/8;
    deny        all;
}

Under normal circumstances I would only have opened up 127.0.0.1 but that means that the host machine would not have access (only the Nginx container itself would) so I opened up all of the 172 addresses. Is there a cleaner/more secure way of doing this or is my approach reasonable for a production environment?

One Solution collected from web for “Nginx status page in Docker”

    When docker starts it creates an interface docker0 that is an ethernet bridge, and assigns it an IP address. Docker tries to choose a smart default, and the 172.17.0.0/16 range is a good default. The host will route all traffic destined for that network to the docker0 bridge, and it’s not accessible externally unless you’ve mapped a port.

    In your question you’ve allowed 172.0.0.0/8, some of which is not RFC1918 private address space. You could restrict this further to either all of the addresses in the Docker network driver source I linked before, or simply 172.17.0.0/16 since that’s the first in the list and is usually used.
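
The point above, that 172.0.0.0/8 reaches beyond RFC1918 space, can be checked mechanically. The following Python script is an added example, not part of the original question or answer; its function names are assumptions of this example, and the embedded sample input is the location block from the question. It lists which parts of each `allow` range fall outside private and loopback space.

```python
import ipaddress
import re

# Address space a status page may reasonably be opened to: RFC 1918 plus loopback.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Sample input: the location block from the question.
QUESTION_BLOCK = """
location /nginx_status {
    stub_status on;
    access_log  off;
    allow       127.0.0.1;
    allow       172.0.0.0/8;
    deny        all;
}
"""

def allowed_networks(conf):
    """Return the IPv4 networks named by nginx `allow` directives in conf."""
    nets = []
    for value in re.findall(r"^\s*allow\s+([^;\s]+)\s*;", conf, re.MULTILINE):
        if value == "all":
            value = "0.0.0.0/0"
        try:
            nets.append(ipaddress.IPv4Network(value, strict=False))
        except ValueError:
            continue  # IPv6 and unix: values are out of scope for this check
    return nets

def public_part(net):
    """Return the sub-ranges of net that fall outside PRIVATE."""
    pieces = [net]
    for priv in PRIVATE:
        remaining = []
        for piece in pieces:
            if priv.subnet_of(piece):
                # Carve the private range out of the larger allowed range.
                remaining.extend(piece.address_exclude(priv))
            elif not piece.subnet_of(priv):
                remaining.append(piece)  # disjoint from this private range
        pieces = remaining
    return list(ipaddress.collapse_addresses(pieces))

def audit(conf):
    return {str(n): [str(p) for p in public_part(n)] for n in allowed_networks(conf)}

if __name__ == "__main__":
    for net, public in audit(QUESTION_BLOCK).items():
        print(net, "->", public or "private only")
```

An empty list for a rule means it admits only private or loopback addresses. The script audits the ranges themselves and does not model the order in which nginx evaluates `allow` and `deny`.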
