Tools

Tools: 🏗️ Building my home server P4: Docker, UFW and Nginx

2026-03-16 0 views admin
Tools: 🏗️ Building my home server P4: Docker, UFW and Nginx

🏗️ Building my home server: Part 4

🐳 Containers

🛡️ UFW

🤔 But... why?

🔧 Fixing the issue

🚦 Nginx

Adjust UFW

Outcome Containers, UFW and Nginx In my previous blog post, I discussed volume management. For the next step, I aimed to deploy a few apps and app stacks, such as File Browser and Transmission. To make deploying these and other apps quick and easy, I like to run them in containers, which are the go-to method these days for running portable, isolated, and environment-consistent applications. Fortunately, both File Browser and Transmission offer official container images, which made the process even smoother. To set up the containers, I followed the official installation guides for both apps: These guides provided clear, step-by-step instructions on how to deploy each app using Docker. Since each of these apps are single-container apps and don't require multiple services to interact with each other, using the docker run command instead of docker compose was a straightforward decision. Additionally, I wanted the flexibility to set variables dynamically, which was another factor that made docker run the better choice for this setup. To secure my containers, I used UFW (Uncomplicated Firewall) and exposed only the necessary ports. For File Browser, I opened port 8080 for the UI, and for Transmission, I opened port 9091 for the web interface. This way, I limited the exposure of the containers to only the essential services, reducing potential security risks. At least, that's what I thought... It turned out that, despite not allowing traffic to port 8080 via UFW initially, I was still able to access the File Browser web UI over my local network. Docker binds exposed ports to 0.0.0.0 by default, making services accessible from both local and external networks. Docker uses iptables (Linux's firewall management tool) to configure network routing. When you run containers and expose ports, Docker automatically adds iptables rules to manage traffic. These rules are added directly to the system's networking stack and can override UFW's settings in some cases. For example, Docker might automatically add rules like: UFW is essentially a frontend for iptables. If Docker's rules are inserted after UFW's (which is often the case), Docker's iptables rules will take precedence, allowing traffic that would otherwise be blocked by UFW. This can lead to situations where Docker containers are accessible even though UFW rules have been set to block traffic. That was a bit of a security surprise! 👻 To resolve this issue, I first needed to ensure that Docker wouldn't expose ports to 0.0.0.0 by default. To do this, I had to adjust the docker run commands slightly: By adding 127.0.0.1 to the exposed ports, I ensured that the services would only be accessible from the local network. Now that my containers were safe by default, I still had to make sure that I expose these ports to the local network. To achieve this I decided to use Nginx reverse-proxy. To install Nginx, I followed these steps (sourced from here): Update and upgrade the system: Enable Nginx to start on boot: Generate a self-signed SSL certificate: Set proper permission for the certificate: Create a Diffie-Hellman group to improve security:\

Learn more about Diffie-Hellman key exchange. Set proper permissions for the Diffie-Hellman group: Remove the default Nginx configuration: Create a new Nginx configuration file: Add the following configuration to the file: As a final step, I disabled access to ports 8080 and 9091 via UFW, then allowed full access for Nginx with the following command: With this setup, I can now access both apps on my local network at: Since mydomain.com is mapped in the /etc/hosts file (or DNS resolution for local network), the subdomains resolve correctly. I can be confident that only the services proxied via Nginx are accessible within my network. You can also read this post on my portfolio page. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

# File Browser -weight: 500;">docker run \ -v /path/to/srv:/srv \ -v /path/to/database:/database \ -v /path/to/config:/config \ -e PUID=$(id -u) \ -e PGID=$(id -g) \ -p 8080:80 \ filebrowser/filebrowser:s6 # File Browser -weight: 500;">docker run \ -v /path/to/srv:/srv \ -v /path/to/database:/database \ -v /path/to/config:/config \ -e PUID=$(id -u) \ -e PGID=$(id -g) \ -p 8080:80 \ filebrowser/filebrowser:s6 # File Browser -weight: 500;">docker run \ -v /path/to/srv:/srv \ -v /path/to/database:/database \ -v /path/to/config:/config \ -e PUID=$(id -u) \ -e PGID=$(id -g) \ -p 8080:80 \ filebrowser/filebrowser:s6 # Transmission -weight: 500;">docker run -d \ --name=transmission \ -e PUID=1000 \ -e PGID=1000 \ -e TZ=Etc/UTC \ -e TRANSMISSION_WEB_HOME= `#optional` \ -e USER= `#optional` \ -e PASS= `#optional` \ -e WHITELIST= `#optional` \ -e PEERPORT= `#optional` \ -e HOST_WHITELIST= `#optional` \ -p 9091:9091 \ -p 51413:51413 \ -p 51413:51413/udp \ -v /path/to/transmission/data:/config \ -v /path/to/downloads:/downloads `#optional` \ -v /path/to/watch/folder:/watch `#optional` \ ---weight: 500;">restart unless-stopped \ lscr.io/linuxserver/transmission:latest # Transmission -weight: 500;">docker run -d \ --name=transmission \ -e PUID=1000 \ -e PGID=1000 \ -e TZ=Etc/UTC \ -e TRANSMISSION_WEB_HOME= `#optional` \ -e USER= `#optional` \ -e PASS= `#optional` \ -e WHITELIST= `#optional` \ -e PEERPORT= `#optional` \ -e HOST_WHITELIST= `#optional` \ -p 9091:9091 \ -p 51413:51413 \ -p 51413:51413/udp \ -v /path/to/transmission/data:/config \ -v /path/to/downloads:/downloads `#optional` \ -v /path/to/watch/folder:/watch `#optional` \ ---weight: 500;">restart unless-stopped \ lscr.io/linuxserver/transmission:latest # Transmission -weight: 500;">docker run -d \ --name=transmission \ -e PUID=1000 \ -e PGID=1000 \ -e TZ=Etc/UTC \ -e TRANSMISSION_WEB_HOME= `#optional` \ -e USER= `#optional` \ -e PASS= `#optional` \ -e WHITELIST= `#optional` \ -e PEERPORT= `#optional` \ -e HOST_WHITELIST= `#optional` \ -p 9091:9091 \ -p 51413:51413 \ -p 51413:51413/udp \ -v /path/to/transmission/data:/config \ -v /path/to/downloads:/downloads `#optional` \ -v /path/to/watch/folder:/watch `#optional` \ ---weight: 500;">restart unless-stopped \ lscr.io/linuxserver/transmission:latest # Turn UFW on with the default set of rules -weight: 600;">sudo ufw -weight: 500;">enable # Check the -weight: 500;">status of UFW -weight: 600;">sudo ufw -weight: 500;">status verbose # Deny all incoming traffic -weight: 600;">sudo ufw default deny incoming # Allow incoming tcp traffic on port 8080 -weight: 600;">sudo ufw allow 8080/tcp # Allow incoming tcp traffic on port 9091 -weight: 600;">sudo ufw allow 9091/tcp # Turn UFW on with the default set of rules -weight: 600;">sudo ufw -weight: 500;">enable # Check the -weight: 500;">status of UFW -weight: 600;">sudo ufw -weight: 500;">status verbose # Deny all incoming traffic -weight: 600;">sudo ufw default deny incoming # Allow incoming tcp traffic on port 8080 -weight: 600;">sudo ufw allow 8080/tcp # Allow incoming tcp traffic on port 9091 -weight: 600;">sudo ufw allow 9091/tcp # Turn UFW on with the default set of rules -weight: 600;">sudo ufw -weight: 500;">enable # Check the -weight: 500;">status of UFW -weight: 600;">sudo ufw -weight: 500;">status verbose # Deny all incoming traffic -weight: 600;">sudo ufw default deny incoming # Allow incoming tcp traffic on port 8080 -weight: 600;">sudo ufw allow 8080/tcp # Allow incoming tcp traffic on port 9091 -weight: 600;">sudo ufw allow 9091/tcp ACCEPT tcp -- anywhere anywhere tcp dpt:8080 ACCEPT tcp -- anywhere anywhere tcp dpt:8080 -p 8080:80 -> -p 127.0.0.1:8080:8080 -p 9091:9091 -> -p 127.0.0.1:9091:9091 -p 8080:80 -> -p 127.0.0.1:8080:8080 -p 9091:9091 -> -p 127.0.0.1:9091:9091 -p 8080:80 -> -p 127.0.0.1:8080:8080 -p 9091:9091 -> -p 127.0.0.1:9091:9091 -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install nginx -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install nginx -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">start nginx -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">start nginx -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable nginx -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable nginx -weight: 600;">sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx--weight: 500;">docker.key -out /etc/ssl/certs/nginx--weight: 500;">docker.crt -weight: 600;">sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx--weight: 500;">docker.key -out /etc/ssl/certs/nginx--weight: 500;">docker.crt -weight: 600;">sudo chmod 600 /etc/ssl/private/nginx--weight: 500;">docker.key -weight: 600;">sudo chmod 600 /etc/ssl/private/nginx--weight: 500;">docker.key openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 -weight: 600;">sudo chmod 600 /etc/ssl/certs/dhparam.pem -weight: 600;">sudo chmod 600 /etc/ssl/certs/dhparam.pem -weight: 600;">sudo rm /etc/nginx/sites-enabled/default -weight: 600;">sudo rm /etc/nginx/sites-enabled/default -weight: 600;">sudo vi /etc/nginx/sites-enabled/-weight: 500;">docker.conf -weight: 600;">sudo vi /etc/nginx/sites-enabled/-weight: 500;">docker.conf server { listen 80; listen [::]:80; server_name _; return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name transmission.*; ssl_certificate /etc/ssl/certs/nginx--weight: 500;">docker.crt; #Swap these out with Lets Encrypt Path if using signed cert ssl_certificate_key /etc/ssl/private/nginx--weight: 500;">docker.key; #Swap these out with Lets Encrypt Path if using signed cert ssl_dhparam /etc/ssl/certs/dhparam.pem; client_max_body_size 128M; location / { proxy_pass http://127.0.0.1:9091; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 443 ssl http2; server_name filebrowser.*; ssl_certificate /etc/ssl/certs/nginx--weight: 500;">docker.crt; #Swap these out with Lets Encrypt Path if using signed cert ssl_certificate_key /etc/ssl/private/nginx--weight: 500;">docker.key; #Swap these out with Lets Encrypt Path if using signed cert ssl_dhparam /etc/ssl/certs/dhparam.pem; client_max_body_size 128M; location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 80; listen [::]:80; server_name _; return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name transmission.*; ssl_certificate /etc/ssl/certs/nginx--weight: 500;">docker.crt; #Swap these out with Lets Encrypt Path if using signed cert ssl_certificate_key /etc/ssl/private/nginx--weight: 500;">docker.key; #Swap these out with Lets Encrypt Path if using signed cert ssl_dhparam /etc/ssl/certs/dhparam.pem; client_max_body_size 128M; location / { proxy_pass http://127.0.0.1:9091; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 443 ssl http2; server_name filebrowser.*; ssl_certificate /etc/ssl/certs/nginx--weight: 500;">docker.crt; #Swap these out with Lets Encrypt Path if using signed cert ssl_certificate_key /etc/ssl/private/nginx--weight: 500;">docker.key; #Swap these out with Lets Encrypt Path if using signed cert ssl_dhparam /etc/ssl/certs/dhparam.pem; client_max_body_size 128M; location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">restart nginx -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">restart nginx ```bash -weight: 600;">sudo ufw allow 'Nginx Full' ``` ```bash -weight: 600;">sudo ufw allow 'Nginx Full' ``` ```bash -weight: 600;">sudo ufw allow 'Nginx Full' ``` - File Browser is a sleek, out-of-the-box file management interface that allows you to quickly set up a web-based file management system, complete with built-in access controls to secure your files. - Transmission is a minimalist, lightweight BitTorrent client that I appreciate for its speed, open-source nature, simplicity, and efficient performance. - File Browser - Transmission - Docker binds exposed ports to 0.0.0.0 by default, making services accessible from both local and external networks. - Docker uses iptables (Linux's firewall management tool) to configure network routing. When you run containers and expose ports, Docker automatically adds iptables rules to manage traffic. These rules are added directly to the system's networking stack and can override UFW's settings in some cases. For example, Docker might automatically add rules like: ACCEPT tcp -- anywhere anywhere tcp dpt:8080 - UFW is essentially a frontend for iptables. If Docker's rules are inserted after UFW's (which is often the case), Docker's iptables rules will take precedence, allowing traffic that would otherwise be blocked by UFW. This can lead to situations where Docker containers are accessible even though UFW rules have been set to block traffic. - Update and -weight: 500;">upgrade the system: -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">upgrade - Install Nginx: -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install nginx - Start Nginx: -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">start nginx - Enable Nginx to -weight: 500;">start on boot: -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable nginx - Generate a self-signed SSL certificate: -weight: 600;">sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx--weight: 500;">docker.key -out /etc/ssl/certs/nginx--weight: 500;">docker.crt - Set proper permission for the certificate: -weight: 600;">sudo chmod 600 /etc/ssl/private/nginx--weight: 500;">docker.key - Create a Diffie-Hellman group to improve security:\ Learn more about Diffie-Hellman key exchange. openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 - Set proper permissions for the Diffie-Hellman group: -weight: 600;">sudo chmod 600 /etc/ssl/certs/dhparam.pem - Remove the default Nginx configuration: -weight: 600;">sudo rm /etc/nginx/sites-enabled/default - Create a new Nginx configuration file: -weight: 600;">sudo vi /etc/nginx/sites-enabled/-weight: 500;">docker.conf Add the following configuration to the file: server { listen 80; listen [::]:80; server_name _; return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name transmission.*; ssl_certificate /etc/ssl/certs/nginx--weight: 500;">docker.crt; #Swap these out with Lets Encrypt Path if using signed cert ssl_certificate_key /etc/ssl/private/nginx--weight: 500;">docker.key; #Swap these out with Lets Encrypt Path if using signed cert ssl_dhparam /etc/ssl/certs/dhparam.pem; client_max_body_size 128M; location / { proxy_pass http://127.0.0.1:9091; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 443 ssl http2; server_name filebrowser.*; ssl_certificate /etc/ssl/certs/nginx--weight: 500;">docker.crt; #Swap these out with Lets Encrypt Path if using signed cert ssl_certificate_key /etc/ssl/private/nginx--weight: 500;">docker.key; #Swap these out with Lets Encrypt Path if using signed cert ssl_dhparam /etc/ssl/certs/dhparam.pem; client_max_body_size 128M; location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } - Restart Nginx: -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">restart nginx - https://transmission.mydomain.com - https://filebrowser.mydomain.com

🏷️ Tags

toolsutilitiessecurity toolsbuildingserverdockernginxcontainers

More from Tools

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

2026-03-30 0
Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

2026-03-30 0
Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

2026-03-30 0
Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

2026-03-30 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views