From e0e962110530150aa6dc19494235ad8ae84a1c55 Mon Sep 17 00:00:00 2001 From: BernhardBaumrock Date: Sat, 9 Aug 2025 19:02:48 +0200 Subject: [PATCH 1/2] docs: add note about insecure ports --- docs/getting-started/installation.mdx | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/getting-started/installation.mdx b/docs/getting-started/installation.mdx index 5ae19ab..d7c0f95 100644 --- a/docs/getting-started/installation.mdx +++ b/docs/getting-started/installation.mdx @@ -62,6 +62,16 @@ The API will be available at [http://localhost:3000](http://localhost:3000). ::: +:::caution + +Publishing container ports is insecure by default: When you publish a container port it becomes reachable from outside the Docker host and it might be reachable from the public even if your host has a firewall like UFW set up! See the docker docs here: [Published ports](https://docs.docker.com/engine/network/#published-ports). + +To restrict access to the host only (for example when using gotenberg internally or behind a reverse proxy), binding to the loopback address might be a better option: + +```bash +docker run --rm -p "127.0.0.1:3000:3000" gotenberg/gotenberg:8 +``` + ## Docker Compose Incorporating Gotenberg into your Docker Compose services stack is as straightforward as: @@ -84,7 +94,7 @@ This means your other services can interact with Gotenberg using [gotenberg:3000 --- -If you want to expose the API to your *localhost*, consider adding a `ports` section: +If you want to expose the API on your host, consider adding a `ports` section: ```yaml title="compose.yaml" services: @@ -94,6 +104,8 @@ services: image: gotenberg/gotenberg:8 ports: - "3000:3000" + # or the more secure version (see note above) + # - "127.0.0.1:3000:3000" ``` :::info From d7252671ffea1946b10fff4a34e5971a71c5dab3 Mon Sep 17 00:00:00 2001 
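Review bot: the `:::caution` admonition opened in the first hunk of PATCH 1/2 (`@@ -62,6 +62,16 @@`) is never closed. The ten added lines run from `+:::caution` through the bash fence and a trailing blank line straight into the unchanged `## Docker Compose` heading with no `+:::` terminator, and Docusaurus MDX either fails to compile an unterminated admonition or swallows the rest of the page into it; add a `+:::` line after the closing fence, mirroring the `:::` that closes the `:::info` block just above. Two smaller points in the same hunk: `-p "127.0.0.1:3000:3000"` binds only the IPv4 loopback, so a client on the host that resolves `localhost` to `::1` first will get a connection refused, which is why the Docker docs phrase it as "127.0.0.1, or ::1"; either mention that or show a second mapping `-p "[::1]:3000:3000"`. And "behind a reverse proxy" is only a reason to bind to loopback when the proxy runs on the host itself; a proxy in another container should reach Gotenberg over the Docker network, exactly as the Docker Compose section below already describes, and needs no published port at all. A one-line check readers can run after starting the container, `ss -ltn | grep 3000`, would let them confirm the socket is on `127.0.0.1` rather than `0.0.0.0`.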
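Review bot: the reworded sentence in the second hunk of PATCH 1/2 (`@@ -84,7 +94,7 @@`) still says "expose the API", but in Docker vocabulary `expose` (the `EXPOSE` instruction and the Compose `expose:` key) only makes a port reachable on the container network, while the `ports:` section the sentence introduces publishes it on the host. Since the whole point of the new caution block is the difference between the two, "If you want to publish the API on your host" would keep the terminology consistent with the docs it links to.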
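Review bot: the commented alternative added in the third hunk of PATCH 1/2 (`@@ -94,6 +104,8 @@`) refers to "the note above", but that note sits in the Docker section, not the Docker Compose section a reader jumping to this example lands in. State the effect in the comment itself, for example `# bind to the loopback address so the port is reachable from the host only`, so the YAML stands on its own; the quoted form `"127.0.0.1:3000:3000"` is correct and should stay quoted, since unquoted `host:container` mappings can be misparsed by YAML.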
From: Bernhard Baumrock Date: Tue, 12 Aug 2025 15:49:50 +0200 Subject: [PATCH 2/2] Update installation.mdx as requested --- docs/getting-started/installation.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/getting-started/installation.mdx b/docs/getting-started/installation.mdx index d7c0f95..a8d7084 100644 --- a/docs/getting-started/installation.mdx +++ b/docs/getting-started/installation.mdx @@ -64,9 +64,9 @@ The API will be available at [http://localhost:3000](http://localhost:3000). :::caution -Publishing container ports is insecure by default: When you publish a container port it becomes reachable from outside the Docker host and it might be reachable from the public even if your host has a firewall like UFW set up! See the docker docs here: [Published ports](https://docs.docker.com/engine/network/#published-ports). +Publishing container ports is insecure by default. Meaning, when you publish a container's ports it becomes available not only to the Docker host, but to the outside world as well. -To restrict access to the host only (for example when using gotenberg internally or behind a reverse proxy), binding to the loopback address might be a better option: +If you include the localhost IP address (127.0.0.1, or ::1) with the publish flag, only the Docker host and its containers can access the published container port. ```bash docker run --rm -p "127.0.0.1:3000:3000" gotenberg/gotenberg:8
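Review bot: the rewritten paragraph in the hunk of PATCH 2/2 (`@@ -64,9 +64,9 @@`) drops the two most useful pieces of the original text: the link to the Docker "Published ports" documentation and the warning that a published port stays reachable even when a host firewall such as UFW is configured. That warning is the non-obvious part for operators, because Docker programs its own iptables rules for container traffic in the nat and FORWARD chains, so the INPUT rules UFW manages are never consulted for a published port; keep the link and a one-sentence version of the firewall note. The replacement wording also has a fragment and a number mismatch ("Publishing container ports is insecure by default. Meaning, when you publish a container's ports it becomes available"); suggest "Publishing container ports is insecure by default: when you publish a container's ports they become reachable not only from the Docker host but from the outside world as well." Finally, the second sentence is taken almost verbatim from the Docker documentation, so restoring the link also serves as attribution.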