By default, Coolify publishes container ports on 0.0.0.0 on the host. This is risky because Docker bypasses UFW by inserting its own iptables rules into the nat and filter tables, which are processed before UFW.
You can override Coolify’s bindings in /data/coolify/source by creating a Docker Compose override file (for example, docker-compose.custom.yml) with the following content:
    services:
      coolify:
        ports: !override
          - 127.0.0.1:8000:8080
      soketi:
        ports: !override
          - 127.0.0.1:6001:6001
          - 127.0.0.1:6002:6002
Then use proxy_pass in Nginx:
    server {
        server_name coolify.mydomain.xyz;
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/coolify.mydomain.xyz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/coolify.mydomain.xyz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /app {
            proxy_pass http://127.0.0.1:6001;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /terminal/ws {
            proxy_pass http://127.0.0.1:6002;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    server {
        if ($host = coolify.mydomain.xyz) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        server_name coolify.mydomain.xyz;
        return 404; # managed by Certbot
    }
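To confirm the override took effect, check the published bindings on the host. The script below is an added example, not part of the original post: it parses `docker ps` port listings and reports any port still published on a wildcard address. The sample lines are constructed, and `example-db` is a hypothetical container name.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads "<name><TAB><ports>" lines, the shape printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints every published port that is bound to all interfaces.
find_public_bindings() {
    awk -F '\t' '
    {
        n = split($2, parts, /, */)
        for (i = 1; i <= n; i++) {
            p = parts[i]
            # Published ports contain "->"; exposed-only ports (e.g. 5432/tcp) do not.
            if (p !~ /->/) continue
            # Wildcard binds: IPv4 0.0.0.0 and IPv6 ":::" or "[::]:".
            if (p ~ /^0\.0\.0\.0:/ || p ~ /^:::/ || p ~ /^\[::\]:/)
                print $1 "\t" p
        }
    }'
}

# Constructed sample: default bindings before the override.
# example-db is a hypothetical container with an exposed-only port.
sample_before() {
    printf 'coolify\t0.0.0.0:8000->8080/tcp, :::8000->8080/tcp\n'
    printf 'soketi\t0.0.0.0:6001-6002->6001-6002/tcp, [::]:6001-6002->6001-6002/tcp\n'
    printf 'example-db\t5432/tcp\n'
}

# Constructed sample: bindings after docker-compose.custom.yml is applied.
sample_after() {
    printf 'coolify\t127.0.0.1:8000->8080/tcp\n'
    printf 'soketi\t127.0.0.1:6001-6002->6001-6002/tcp\n'
    printf 'example-db\t5432/tcp\n'
}

echo "Before override:"; sample_before | find_public_bindings
echo "After override:";  sample_after | find_public_bindings

# On a live host (requires Docker):
#   docker ps --format '{{.Names}}\t{{.Ports}}' | find_public_bindings
```

Empty output means no container port is published on a wildcard address; any line printed names a container and binding that is reachable regardless of UFW rules.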
Credits go to: