How could I make a service only available from my local network?

[LickABrick]

I’m running several services on a single Dokploy host, and some of them shouldn’t be publicly accessible from the internet.

My initial idea was to use a private DNS naming scheme, for example:

service1.mydokploy.private

However, this doesn’t actually secure anything. If someone manually adds a DNS record pointing that hostname to my Dokploy server, the service would still be reachable. While guessing the hostname isn’t trivial, it’s definitely not a reliable security measure.

What I’m trying to achieve:

Keep using ports 80/443 (no custom ports)

Avoid spinning up a separate Dokploy instance that’s completely internal

Restrict certain services so they are only accessible from internal networks (or otherwise protected)

What would be the best way to handle this setup?
Is there a recommended approach within Dokploy (or via a reverse proxy / middleware) to properly restrict access to specific services?

[dosubot[bot]]

You can restrict services to your local network using Traefik's ipAllowList middleware. Here's how:

1. Go to Traefik File System in Dokploy's menu
2. Edit dynamic/dokploy.yml
3. Add an IP allowlist middleware and apply it to your service's router:

http:
  routers:
    your-service-router-secure:
      rule: Host(`service1.mydokploy.private`)
      service: your-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      middlewares:
        - internal-only

  middlewares:
    internal-only:
      ipAllowList:
        sourceRange:
          - 192.168.0.0/16
          - 10.0.0.0/8

Important notes:

• Apply the middleware to the HTTPS router (-secure), not the HTTP one
• Docker labels for middleware are often ignored, so direct file editing is the reliable approach
• There's no UI for this yet—it's manual Traefik configuration

Alternative approaches:

• Tailscale VPN combined with your VPS firewall for a more robust solution
• Cloudflare Tunnel with Cloudflare Access for authentication-based restrictions

The ipAllowList approach will work on ports 80/443 without needing a separate Dokploy instance.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[LickABrick]

@dosu can I also do this for the whole *.mydokploy.private dns with a single middleware?

[dosubot[bot]]

Yes! You can use HostRegexp() to match all subdomains with a single router. In your dynamic/dokploy.yml:

http:
  routers:
    private-wildcard:
      rule: HostRegexp(`^.+\.mydokploy\.private$`)
      service: your-service
      entryPoints:
        - websecure
      tls: {}
      middlewares:
        - internal-only

  middlewares:
    internal-only:
      ipAllowList:
        sourceRange:
          - 192.168.0.0/16
          - 10.0.0.0/8

Important notes:

• Use HostRegexp() with regex syntax—Host() only supports exact matches
• Don't add these domains through Dokploy's UI after setting up the wildcard rule, as it creates conflicts
• If you need HTTPS with a wildcard certificate, you'll need to configure DNS Challenge instead of HTTP Challenge

Make sure you have a wildcard DNS record (*.mydokploy.private) pointing to your server as well.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[LickABrick]

@dosu I meant have multiple services using servicex.mydokploy.private and have them each be internal only. So service: is also dynamic.

[dosubot[bot]]

Unfortunately, Traefik doesn't support dynamic service selection from a single router—each router is bound to exactly one backend service. So you can't have one wildcard router that automatically figures out which container to send traffic to based on the subdomain.

What you can do: Define the ipAllowList middleware once and reference it in each service's router. If you're using Docker Compose labels, each service would look like:

# Service 1
labels:
  - traefik.http.routers.service1.rule=Host(`service1.mydokploy.private`)
  - traefik.http.routers.service1.middlewares=internal-only
  - traefik.http.routers.service1.service=service1

# Service 2
labels:
  - traefik.http.routers.service2.rule=Host(`service2.mydokploy.private`)
  - traefik.http.routers.service2.middlewares=internal-only
  - traefik.http.routers.service2.service=service2

# Define middleware once (on any service or in dynamic config)
  - traefik.http.middlewares.internal-only.ipallowlist.sourcerange=192.168.0.0/16,10.0.0.0/8

Or in dynamic/dokploy.yml, define the shared middleware once and have each router reference it:

http:
  middlewares:
    internal-only:
      ipAllowList:
        sourceRange:
          - 192.168.0.0/16
          - 10.0.0.0/8

It's a bit more repetitive than a single catch-all, but it keeps the IP restriction logic in one place while still routing each subdomain to its correct service.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}