fix(server): add explicit HostIp to Traefik port bindings #4106
knowsuchagency wants to merge 1 commit into Dokploy:canary
Conversation
Traefik port bindings in initializeStandaloneTraefik omit HostIp, causing Docker to inherit the daemon default. If a user configures "ip": "127.0.0.1" in daemon.json (a common hardening step to prevent containers from binding to public interfaces), Traefik's ports 80/443 also become localhost-only, breaking all public access.

Add a TRAEFIK_BIND_IP environment variable (defaults to "0.0.0.0" for backward compatibility) and set HostIp explicitly on all port bindings including the dashboard and additional ports.

Refs Dokploy#2915

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| export const TRAEFIK_HTTP3_PORT = | ||
| Number.parseInt(process.env.TRAEFIK_HTTP3_PORT!, 10) || 443; | ||
| export const TRAEFIK_VERSION = process.env.TRAEFIK_VERSION || "3.6.7"; | ||
| export const TRAEFIK_BIND_IP = process.env.TRAEFIK_BIND_IP || "0.0.0.0"; |
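Review bot: `TRAEFIK_BIND_IP` is read with only an empty-string fallback to "0.0.0.0" and no check on its shape, so a hostname, a CIDR or a truncated address such as `0.0.0.` is passed through to Docker's `HostIp` and only fails later at container creation; validate the literal at this line (IPv4 octets in range and the IPv6 forms, not just a digit-group pattern) and resolve into the constant, and document the new variable alongside `TRAEFIK_VERSION` and the other `TRAEFIK_*` settings so operators can find it.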
No validation of TRAEFIK_BIND_IP
TRAEFIK_BIND_IP is passed directly from the environment into Docker's port binding HostIp field with no format validation. An invalid value (e.g. a hostname, a CIDR range, or a typo like 0.0.0.) will cause docker.createContainer() to throw a cryptic error rather than a user-friendly message.
Consider adding a basic sanity check or at least logging the resolved value at startup so operators can confirm the setting is applied as expected:
| export const TRAEFIK_BIND_IP = process.env.TRAEFIK_BIND_IP || "0.0.0.0"; | |
| export const TRAEFIK_BIND_IP = process.env.TRAEFIK_BIND_IP || "0.0.0.0"; | |
| // Basic guard so a misconfigured value surfaces early with a clear message. | |
| if (!/^(\d{1,3}\.){3}\d{1,3}$|^::$|^::1$/.test(TRAEFIK_BIND_IP)) { | |
| console.warn( | |
| `TRAEFIK_BIND_IP "${TRAEFIK_BIND_IP}" does not look like a valid IP address – falling back to 0.0.0.0`, | |
| ); | |
| } |
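Review bot: the warning text in this suggestion says "falling back to 0.0.0.0", but `TRAEFIK_BIND_IP` is a `const` that keeps the rejected value, so the message misstates what happens; either make the fallback real by resolving into a separately validated constant, or reword the warning to say the value is used as-is. The pattern `^(\d{1,3}\.){3}\d{1,3}$` also accepts out-of-range octets such as `999.999.999.999`, and the two IPv6 alternatives admit only `::` and `::1`, so any other IPv6 bind address would be flagged as invalid.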
This is consistent with how operators discover misconfigured TRAEFIK_PORT / TRAEFIK_SSL_PORT values today (the pattern is not validated there either), so this is purely a hardening suggestion.
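An added example, not code from this PR or from Dokploy, of the stricter check the comment above asks for: `resolveBindIp` rejects anything that is not an IPv4 or IPv6 literal and really falls back to the default, and `buildPortBindings` produces the `HostConfig.PortBindings` shape with `HostIp` set on every entry. The function names, the `DEFAULT_BIND_IP` constant and the assumption that host and container ports are equal are mine, not the project's.

```typescript
// Added example (not Dokploy's code): validate TRAEFIK_BIND_IP before it reaches
// Docker's HostIp, and build PortBindings with the bind address set explicitly.
const DEFAULT_BIND_IP = "0.0.0.0";

// Strict dotted-quad check: four octets, each 0-255, no leading zeros.
function isIPv4(s: string): boolean {
  const parts = s.split(".");
  if (parts.length !== 4) return false;
  return parts.every(
    (p) => /^\d{1,3}$/.test(p) && Number(p) <= 255 && (p === "0" || !p.startsWith("0")),
  );
}

// IPv6 literal check: at most one "::", 1-4 hex digits per group, 8 groups
// when uncompressed and at most 7 when "::" is present ("::" alone is valid).
function isIPv6(s: string): boolean {
  const halves = s.split("::");
  if (halves.length > 2 || s.includes(":::")) return false;
  const groups: string[] = [];
  for (const h of halves) if (h !== "") groups.push(...h.split(":"));
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

// Resolve the env value to a safe bind address. Unlike a bare `||` fallback,
// an invalid value is rejected here, with a warning the caller can log.
function resolveBindIp(raw: string | undefined): { ip: string; warning?: string } {
  const value = (raw ?? "").trim();
  if (value === "") return { ip: DEFAULT_BIND_IP };
  if (isIPv4(value) || isIPv6(value)) return { ip: value };
  return {
    ip: DEFAULT_BIND_IP,
    warning: `TRAEFIK_BIND_IP "${value}" is not an IP literal; using ${DEFAULT_BIND_IP}`,
  };
}
type Binding = { HostIp: string; HostPort: string };

// Shape Docker expects in HostConfig.PortBindings: { "80/tcp": [{ HostIp, HostPort }] }.
// Host and container port are assumed equal here, as for Traefik's 80/443.
function buildPortBindings(
  hostIp: string,
  ports: Array<{ port: number; proto?: "tcp" | "udp" }>,
): Record<string, Binding[]> {
  const bindings: Record<string, Binding[]> = {};
  for (const { port, proto = "tcp" } of ports) {
    bindings[`${port}/${proto}`] = [{ HostIp: hostIp, HostPort: String(port) }];
  }
  return bindings;
}
```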
Description

Traefik port bindings in `initializeStandaloneTraefik` currently omit the `HostIp` field. This causes Docker to inherit the daemon's default bind IP. If a user sets `"ip": "127.0.0.1"` in `/etc/docker/daemon.json` — a common hardening step to prevent containers from accidentally binding to public interfaces — Traefik's ports 80/443 also become localhost-only, breaking all public access.

Changes

- Add a `TRAEFIK_BIND_IP` environment variable (defaults to `0.0.0.0` for backward compatibility)
- Set `HostIp` explicitly on all port bindings in `initializeStandaloneTraefik`

This makes Dokploy compatible with Docker daemon-level IP hardening while preserving existing behavior by default.
Checklist

- canary

Related Issues
Refs #2915 — this is a partial fix covering Traefik port bindings. The broader per-service IP binding requested in #2915 would be a separate change.
🤖 Generated with Claude Code
Greptile Summary

This PR fixes Traefik port bindings in `initializeStandaloneTraefik` to be compatible with Docker daemons that have a restricted default bind IP (e.g. `"ip": "127.0.0.1"` in `daemon.json`). It introduces a `TRAEFIK_BIND_IP` environment variable (defaulting to `0.0.0.0`) and sets it as `HostIp` on every port binding, overriding the daemon default and restoring public accessibility without requiring daemon reconfiguration.

- The `0.0.0.0` default preserves existing behavior for users who have not configured Docker IP hardening.
- `initializeTraefikService` (Swarm mode) is intentionally left unchanged and the PR description correctly scopes this as a partial fix.
- There is no validation of `TRAEFIK_BIND_IP`; an invalid IP will produce a cryptic Docker error at container creation time rather than a clear startup warning (see inline comment).

Confidence Score: 5/5
Safe to merge — the change is minimal, backward-compatible, and correctly addresses the stated problem with no logic regressions.
All findings are P2 (no input validation on the new env var). The core logic is correct, the default value preserves backward compatibility, and the fix is applied consistently to every affected port binding site.
No files require special attention.