

3·
5 days agoIt is good you have solved you initial issue. However, as you say, your rules are too permissive. You should not publish ports from containers to the host. Your container ports should only be accessible over reverse-proxy network. Said otherwise <my domain>:3000 should not resolve to anything.
This can be simply acheive by not publishing any port on your service containers.
Here is an example of my VPS:
Exposed ports:
$ ss -ntlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=4084094,fd=3))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("conmon",pid=3436659,fd=6))
LISTEN 0 4096 0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=723,fd=11))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("conmon",pid=3436659,fd=5))
LISTEN 0 4096 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=723,fd=19))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=723,fd=17))
Redacted list of containers:
$ podman container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[...]
docker.io/tootsuite/mastodon-streaming:v4.3 node ./streaming 2 months ago Up 2 months (healthy) social_streaming
docker.io/eqalpha/keydb:alpine keydb-server /etc... 2 months ago Up 2 months (healthy) cloud_cache
localhost/podman-pause:4.4.1-1111111111 2 months ago Up 2 months 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp 1111111111-infra
docker.io/library/traefik:3.2 traefik 2 months ago Up 2 months 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp traefik
docker.io/library/nginx:1.27-alpine nginx -g daemon o... 3 weeks ago Up 3 weeks cloud_web
docker.io/library/nginx:1.27-alpine nginx -g daemon o... 3 weeks ago Up 3 weeks social_front
[...]
The only two important columns are “Local address: port” and “process”. The later is what process is listening whille the former is the interface that process is listening on and the port.
So you see that I don’t have any process listening on any port other than 80 and 443 iin the host and the regular ones.
That said, you containers will still listen on the ports you want but only on a virtual network interface.
Basically you only need to publish ports 80 amd 443 on the container or pod you have your reverse proxy on. Other containers need to only be attached to the same network as you already did.