I’m running an application consisting of a PostgreSQL/PostGIS database on Digital Ocean droplet A and three more components on droplet B (both connected within one VPC). The question relates only to what’s going on on droplet B.

Those three components each run within their own container on the same Docker host on said droplet:

• A webmap tile server (pg_tileserv) listening on port 7800,
• a backend built on node.js, listening on port 3001,
• and a front end built in Vite, served by nginx on port 80.

The whole setup works absolutely fine locally (of course – it always does), and I can also get it to work on the server after spinning up the three container instances.

My problem is: I don’t want the tile server to be exposed to the outside world, as there is some confidential and PII data on there. Accessing the droplet on port 7800 exposes that. The same goes for the backend on port 3001, although there I’m able to block the routes. So it’s mostly about securing the tile server.

I’m fairly new to web development and to distributed docker setups. I love what’s possible and am already quite content with getting the setup to run, but I can’t seem to wrap my head around how to prevent that kind of direct access to the tile server. My first idea was to establish a firewall (in my case UFW on Ubuntu), which opened the whole topic of how Docker and UFW (don’t) work together. Using the approach by chaifeng I had been able to secure it all and deny all access to everything but the frontend nginx (port 80), but that also seem to have broken the communication between the frontend and backend, as well as the backend and the tile server.

So now I’m wondering how I can get this set up. When referring to the backend from the frontend, to I use the local IP, the droplet’s internal IP or the external on? Likewise, when referring to the tile server, and how can I prevent access from the outside?

I hope my setup is kind of clear, or else I will attempt to describe it into greater detail. I can also provide the detailed setup if that helps. But I guess I’m looking more for general advice with regards to setting up such a multi-tiered web application whilst maintaining some levels of security – in my case at least to protect the file server from external access.

I set up Docker on a Digital Ocean droplet, loaded three images with tile server (exposed on port 7800), backend (3001) and frontend (80), which worked and the three containers were able to communicate. Nailing down external access to the tile server (7800) and the backend (3001) using UFW and uff-docker worked insofar as none of the two were accessible from the outside, but that also broke internal communications.