I'm currently running some test containers with docker and Traefik before getting everything else setup. Currently, I can proxy the containers on a bridge network with ports exposed on the host.
That is: -p 8001:8000
Is it possible to proxy containers without exposing a port to my LAN? These are what I need to either confirm or deny as possible:
As far as I know, this could be done using Traefik labels (not sure how though).
Could I use a different network type? If so, what and why?
Is there a way to isolate the container's network, such that I cannot access it via a port bridged to the host? It would be fine if it were to be accessible by port on another subnet perhaps.
How can I isolate these containers so they are only accessible by proxy regularly?