Merge pull request #899 from jc21/develop

Docs for a docker network

docs/advanced-config/README.md

@@ -1,5 +1,53 @@
 # Advanced Configuration
 
+## Best Practice: Use a docker network
+
+For those who have a few of their upstream services running in docker on the same docker
+host as NPM, here's a trick to secure things a bit better. By creating a custom docker network,
+you don't need to publish ports for your upstream services to all of the docker host's interfaces.
+
+Create a network, ie "scoobydoo":
+
+```bash
+docker network create scoobydoo
+```
+
+Then add the following to the `docker-compose.yml` file for both NPM and any other
+services running on this docker host:
+
+```yml
+networks:
+  default:
+    external:
+      name: scoobydoo
+```
+
+Let's look at a Portainer example:
+
+```yml
+version: '3'
+services:
+
+  portainer:
+    image: portainer/portainer
+    privileged: true
+    volumes:
+      - './data:/data'
+      - '/var/run/docker.sock:/var/run/docker.sock'
+    restart: always
+
+networks:
+  default:
+    external:
+      name: scoobydoo
+```
+
+Now in the NPM UI you can create a proxy host with `portainer` as the hostname,
+and port `9000` as the port. Even though this port isn't listed in the docker-compose
+file, it's "exposed" by the portainer docker image for you and not available on
+the docker host outside of this docker network. The service name is used as the
+hostname, so make sure your service names are unique when using the same network.
+
 ## Docker Secrets
 
 This image supports the use of Docker secrets to import from file and keep sensitive usernames or passwords from being passed or preserved in plaintext.