External Access Patterns

Published Ports on Swarm:

  • 80/tcp: HTTP → HTTPS redirect
  • 443/tcp: HTTPS termination
  • 8081/tcp: Traefik dashboard
  • 5432/tcp: PostgreSQL direct access
  • 3306/tcp: MariaDB direct access

SSL-Terminated Services: All web applications are accessed via HTTPS through Traefik with automatic certificate provisioning.

Internal Service Communication

Database Access Patterns:

# PostgreSQL clients
POSTGRES_HOST: postgres
POSTGRES_USER: admin
POSTGRES_PASSWORD: [SECRET]

# MariaDB clients
DB_HOST: mariadb
DB_USERNAME: bookstack
DB_PASSWORD: [SECRET]

Redis Communication:

# Authentik Redis
AUTHENTIK_REDIS__HOST: authentik_redis

# Paperless Redis
PAPERLESS_REDIS: redis://paperless_redis:6379

# Nextcloud Redis
REDIS_HOST: redis

Port Management Strategy

Internal Port Assignments:

  • Traefik: 8080 (dashboard), 80/443 (traffic)
  • PostgreSQL: 5432
  • MariaDB: 3306
  • Authentik: 9000
  • Paperless: 8000
  • Nextcloud: 80
  • Vikunja: 3456
  • BookStack: 80
  • Homarr: 3000
  • Portainer: 9000
  • Uptime Kuma: 3001
  • Adminer: 8080

Conflict Resolution: Multiple services use ports 80 and 8080 internally; the conflicts are resolved through:

  • Docker overlay network isolation
  • Service-specific port mapping
  • Traefik load balancer configuration

Network Security Notes:

  • No direct external access to internal ports (except databases)
  • All HTTP traffic redirected to HTTPS
  • Service isolation through overlay networks
  • Authentication required for management interfaces
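
Auditing published ports against this list: the script below is an added example, not part of the original stack. It reads `docker service inspect` JSON and classifies every published port against the "Published Ports on Swarm" list above. The service names and the sample data (including the extra adminer port) are constructed assumptions.

```python
import json

# Published ports as documented in "Published Ports on Swarm" above.
DOCUMENTED = {80, 443, 8081, 5432, 3306}
# Documented ports that are not the 80/443 entrypoints: the Traefik
# dashboard and the two databases the page lists as directly accessible.
DIRECT = {8081, 5432, 3306}

# Constructed sample shaped like `docker service inspect <names...>` output;
# service names and the adminer entry are assumptions for illustration.
SAMPLE = json.dumps([
    {"Spec": {"Name": "traefik"}, "Endpoint": {"Ports": [
        {"Protocol": "tcp", "TargetPort": 80, "PublishedPort": 80, "PublishMode": "ingress"},
        {"Protocol": "tcp", "TargetPort": 443, "PublishedPort": 443, "PublishMode": "ingress"},
        {"Protocol": "tcp", "TargetPort": 8080, "PublishedPort": 8081, "PublishMode": "ingress"}]}},
    {"Spec": {"Name": "postgres"}, "Endpoint": {"Ports": [
        {"Protocol": "tcp", "TargetPort": 5432, "PublishedPort": 5432, "PublishMode": "ingress"}]}},
    {"Spec": {"Name": "mariadb"}, "Endpoint": {"Ports": [
        {"Protocol": "tcp", "TargetPort": 3306, "PublishedPort": 3306, "PublishMode": "host"}]}},
    {"Spec": {"Name": "adminer"}, "Endpoint": {"Ports": [
        {"Protocol": "tcp", "TargetPort": 8080, "PublishedPort": 8080, "PublishMode": "ingress"}]}},
    {"Spec": {"Name": "authentik"}, "Endpoint": {}},  # nothing published
])

def audit(inspect_json):
    """Return (service, published_port, mode, verdict) for every published port."""
    findings = []
    for svc in json.loads(inspect_json):
        name = svc["Spec"]["Name"]
        # Services with nothing published have no "Ports" key (or a null one).
        for port in (svc.get("Endpoint") or {}).get("Ports") or []:
            pub = port.get("PublishedPort")
            if not pub:
                continue
            if pub not in DOCUMENTED:
                verdict = "undocumented"  # drift from the documented list
            elif pub in DIRECT:
                verdict = "direct"        # not an 80/443 entrypoint; restrict by source
            else:
                verdict = "entrypoint"    # 80/443, handled by Traefik
            findings.append((name, pub, port.get("PublishMode", "ingress"), verdict))
    return findings

if __name__ == "__main__":
    for name, pub, mode, verdict in audit(SAMPLE):
        print(f"{verdict:12} {name:10} {pub}/tcp ({mode})")
```

Ports published in ingress mode are opened on every Swarm node by the routing mesh, so any firewall rule restricting the "direct" ports has to be applied on all nodes, not only the one running the task.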