NeXuS enforces strict network isolation using Docker's networking features.
```
┌──────────────────────────────────────────┐
│ traefik-public                           │
│ (external network)                       │
│                                          │
│ All public services connect here         │
│ Traefik routes HTTPS traffic             │
└──────────────────┬───────────────────────┘
                   │
                   │ dual-homed services
                   │
┌──────────────────┴───────────────────────┐
│ nexus-internal                           │
│ (bridge, internal: true)                 │
│                                          │
│ Databases: PostgreSQL, MongoDB,          │
│            Redis, Memcached              │
│                                          │
│ No external routing allowed              │
└──────────────────────────────────────────┘
```
All databases run exclusively on the nexus-internal network:

```yaml
networks:
  nexus-internal:
    driver: bridge
    internal: true   # No external routing allowed
```
The internal: true flag means Docker creates the bridge without external connectivity: containers on it can talk to each other, but they have no route to the internet and nothing outside the network is routed to them.
No container maps ports to the Docker host in production. All traffic flows through Traefik:

Client → Cloudflare (443) → Traefik (443) → Container (internal port)
Database containers have no Traefik labels, ensuring they are never accidentally exposed:

```yaml
postgres:
  networks:
    - nexus-internal   # internal ONLY, not traefik-public
  # NO traefik labels - databases are never public
  environment:
    POSTGRES_HOST_AUTH_METHOD: scram-sha-256
```
PostgreSQL uses SCRAM-SHA-256 password authentication for host connections (no trust-based auth).
```yaml
command: >
  redis-server
  --requirepass ${REDIS_PASSWORD}
  --protected-mode yes
```
Redis requires a password for every connection and runs with protected mode enabled.
```yaml
environment:
  MONGO_INITDB_ROOT_USERNAME: seb
  MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_PASSWORD}
```
MongoDB is initialised with a root user, so every connection must authenticate.
Application services connect to both networks:

```yaml
api:
  networks:
    - traefik-public   # Receive external traffic
    - nexus-internal   # Access databases
```
This allows them to:

- receive external traffic from Traefik (via traefik-public)
- reach the databases (via nexus-internal)

All public DNS records should be proxied through Cloudflare (orange cloud) for:
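The rules above (nexus-internal is internal, databases sit on nexus-internal only, no host port mappings, no Traefik labels on databases, public services attached to traefik-public) can be checked mechanically before a deploy. The following audit is an added example, not NeXuS code; it works on a constructed dict mirroring a parsed docker-compose.yml, and the database service names are assumed.

```python
"""Audit a parsed Compose file against the NeXuS network isolation rules."""

DATABASES = {"postgres", "mongo", "redis", "memcached"}  # assumed service names

# Constructed sample mirroring a parsed docker-compose.yml; redis and mongo
# deliberately break the rules so the audit has something to report.
SAMPLE_COMPOSE = {
    "networks": {
        "traefik-public": {"external": True},
        "nexus-internal": {"driver": "bridge", "internal": True},
    },
    "services": {
        "api": {"networks": ["traefik-public", "nexus-internal"],
                "labels": {"traefik.enable": "true"}},
        "postgres": {"networks": ["nexus-internal"]},
        "redis": {"networks": ["nexus-internal"], "ports": ["6379:6379"]},
        "mongo": {"networks": ["nexus-internal", "traefik-public"]},
    },
}


def _networks(svc):
    """Compose allows `networks` as a list or a mapping; normalise to a set."""
    nets = svc.get("networks", [])
    return set(nets)  # set() of a dict yields its keys


def _labels(svc):
    """Compose allows `labels` as a mapping or a list of 'key=value' strings."""
    labels = svc.get("labels", {})
    return set(labels) if isinstance(labels, dict) else {l.split("=", 1)[0] for l in labels}


def audit(compose, databases=DATABASES):
    """Return a list of rule violations; an empty list means the file is clean."""
    findings = []
    internal = compose.get("networks", {}).get("nexus-internal", {})
    if internal.get("internal") is not True:
        findings.append("nexus-internal: missing 'internal: true', external routing possible")
    for name, svc in compose.get("services", {}).items():
        nets = _networks(svc)
        has_traefik = any(k.startswith("traefik.") for k in _labels(svc))
        if svc.get("ports"):
            findings.append(f"{name}: publishes host ports {svc['ports']}, traffic must enter via Traefik")
        if name in databases:
            if nets != {"nexus-internal"}:
                findings.append(f"{name}: database must be on nexus-internal only, found {sorted(nets)}")
            if has_traefik:
                findings.append(f"{name}: database carries Traefik labels and could be routed publicly")
        elif has_traefik and "traefik-public" not in nets:
            findings.append(f"{name}: has Traefik labels but is not attached to traefik-public")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMPOSE):
        print("VIOLATION", finding)
```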