Matthias' Blog
Containerization 1 min read

How to remove public access to your Dokploy UI and restrict it to SSH tunneling

How to remove public access to your Dokploy UI and restrict it to SSH tunneling
Photo by Immo Wegmann / Unsplash

This is going to be a short post, demonstrating how you can remove public exposure from your Dokploy management interface and only allow access via SSH tunneling.

馃挕
Update 11.12.2025: Unfortunately, the proposed change will break Autodeploy functionality with GitHub, so reconsider if this hardening suggestion is applicable in your case.

Change Traefik routing

First, SSH into your Dokploy host and modify the Traefik configuration and replace the existing dokploy.yaml with the following content. This will stop Traefik from exposing the Dokploy service to the world. 

http:
  routers:
    dokploy-router-app:
      rule: Host(`localhost`)
      service: dokploy-service-app
      entryPoints:
        - web
  services:
    dokploy-service-app:
      loadBalancer:
        servers:
          - url: http://dokploy:3000
            passHostHeader: true

/etc/dokploy/traefik/dynamic/dokploy.yaml

Adjust the list of allowed origins

Next, we need to change the ALLOWED_ORIGINS value so that logins from localhost are allowed. 

docker service update --env-rm ALLOWED_ORIGINS --env-add ALLOWED_ORIGINS=http://localhost:3000 dokploy

SSH & port forward to your Dokploy host

That's it. Now you can SSH & port forward to your Dokploy host and securely access the UI via http://localhost:3000

ssh user@host -L3000:localhost:3000

Happy hacking 馃槑

Share Share Share Share Share Email

Read next