Ports Reference
Use this when configuring firewalls, reverse proxies, or port forwards.
Server (dockmesh controller)
| Port | Protocol | Direction | Required? | Purpose |
|---|---|---|---|---|
| 8080 | TCP | inbound | Yes | HTTP UI + API (default) |
| 8443 | TCP | inbound | Yes (if multi-host) | Agent mTLS connections |
| 80 | TCP | inbound | Only for ACME | Let’s Encrypt HTTP-01 challenge |
| 443 | TCP | inbound | If public HTTPS | HTTPS UI via embedded Caddy |
| 25 / 587 / 465 | TCP | outbound | Only for email alerts | SMTP |
The server does not need any inbound port beyond 8080 and 8443 for basic operation. The reverse proxy (embedded Caddy) handles 80/443 when enabled.
Agent (remote host)
| Port | Protocol | Direction | Required? | Purpose |
|---|---|---|---|---|
| (none) | TCP | inbound | No | Agents connect outbound only |
| 8443 (server) | TCP | outbound | Yes | mTLS to dockmesh server |
| 443 (registries) | TCP | outbound | Yes | Image pulls from Docker Hub, ghcr.io, etc. |
Agent hosts need no inbound ports at all; agents only ever dial out to the server and to image registries. This is the fundamental dockmesh design, and it means a compromised network segment gains nothing by scanning agent hosts for a management listener.
Docker daemon
dockmesh talks to the local Docker daemon via Unix socket by default:
| Path / Port | Purpose |
|---|---|
| /var/run/docker.sock | Default, recommended |
| tcp://:2375 | Docker HTTP API (insecure and unauthenticated; never expose it beyond the host) |
| tcp://:2376 | Docker HTTPS API (requires mTLS) |
If you must use TCP: enable mTLS (DOCKMESH_DOCKER_TLS_VERIFY=true) and bind the daemon to loopback (127.0.0.1:2376) so the API is never reachable from the network. Anyone who can reach an unauthenticated Docker API has root-equivalent access to the host.
Embedded Caddy
When Reverse Proxy is enabled:
| Port | Purpose |
|---|---|
| 80 | HTTP → HTTPS redirect + ACME challenges |
| 443 | Public HTTPS for routed stacks |
| 2019 | Caddy admin API (bound to localhost only, used by dockmesh internally). It is unauthenticated, so never publish or port-forward it: anyone who reaches it can rewrite the proxy configuration |
Embedded services
| Port | Purpose |
|---|---|
| 9090 | Prometheus metrics (when the scraper is enabled; dockmesh serves them on the /metrics path of port 8080, 9090 is the usual port of the Prometheus server that scrapes them) |
| (none) | Grype scanner has no listener; it runs as a CLI-invoked binary |
Published container ports
Containers you deploy publish ports as they like. dockmesh doesn’t reserve any range.
Typical self-host ports to avoid conflicting with (depending on what you deploy):
| Port | Common use |
|---|---|
| 22 | SSH (host) |
| 25, 587, 465 | SMTP |
| 53 | DNS (Pi-hole, Unbound) |
| 80, 443 | Web (Caddy) |
| 1883, 8883 | MQTT |
| 3000 | n8n, Grafana |
| 3306 | MySQL |
| 5432 | PostgreSQL |
| 5678 | n8n |
| 6379 | Redis |
| 8080 | dockmesh UI |
| 8123 | Home Assistant |
| 8443 | dockmesh agent |
| 9000 | MinIO, Portainer |
| 9090 | Prometheus |
| 9100 | node-exporter |
Firewall examples
UFW (simple)
```sh
# On the dockmesh server
ufw default deny incoming
ufw allow from <trusted-subnet> to any port 8080 proto tcp   # HTTP UI + API
ufw allow from <agent-subnet> to any port 8443 proto tcp     # agent mTLS
ufw allow 443/tcp                                            # public HTTPS via embedded Caddy
ufw allow 80/tcp                                             # for ACME
ufw enable
```
nftables (modern)
```
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname lo accept                              # loopback: Caddy admin API (2019), docker API on 127.0.0.1
    ct state established,related accept            # replies to outbound connections (registries, SMTP)
    tcp dport { 80, 443 } accept                   # public Caddy listeners
    ip saddr 10.0.0.0/8 tcp dport 8080 accept      # UI + API from the trusted network only
    ip saddr 10.0.0.0/8 tcp dport 8443 accept      # agent mTLS from the agent network only
  }
}
```
Replace 10.0.0.0/8 with your actual trusted and agent subnets. With `policy drop` and no ICMP rule the host also drops ICMPv6, which breaks neighbour discovery on IPv6 hosts; add `meta l4proto { icmp, icmpv6 } accept` (or a narrower rule) if the server has IPv6 addresses.
Note that neither rule set governs ports published by containers: Docker installs its own NAT and forward rules for published ports, so traffic to them never traverses the host input chain. A container published as `-p 5432:5432` is reachable from the network regardless of the rules above; publish on `127.0.0.1:5432:5432` when a service should stay local.
cloud security groups
- Inbound 8080/tcp from your VPN subnet only
- Inbound 8443/tcp from your VPC’s private subnet (where agents live)
- Inbound 80/tcp and 443/tcp from 0.0.0.0/0 (public apps)
- Outbound allowed to Docker Hub, your registry, SMTP
These inbound rules belong on the server’s security group only. Agent security groups need no inbound rules, since agents connect outbound to 8443 and to the registries.
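After applying any of the rule sets above, it is worth checking what the server actually listens on against the tables on this page: 2375 should never appear, 2376 and 2019 must be bound to loopback, and 8080/8443 on a wildcard address are only acceptable if the firewall restricts them. The following script is an added example, not part of dockmesh; it reads `ss -H -ltn` output and applies that policy. The severity levels, message texts and the embedded sample socket list are this example's own constructions.

```sh
#!/bin/sh
# Audit a host's listening TCP sockets against the dockmesh ports reference.
# Added example, not dockmesh code. Reads `ss -H -ltn` output on stdin.
# Policy (this script's own reading of the tables above):
#   2375        never acceptable (unauthenticated Docker API)
#   2376, 2019  must be bound to loopback only
#   8080, 8443  warn unless loopback (the firewall must limit them to trusted subnets)
#   80, 443     expected public Caddy listeners

# is_loopback ADDR -> exit 0 when ADDR is a loopback address as printed by ss
is_loopback() {
  case "$1" in
    127.*|'[::1]') return 0 ;;
    *) return 1 ;;
  esac
}

# audit_listener LOCAL  (the ss "Local Address:Port" column, e.g. 0.0.0.0:8080 or [::]:80)
# prints one finding line: "LEVEL PORT message"
audit_listener() {
  port=${1##*:}   # text after the last colon
  host=${1%:*}    # text before it: 0.0.0.0, *, [::], 127.0.0.1, ...
  case "$port" in
    2375)
      echo "FAIL $port Docker HTTP API on $host is unauthenticated; use docker.sock or 2376 with mTLS" ;;
    2376)
      if is_loopback "$host"; then echo "OK $port Docker HTTPS API on loopback"
      else echo "FAIL $port Docker HTTPS API bound to $host instead of loopback"; fi ;;
    2019)
      if is_loopback "$host"; then echo "OK $port Caddy admin API on loopback"
      else echo "FAIL $port Caddy admin API bound to $host instead of loopback"; fi ;;
    8080|8443)
      if is_loopback "$host"; then echo "OK $port dockmesh listener on loopback"
      else echo "WARN $port dockmesh listener on $host; firewall must limit it to trusted/agent subnets"; fi ;;
    80|443)
      echo "OK $port Caddy public listener on $host" ;;
    *)
      echo "INFO $port unlisted listener on $host (not a dockmesh port)" ;;
  esac
}

# audit_ss < ss-output -> prints one finding per LISTEN line; exit 1 if any FAIL
audit_ss() {
  fails=0
  while read -r state _recvq _sendq laddr _peer _rest; do
    [ "$state" = "LISTEN" ] || continue
    finding=$(audit_listener "$laddr")
    echo "$finding"
    case "$finding" in FAIL*) fails=$((fails + 1)) ;; esac
  done
  [ "$fails" -eq 0 ]
}

# Constructed sample in `ss -H -ltn` format (not captured from a real host):
# a server with the UI/agent listeners on all interfaces, Caddy on 80/443,
# the admin API correctly on loopback, and a misconfigured Docker API on 2375.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2019 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# On a real host run:  ss -H -ltn | audit_ss
printf '%s\n' "$SAMPLE_SS" | audit_ss || echo "audit: FAIL findings present"
```

The non-zero exit on any FAIL makes the check usable as a post-deploy gate. Remember that it only sees host sockets: ports published by containers are handled by Docker's own NAT rules and must be checked with `docker ps` (look for `0.0.0.0:` in the PORTS column) rather than with `ss`.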
See also
Section titled “See also”- Hardening — firewall recommendations
- Multi-Host — why agents need no inbound ports
- Installation — default port setup