Alisha Bajaj

Leasing and Off-Plan Specialist

Location:Dubai

Actually, you should stop opening ports directly. Now that you are setting up Nginx, you are moving from direct IP:port access to domain-based access through a reverse proxy, which exposes far less: only Nginx faces the internet, and it terminates TLS for every app behind it.

Here is the strategy you should follow:

1. The "Gatekeeper" Strategy

Instead of opening a new port for every app (3000, 3001, 3002, etc.), you only need to open the standard web ports. Nginx acts as the gatekeeper: it listens on ports 80/443 and picks the internal Docker container from the hostname in the request (the Host header, or the SNI name for HTTPS), matched against each server block's server_name (recruiting.darkalphacapital.com vs just-era.com).

2. Update your Firewall

You only need to allow three things for a professional setup:

  • Port 80: Standard HTTP. Nginx uses it to redirect to HTTPS, and Certbot's HTTP-01 challenge needs it to issue and renew the certificate.
  • Port 443: Secure HTTPS (once you run Certbot).
  • Port 22: So you can still SSH into your server. Make sure this rule exists before you run `ufw enable`, or you lock yourself out.

Run these commands:

Bash

# Allow SSH first so that enabling the firewall cannot lock you out
sudo ufw allow 22/tcp

# Allow the web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Remove the direct app-port rules once Nginx is serving the sites.
# Note: this alone does NOT close a port Docker published with "-p 3001:3001";
# Docker inserts its own iptables rules ahead of ufw's, so ufw never sees that
# traffic. Republish the container bound to loopback ("-p 127.0.0.1:3001:3001")
# so only Nginx on the same host can reach it.
sudo ufw delete allow 3000/tcp
sudo ufw delete allow 3001/tcp

3. Why this is better

  1. Security: If port 3001 stays reachable, anyone can visit your site via http://YOUR_IP:3001 and bypass your SSL/HTTPS and every rule you set in Nginx (redirects, headers, rate limits, auth). Remember that with Docker the port is only really closed once the container is published on 127.0.0.1, not merely when the ufw rule is gone.
  2. Professionalism: Users should never have to type :3001 in their browser.
  3. Scalability: You can have 50 apps running on your VPS, and you will still only have ports 80 and 443 open.

4. How the traffic flows now

  1. User types recruiting.darkalphacapital.com.
  2. Request hits your VPS on port 80/443 (DNS resolved the name to your VPS IP).
  3. Nginx reads the hostname "recruiting.darkalphacapital.com" from the request and matches it to the server block with that server_name.
  4. Nginx proxies that request internally to 127.0.0.1:3001 (proxy_pass).
  5. Docker's port mapping delivers it to your HR-Automation container.
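The four steps above as one script, added here as an example and not part of the original reply. It assumes the Debian/Ubuntu Nginx layout (/etc/nginx/sites-available), Certbot's nginx plugin, and the hypothetical container names "hr-automation" and "just-era" in the sample docker ps output; the domains and ports are the ones from the text. Besides the firewall and vhost steps it adds the check the text does not show: an audit of running containers that are still published on the wildcard address and therefore reachable around Nginx regardless of ufw.

```shell
#!/bin/sh
# Added example, not part of the original reply: the gatekeeper setup as one script.
# Assumptions (not stated on the page): Debian/Ubuntu Nginx layout
# (/etc/nginx/sites-available), certbot's nginx plugin, and the hypothetical
# container names "hr-automation" and "just-era" used in the sample docker ps output.
set -eu

# Render an Nginx vhost for one app. Routing is by server_name, i.e. the Host
# header (or the TLS SNI name once certbot adds the 443 block). The upstream is
# 127.0.0.1:PORT, so the app must be published on loopback only.
render_vhost() {
  domain="$1"
  port="$2"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    location / {
        proxy_pass http://127.0.0.1:${port};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Deleting the ufw rule does not close a port Docker published as "-p 3001:3001":
# Docker inserts its own iptables rules ahead of ufw's. This reads
# "name<TAB>ports" lines, the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# from stdin, prints every container whose mapping is bound to the wildcard
# address (0.0.0.0 or :::) and returns 1 if any was found, 0 if all are loopback.
audit_published_ports() {
  tab=$(printf '\t')
  found=0
  while IFS="$tab" read -r name ports; do
    case "$ports" in
      *0.0.0.0:*|*:::*) printf 'EXPOSED %s %s\n' "$name" "$ports"; found=1 ;;
    esac
  done
  return "$found"
}

# With no argument the script only defines the functions; run
# "sh gatekeeper.sh apply" on the VPS to change the firewall and write the vhosts.
if [ "${1:-}" = "apply" ]; then
  sudo ufw allow 22/tcp     # keep SSH before anything else
  sudo ufw allow 80/tcp     # HTTP: redirect to HTTPS and the ACME HTTP-01 challenge
  sudo ufw allow 443/tcp
  sudo ufw delete allow 3000/tcp || true
  sudo ufw delete allow 3001/tcp || true

  while read -r domain port; do
    render_vhost "$domain" "$port" | sudo tee "/etc/nginx/sites-available/$domain" >/dev/null
    sudo ln -sf "/etc/nginx/sites-available/$domain" "/etc/nginx/sites-enabled/$domain"
  done <<EOF
recruiting.darkalphacapital.com 3001
just-era.com 3000
EOF
  sudo nginx -t && sudo systemctl reload nginx
  # certbot's nginx plugin adds the "listen 443 ssl" block and the 80 -> 443 redirect:
  #   sudo certbot --nginx -d recruiting.darkalphacapital.com -d just-era.com

  # Containers still reachable around Nginx: republish each one with
  # "-p 127.0.0.1:PORT:PORT" (or "127.0.0.1:3001:3001" under compose "ports:").
  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports ||
    echo "fix the mappings above, then re-run the audit"
fi
```

After republishing on loopback, confirm from another machine that `curl -m 5 http://YOUR_IP:3001/` no longer connects, while `curl -I https://recruiting.darkalphacapital.com/` returns the app through Nginx.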

Your Next Step

Since you've already run the ufw allow commands earlier, you are fine for now. But as soon as you finish the Nginx config and Certbot (SSL) steps I gave you in the previous message, I recommend deleting the individual port rules (3000 and 3001) to lock down your server.

Have you already added the "A Record" to your DNS settings for the subdomain? If so, we can check if it has propagated yet.