- 01 Use expose: instead of ports: in Docker Compose and let Coolify manage the network
- 02 If you must open a port, use the 127.0.0.1:port:port format; never bind to 0.0.0.0
- 03 Don't embed databases in Docker Compose; use a Coolify managed DB or an external service
- 04 Keep Coolify at v4.0.0-beta.450+ for build cache fixes and security patches
- 05 Prefer disk snapshots over container backups; running containers carry additional security risk
+ Do I need to open ports for inter-container communication?
No. Containers on the same Docker network can communicate without port mappings. If you're using a Coolify managed network, simply remove the ports: section from your compose file and use expose: instead.
+ Does Hetzner Cloud Firewall block Docker ports?
No. Docker port publishing uses both DNAT and docker-proxy to bypass all host-level firewalls. Use Hetzner Cloud Firewall as defense-in-depth, but don't rely on it as primary protection.
+ How do I keep databases secure on Coolify?
The safest approach is to use a managed service (Neon, Supabase). If you must self-host: remove port mappings, use the Docker internal network, disable the 'Make it publicly available' toggle, and take regular disk snapshots.
+ Why does the build cache reset on every deployment?
Before Coolify v4.0.0-beta.450, automatically injected build arguments (SOURCE_COMMIT, COOLIFY_CONTAINER_NAME) changed on every build, invalidating the entire Docker layer cache. Update Coolify to fix this.
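The port rules in takeaways 01 and 02 and in the inter-container answer can be checked mechanically before a deployment. The following is an added example, not code from the original page or from Coolify: it audits an already-parsed Compose file and flags every ports: entry that is not bound to a loopback address. The sample services and the function names are constructed for illustration, and it assumes the Docker daemon's default bind address (0.0.0.0) has not been changed.

```python
import ipaddress

# Constructed sample: a Compose file as it looks after YAML parsing.
SAMPLE_COMPOSE = {
    "services": {
        "web": {"image": "example/web", "expose": ["3000"]},
        "admin": {"image": "example/admin", "ports": ["127.0.0.1:8080:80"]},
        "db": {"image": "postgres:16", "ports": ["5432:5432"]},
        "cache": {"image": "redis:7",
                  "ports": [{"target": 6379, "published": 6379}]},
        "api": {"image": "example/api",
                "ports": ["0.0.0.0:9000:9000/tcp", "[::1]:9001:9001"]},
    }
}

def host_ip(entry):
    """Return the host IP a ports: entry binds to, or None if unspecified."""
    if isinstance(entry, dict):               # long syntax: host_ip key
        return entry.get("host_ip")
    spec = str(entry).split("/")[0]           # drop a /tcp or /udp suffix
    if spec.startswith("["):                  # bracketed IPv6 host address
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    # Only the three-part short form IP:HOST_PORT:CONTAINER_PORT names an IP.
    return parts[0] if len(parts) == 3 else None

def is_loopback_only(entry):
    """True only when the entry is explicitly bound to a loopback address."""
    ip = host_ip(entry)
    if ip is None:
        return False                          # unspecified means 0.0.0.0
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False                          # unparsable host: treat as exposed

def audit(compose):
    """Return (service, entry) pairs for every non-loopback published port."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        for entry in svc.get("ports", []):
            if not is_loopback_only(entry):
                findings.append((name, entry))
    return findings

if __name__ == "__main__":
    for service, entry in audit(SAMPLE_COMPOSE):
        print(f"{service}: {entry!r} is published on all interfaces; "
              "use expose: or bind to 127.0.0.1")
```

Services that only use expose: (web) or bind to 127.0.0.1 or [::1] (admin, the second api entry) pass; a bare port such as 5432 is flagged as well, because Docker publishes it on an ephemeral host port on all interfaces.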