Firewall ports that genuinely need to be public?

[jspraul]

I'm trying to figure out which ports really need to be public vs. accessible to the CLI.

CapRover must use HTTP-01 for LetsEncrypt certs (tcp port 80), but not sure why anything else needs to be public vs. just accessible to the CLI (on VPN or firewalled to just one IP).

The recommendation was an addition flag: -e BY_PASS_PROXY_CHECK='TRUE' but then I got the following error:

user@host:~$ sudo docker run -p 80:80 -p 443:443 -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover -e BY_PASS_PROXY_CHECK='TRUE'
[eval]:1
BY_PASS_PROXY_CHECK=TRUE
^

ReferenceError: TRUE is not defined
    at [eval]:1:1
    at Script.runInThisContext (vm.js:134:12)
    at Object.runInThisContext (vm.js:310:38)
    at internal/process/execution.js:81:19
    at [eval]-wrapper:6:22
    at evalScript (internal/process/execution.js:80:60)
    at internal/main/eval_string.js:27:3

So I tried with 'true' instead of 'TRUE' and the container did not start, with no output.

user@host:~$ sudo docker run -p 80:80 -p 443:443 -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover -e BY_PASS_PROXY_CHECK='true'
user@host:~$

Did not seem to be working, so I wound up opening 443 and 3000 briefly at startup, and everything seems to be working fine.

[githubsaturn]

-e BY_PASS_PROXY_CHECK='TRUE' must be added as an arg... so it has to be before caprover/caprover.

sudo docker run -e BY_PASS_PROXY_CHECK='TRUE' -p 80:80 -p 443:443 -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover