In the docker-compose.yml file it has:

      # expose port to localhost too
      - "8000:8000"

I never used ufw-docker but normal behavior with Docker here would publish 8000 to the outside world allowing someone to bypass your proxy and directly visit http://example.com:8000. Does ufw-docker not do that? The comment hints that they probably want to use "127.0.0.1:8000:8000" instead of "8000:8000" to be explicit, or at the very least should call out that ufw-docker is doing something special to block it because by default using 8000:8000 is quite dangerous to use with Docker and iptables.

I'm also curious about this quote:

> Docker does not play well with iptables, so I use ufw-docker to set up the firewall.

I never had any issues using iptables with Docker. What doesn't play nicely?

There's no problem if you use only basic iptables rules but ufw use iptables in a very complicated way. If you want ufw and docker to play well together, you have to disable docker's iptables manipulations or use ufw-docker as the author. More about that at ufw-docker documentation https://github.com/chaifeng/ufw-docker