In our docker-compose.yaml samples, you see all kinds of ports being exposed.
This is great for local development, but not for a server, even if it's "just" a staging system.
Our recommendation is to only expose ports that are really necessary to use your app.
And this should only be done through a single Docker container, probably a proxy like NGINX.
This helps you to avoid losing control over what is exposed throughout your (bigger) yaml file.
If you expose a port, make sure to add an additional restriction if possible.
This sample would only expose the MySQL port 3306 for connections from localhost (the host system).
So you can do a default SSH connection to your host, and then a connection from there to your MySQL container. This is pretty much the basic workflow of such a scenario - only with Docker ;).
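A compose file that follows the recommendations above, as an added example that is not one of the original samples: only the proxy publishes ports on all interfaces, and MySQL is bound to the host's loopback address. The service names, the application image and its port 8080 are assumptions made for illustration.

```yaml
# Constructed example: service names, the app image and port 8080 are placeholders.
services:
  proxy:
    image: nginx:stable
    ports:
      # The only ports published on all host interfaces.
      - "80:80"
      - "443:443"
    depends_on:
      - app

  app:
    image: example/app:latest   # hypothetical application image
    # "expose" only documents the port for other containers on the
    # compose network; nothing is published on the host.
    expose:
      - "8080"
    depends_on:
      - db

  db:
    image: mysql:8.0
    environment:
      # Compose aborts with this message if the variable is unset.
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}
    ports:
      # Weak (fine for local development only): published on 0.0.0.0,
      # reachable from any network the host is attached to.
      # - "3306:3306"
      # Restricted: bound to the host's loopback interface only, so a
      # client has to be on the host itself (for example via SSH).
      - "127.0.0.1:3306:3306"
    volumes:
      - db-data:/var/lib/mysql

volumes:
  db-data:
```

After `docker compose up -d`, `docker compose ps` should list the db port as `127.0.0.1:3306->3306/tcp`, which confirms the binding is limited to the loopback interface.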