{"id":13580811,"url":"https://github.com/fluencelabs/docker-socket-proxy","last_synced_at":"2025-04-06T06:32:06.560Z","repository":{"id":47798015,"uuid":"209545844","full_name":"fluencelabs/docker-socket-proxy","owner":"fluencelabs","description":"Proxy over your Docker socket to restrict which requests it accepts","archived":false,"fork":true,"pushed_at":"2021-06-12T05:19:31.000Z","size":24,"stargazers_count":30,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-05T20:46:35.905Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"Tecnativa/docker-socket-proxy","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fluencelabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-19T12:17:59.000Z","updated_at":"2024-04-14T21:09:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fluencelabs/docker-socket-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluencelabs%2Fdocker-socket-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluencelabs%2Fdocker-socket-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluencelabs%2Fdocker-socket-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluencelabs%2Fdocker-socket-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fluencelabs","download_url":"https://codeload.github.co
m/fluencelabs/docker-socket-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247445649,"owners_count":20939952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T15:01:55.273Z","updated_at":"2025-04-06T06:32:06.304Z","avatar_url":"https://github.com/fluencelabs.png","language":"Dockerfile","funding_links":[],"categories":["Dockerfile"],"sub_categories":[],"readme":"# Docker Socket Proxy\n\n[![](https://images.microbadger.com/badges/version/tecnativa/docker-socket-proxy:latest.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy:latest \"Get your own version badge on microbadger.com\")\n[![](https://images.microbadger.com/badges/image/tecnativa/docker-socket-proxy:latest.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy:latest \"Get your own image badge on microbadger.com\")\n[![](https://images.microbadger.com/badges/commit/tecnativa/docker-socket-proxy:latest.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy:latest \"Get your own commit badge on microbadger.com\")\n[![](https://images.microbadger.com/badges/license/tecnativa/docker-socket-proxy.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy \"Get your own license badge on microbadger.com\")\n\n## What?\n\nThis is a security-enhanced proxy for the Docker Socket.\n\n## Why?\n\nGiving access to your Docker socket could mean giving root access to your host,\nor even to your whole swarm, but some services require hooking into that socket\nto react to events, etc. 
Using this proxy lets you block anything you consider\nthose services should not do.\n\n## How?\n\nWe use the official [Alpine][]-based [HAProxy][] image with a small\nconfiguration file.\n\nIt blocks access to the Docker socket API according to the environment\nvariables you set. It returns an `HTTP 403 Forbidden` status for those dangerous\nrequests that should never happen.\n\n## Security recommendations\n\n- Never expose this container's port to a public network. Expose it only on a Docker\n  network where only the proxy itself and the service that uses it reside.\n- Revoke access to any API section that you consider your service should not\n  need.\n- This image does not include TLS support, just a plain HTTP proxy to the host\n  Docker Unix socket (which is not TLS protected even if you configured your\n  host for TLS protection). This is by design because you are supposed to\n  restrict access to it through Docker's built-in firewall.\n- [Read the docs](#supported-api-versions) for the API version you are using,\n  and **know what you are doing**.\n\n## Usage\n\n1.  Run the API proxy (the `--privileged` flag is required here because it connects to the Docker socket, which is a privileged connection in some SELinux/AppArmor contexts and would get blocked otherwise):\n\n        $ docker container run \\\n            -d --privileged \\\n            --name dockerproxy \\\n            -v /var/run/docker.sock:/var/run/docker.sock \\\n            -p 127.0.0.1:2375:2375 \\\n            tecnativa/docker-socket-proxy\n\n2.  Connect your local docker client to that socket:\n\n        $ export DOCKER_HOST=tcp://localhost\n\n3.  You can see the docker version:\n\n        $ docker version\n        Client:\n         Version:      17.03.1-ce\n         API version:  1.27\n         Go version:   go1.7.5\n         Git commit:   c6d412e\n         Built:        Mon Mar 27 17:14:43 2017\n         OS/Arch:      linux/amd64\n\n        Server:\n         Version:      17.03.1-ce\n         API version:  1.27 (minimum version 1.12)\n         Go version:   go1.7.5\n         Git commit:   c6d412e\n         Built:        Mon Mar 27 17:14:43 2017\n         OS/Arch:      linux/amd64\n         Experimental: false\n\n4.  You cannot see running containers:\n\n        $ docker container ls\n        Error response from daemon: \u003chtml\u003e\u003cbody\u003e\u003ch1\u003e403 Forbidden\u003c/h1\u003e\n        Request forbidden by administrative rules.\n        \u003c/body\u003e\u003c/html\u003e\n\nThe same will happen to any containers that use this proxy's `2375` port to\naccess the Docker socket API.\n\n## Grant or revoke access to certain API sections\n\nYou grant and revoke access to certain features of the Docker API through\nenvironment variables.\n\nNormally the variables match the URL prefix (e.g. `AUTH` controls access to\n`/auth/*` parts of the API, etc.).\n\nPossible values for these variables:\n\n- `0` to **revoke** access.\n- `1` to **grant** access.\n\n### Access granted by default\n\nThese API sections are mostly harmless and almost required for any service that\nuses the API, so they are granted by default.\n\n- `EVENTS`\n- `PING`\n- `VERSION`\n\n### Access revoked by default\n\n#### Security-critical\n\nThese API sections are considered security-critical, and thus access is revoked\nby default. Use maximum caution when enabling these.\n\n- `AUTH`\n- `SECRETS`\n- `POST`: When disabled, only `GET` and `HEAD` operations are allowed, meaning\n  any section of the API is read-only. Note that this is a global \n- `DELETE`: Enables or disables all `DELETE` operations\n\n#### Not always needed\n\nYou may need to grant access to some of these API sections, which\ncan expose some information that your service does not need.\n\n| GET            | POST                  | DELETE              |\n|:---------------|:----------------------|:--------------------|\n| `BUILD`        | `ALLOW_RESTARTS`      | `NETWORKS_DELETE`   |\n| `COMMIT`       | `CONTAINERS_PRUNE`    | `CONTAINERS_DELETE` |\n| `CONFIGS`      | `CONTAINERS_CREATE`   | `IMAGES_DELETE`     |\n| `CONTAINERS`   | `CONTAINERS_RESIZE`   | `VOLUMES_DELETE`    |\n| `DISTRIBUTION` | `CONTAINERS_START`    |                     |\n| `EXEC`         | `CONTAINERS_UPDATE`   |                     |\n| `IMAGES`       | `CONTAINERS_RENAME`   |                     |\n| `INFO`         | `CONTAINERS_PAUSE`    |                     |\n| `NETWORKS`     | `CONTAINERS_UNPAUSE`  |                     |\n| `NODES`        | `CONTAINERS_ATTACH`   |                     |\n| `PLUGINS`      | `CONTAINERS_WAIT`     |                     |\n| `SERVICES`     | `CONTAINERS_EXEC`     |                     |\n| `SESSION`      | `VOLUMES_CREATE`      |                     |\n| `SWARM`        | `VOLUMES_PRUNE`       |                     |\n| `SYSTEM`       | `NETWORKS_CREATE`     |                     |\n| `TASKS`        | `NETWORKS_PRUNE`      |                     |\n| `VOLUMES`      | `NETWORKS_CONNECT`    |                     |\n|                | `NETWORKS_DISCONNECT` |                     |\n|                | `IMAGES_CREATE`       |                     |\n|                | `IMAGES_PRUNE`        |                     |\n\n`ALLOW_RESTARTS` allows `kill`, `stop` and `restart` operations on containers.\n\n## Logging\n\nYou can set the logging level or severity level of the messages to be logged with the\nenvironment variable `LOG_LEVEL`. The default value is `info`. Possible values are: `debug`,\n`info`, `notice`, `warning`, `err`, `crit`, `alert` and `emerg`.\n\n## Supported API versions\n\n- [1.27](https://docs.docker.com/engine/api/v1.27/)\n- [1.28](https://docs.docker.com/engine/api/v1.28/)\n- [1.29](https://docs.docker.com/engine/api/v1.29/)\n- [1.30](https://docs.docker.com/engine/api/v1.30/)\n- [1.37](https://docs.docker.com/engine/api/v1.37/)\n\n## Feedback\n\nPlease send any feedback (issues, questions) to the [issue tracker][].\n\n[Alpine]: https://alpinelinux.org/\n[HAProxy]: http://www.haproxy.org/\n[issue tracker]: https://github.com/Tecnativa/docker-socket-proxy/issues\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffluencelabs%2Fdocker-socket-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffluencelabs%2Fdocker-socket-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffluencelabs%2Fdocker-socket-proxy/lists"}