commit
17ff117058
@ -0,0 +1,35 @@ |
||||
FROM haproxy:1.7-alpine |
||||
MAINTAINER Tecnativa <info@tecnativa.com> |
||||
|
||||
EXPOSE 2375 |
||||
ENV AUTH=0 \ |
||||
BUILD=0 \ |
||||
COMMIT=0 \ |
||||
CONTAINERS=0 \ |
||||
EVENTS=1 \ |
||||
EXEC=0 \ |
||||
IMAGES=0 \ |
||||
INFO=0 \ |
||||
NETWORKS=0 \ |
||||
NODES=0 \ |
||||
PING=1 \ |
||||
PLUGINS=0 \ |
||||
POST=0 \ |
||||
SECRETS=0 \ |
||||
SERVICES=0 \ |
||||
SWARM=0 \ |
||||
SYSTEM=0 \ |
||||
TASKS=0 \ |
||||
VERSION=1 \ |
||||
VOLUMES=0 |
||||
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg |
||||
|
||||
# Metadata |
||||
ARG VCS_REF |
||||
ARG BUILD_DATE |
||||
LABEL org.label-schema.schema-version="1.0" \ |
||||
org.label-schema.vendor=Tecnativa \ |
||||
org.label-schema.license=Apache-2.0 \ |
||||
org.label-schema.build-date="$BUILD_DATE" \ |
||||
org.label-schema.vcs-ref="$VCS_REF" \ |
||||
org.label-schema.vcs-url="https://github.com/Tecnativa/docker-tcp-proxy" |
@ -0,0 +1,202 @@ |
||||
|
||||
Apache License |
||||
Version 2.0, January 2004 |
||||
http://www.apache.org/licenses/ |
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION |
||||
|
||||
1. Definitions. |
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction, |
||||
and distribution as defined by Sections 1 through 9 of this document. |
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by |
||||
the copyright owner that is granting the License. |
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all |
||||
other entities that control, are controlled by, or are under common |
||||
control with that entity. For the purposes of this definition, |
||||
"control" means (i) the power, direct or indirect, to cause the |
||||
direction or management of such entity, whether by contract or |
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the |
||||
outstanding shares, or (iii) beneficial ownership of such entity. |
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity |
||||
exercising permissions granted by this License. |
||||
|
||||
"Source" form shall mean the preferred form for making modifications, |
||||
including but not limited to software source code, documentation |
||||
source, and configuration files. |
||||
|
||||
"Object" form shall mean any form resulting from mechanical |
||||
transformation or translation of a Source form, including but |
||||
not limited to compiled object code, generated documentation, |
||||
and conversions to other media types. |
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or |
||||
Object form, made available under the License, as indicated by a |
||||
copyright notice that is included in or attached to the work |
||||
(an example is provided in the Appendix below). |
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object |
||||
form, that is based on (or derived from) the Work and for which the |
||||
editorial revisions, annotations, elaborations, or other modifications |
||||
represent, as a whole, an original work of authorship. For the purposes |
||||
of this License, Derivative Works shall not include works that remain |
||||
separable from, or merely link (or bind by name) to the interfaces of, |
||||
the Work and Derivative Works thereof. |
||||
|
||||
"Contribution" shall mean any work of authorship, including |
||||
the original version of the Work and any modifications or additions |
||||
to that Work or Derivative Works thereof, that is intentionally |
||||
submitted to Licensor for inclusion in the Work by the copyright owner |
||||
or by an individual or Legal Entity authorized to submit on behalf of |
||||
the copyright owner. For the purposes of this definition, "submitted" |
||||
means any form of electronic, verbal, or written communication sent |
||||
to the Licensor or its representatives, including but not limited to |
||||
communication on electronic mailing lists, source code control systems, |
||||
and issue tracking systems that are managed by, or on behalf of, the |
||||
Licensor for the purpose of discussing and improving the Work, but |
||||
excluding communication that is conspicuously marked or otherwise |
||||
designated in writing by the copyright owner as "Not a Contribution." |
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity |
||||
on behalf of whom a Contribution has been received by Licensor and |
||||
subsequently incorporated within the Work. |
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of |
||||
this License, each Contributor hereby grants to You a perpetual, |
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable |
||||
copyright license to reproduce, prepare Derivative Works of, |
||||
publicly display, publicly perform, sublicense, and distribute the |
||||
Work and such Derivative Works in Source or Object form. |
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of |
||||
this License, each Contributor hereby grants to You a perpetual, |
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable |
||||
(except as stated in this section) patent license to make, have made, |
||||
use, offer to sell, sell, import, and otherwise transfer the Work, |
||||
where such license applies only to those patent claims licensable |
||||
by such Contributor that are necessarily infringed by their |
||||
Contribution(s) alone or by combination of their Contribution(s) |
||||
with the Work to which such Contribution(s) was submitted. If You |
||||
institute patent litigation against any entity (including a |
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work |
||||
or a Contribution incorporated within the Work constitutes direct |
||||
or contributory patent infringement, then any patent licenses |
||||
granted to You under this License for that Work shall terminate |
||||
as of the date such litigation is filed. |
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the |
||||
Work or Derivative Works thereof in any medium, with or without |
||||
modifications, and in Source or Object form, provided that You |
||||
meet the following conditions: |
||||
|
||||
(a) You must give any other recipients of the Work or |
||||
Derivative Works a copy of this License; and |
||||
|
||||
(b) You must cause any modified files to carry prominent notices |
||||
stating that You changed the files; and |
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works |
||||
that You distribute, all copyright, patent, trademark, and |
||||
attribution notices from the Source form of the Work, |
||||
excluding those notices that do not pertain to any part of |
||||
the Derivative Works; and |
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its |
||||
distribution, then any Derivative Works that You distribute must |
||||
include a readable copy of the attribution notices contained |
||||
within such NOTICE file, excluding those notices that do not |
||||
pertain to any part of the Derivative Works, in at least one |
||||
of the following places: within a NOTICE text file distributed |
||||
as part of the Derivative Works; within the Source form or |
||||
documentation, if provided along with the Derivative Works; or, |
||||
within a display generated by the Derivative Works, if and |
||||
wherever such third-party notices normally appear. The contents |
||||
of the NOTICE file are for informational purposes only and |
||||
do not modify the License. You may add Your own attribution |
||||
notices within Derivative Works that You distribute, alongside |
||||
or as an addendum to the NOTICE text from the Work, provided |
||||
that such additional attribution notices cannot be construed |
||||
as modifying the License. |
||||
|
||||
You may add Your own copyright statement to Your modifications and |
||||
may provide additional or different license terms and conditions |
||||
for use, reproduction, or distribution of Your modifications, or |
||||
for any such Derivative Works as a whole, provided Your use, |
||||
reproduction, and distribution of the Work otherwise complies with |
||||
the conditions stated in this License. |
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise, |
||||
any Contribution intentionally submitted for inclusion in the Work |
||||
by You to the Licensor shall be under the terms and conditions of |
||||
this License, without any additional terms or conditions. |
||||
Notwithstanding the above, nothing herein shall supersede or modify |
||||
the terms of any separate license agreement you may have executed |
||||
with Licensor regarding such Contributions. |
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade |
||||
names, trademarks, service marks, or product names of the Licensor, |
||||
except as required for reasonable and customary use in describing the |
||||
origin of the Work and reproducing the content of the NOTICE file. |
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or |
||||
agreed to in writing, Licensor provides the Work (and each |
||||
Contributor provides its Contributions) on an "AS IS" BASIS, |
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
||||
implied, including, without limitation, any warranties or conditions |
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A |
||||
PARTICULAR PURPOSE. You are solely responsible for determining the |
||||
appropriateness of using or redistributing the Work and assume any |
||||
risks associated with Your exercise of permissions under this License. |
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory, |
||||
whether in tort (including negligence), contract, or otherwise, |
||||
unless required by applicable law (such as deliberate and grossly |
||||
negligent acts) or agreed to in writing, shall any Contributor be |
||||
liable to You for damages, including any direct, indirect, special, |
||||
incidental, or consequential damages of any character arising as a |
||||
result of this License or out of the use or inability to use the |
||||
Work (including but not limited to damages for loss of goodwill, |
||||
work stoppage, computer failure or malfunction, or any and all |
||||
other commercial damages or losses), even if such Contributor |
||||
has been advised of the possibility of such damages. |
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing |
||||
the Work or Derivative Works thereof, You may choose to offer, |
||||
and charge a fee for, acceptance of support, warranty, indemnity, |
||||
or other liability obligations and/or rights consistent with this |
||||
License. However, in accepting such obligations, You may act only |
||||
on Your own behalf and on Your sole responsibility, not on behalf |
||||
of any other Contributor, and only if You agree to indemnify, |
||||
defend, and hold each Contributor harmless for any liability |
||||
incurred by, or claims asserted against, such Contributor by reason |
||||
of your accepting any such warranty or additional liability. |
||||
|
||||
END OF TERMS AND CONDITIONS |
||||
|
||||
APPENDIX: How to apply the Apache License to your work. |
||||
|
||||
To apply the Apache License to your work, attach the following |
||||
boilerplate notice, with the fields enclosed by brackets "[]" |
||||
replaced with your own identifying information. (Don't include |
||||
the brackets!) The text should be enclosed in the appropriate |
||||
comment syntax for the file format. We also recommend that a |
||||
file or class name and description of purpose be included on the |
||||
same "printed page" as the copyright notice for easier |
||||
identification within third-party archives. |
||||
|
||||
Copyright [yyyy] [name of copyright owner] |
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); |
||||
you may not use this file except in compliance with the License. |
||||
You may obtain a copy of the License at |
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0 |
||||
|
||||
Unless required by applicable law or agreed to in writing, software |
||||
distributed under the License is distributed on an "AS IS" BASIS, |
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
See the License for the specific language governing permissions and |
||||
limitations under the License. |
@ -0,0 +1,40 @@ |
||||
# Docker Socket Readonly Proxy |
||||
|
||||
[](https://microbadger.com/images/tecnativa/docker-socket-readonly:latest "Get your own version badge on microbadger.com") |
||||
[](https://microbadger.com/images/tecnativa/docker-socket-readonly:latest "Get your own image badge on microbadger.com") |
||||
[](https://microbadger.com/images/tecnativa/docker-socket-readonly:latest "Get your own commit badge on microbadger.com") |
||||
[](https://microbadger.com/images/tecnativa/docker-socket-readonly "Get your own license badge on microbadger.com") |
||||
|
||||
## What? |
||||
|
||||
This is a readonly proxy for the Docker Socket. |
||||
|
||||
## Why? |
||||
|
||||
Giving access to your Docker socket could mean giving root access to your host, |
||||
or even to your whole swarm, but some services require hooking into that socket to |
||||
react to events, etc. Using this proxy lets you block anything you consider those services should not do. |
||||
|
||||
## How? |
||||
|
||||
We use the official [Alpine][]-based [HAProxy][] image with a small |
||||
configuration file. |
||||
|
||||
It blocks access to the Docker socket [API][] according to the environment |
||||
variables you set. It returns a `HTTP 403 Forbidden` status for those dangerous |
||||
requests that should never happen. |
||||
|
||||
## Usage |
||||
|
||||
|
||||
## Feedback |
||||
|
||||
Please send any feedback (issues, questions) to the [issue tracker][]. |
||||
|
||||
[Alpine]: https://alpinelinux.org/ |
||||
[API]: https://docs.docker.com/engine/api/v1.27/ |
||||
[HAProxy]: http://www.haproxy.org/ |
||||
[issue tracker]: https://github.com/Tecnativa/docker-socket-proxy/issues |
||||
[Odoo]: https://www.odoo.com/ |
||||
[proxy mode]: https://www.odoo.com/documentation/10.0/reference/cmdline.html#cmdoption-odoo.py--proxy-mode |
||||
[worker mode]: https://www.odoo.com/documentation/10.0/setup/deploy.html#worker-number-calculation |
@ -0,0 +1,65 @@ |
||||
global |
||||
log 127.0.0.1 local2 |
||||
|
||||
pidfile /run/haproxy.pid |
||||
maxconn 4000 |
||||
|
||||
# Turn on stats unix socket |
||||
server-state-file /var/lib/haproxy/server-state |
||||
|
||||
defaults |
||||
mode http |
||||
log global |
||||
option httplog |
||||
option dontlognull |
||||
option http-server-close |
||||
option redispatch |
||||
retries 3 |
||||
timeout http-request 10s |
||||
timeout queue 1m |
||||
timeout connect 10s |
||||
timeout client 10m |
||||
timeout server 10m |
||||
timeout http-keep-alive 10s |
||||
timeout check 10s |
||||
maxconn 3000 |
||||
|
||||
# Allow seamless reloads |
||||
load-server-state-from-file global |
||||
|
||||
# Use provided example error pages |
||||
errorfile 400 /usr/local/etc/haproxy/errors/400.http |
||||
errorfile 403 /usr/local/etc/haproxy/errors/403.http |
||||
errorfile 408 /usr/local/etc/haproxy/errors/408.http |
||||
errorfile 500 /usr/local/etc/haproxy/errors/500.http |
||||
errorfile 502 /usr/local/etc/haproxy/errors/502.http |
||||
errorfile 503 /usr/local/etc/haproxy/errors/503.http |
||||
errorfile 504 /usr/local/etc/haproxy/errors/504.http |
||||
|
||||
backend dockerbackend |
||||
server dockersocket /var/run/docker.sock |
||||
|
||||
frontend dockerfrontend |
||||
bind :2375 |
||||
http-request deny unless METH_GET || { env(POST) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/auth } ! { env(AUTH) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/build } ! { env(BUILD) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/commit } ! { env(COMMIT) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/containers } ! { env(CONTAINERS) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/events } ! { env(EVENTS) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/exec } ! { env(EXEC) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/images } ! { env(IMAGES) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/info } ! { env(INFO) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/networks } ! { env(NETWORKS) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/nodes } ! { env(NODES) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/_ping } ! { env(PING) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/plugins } ! { env(PLUGINS) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/post } ! { env(POST) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/secrets } ! { env(SECRETS) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/services } ! { env(SERVICES) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/swarm } ! { env(SWARM) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/system } ! { env(SYSTEM) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/tasks } ! { env(TASKS) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/version } ! { env(VERSION) -m bool } |
||||
http-request deny if { path_reg ^(/v\d+.\d+)?/volumes } ! { env(VOLUMES) -m bool } |
||||
default_backend dockerbackend |
@ -0,0 +1,7 @@ |
||||
#!/bin/bash |
||||
set -ex |
||||
|
||||
docker build \ |
||||
--build-arg VCS_REF="$GIT_SHA1" \ |
||||
--build-arg BUILD_DATE="$(date --rfc-3339 ns)" \ |
||||
--tag "$IMAGE_NAME" . |
Loading…
Reference in new issue