Merge 9f9fed6c64 into 746c20f2c8

6 years ago · 2c16622bfd
parent 746c20f2c8 9f9fed6c64
commit 2c16622bfd
3 changed files with 30 additions and 16 deletions
--- a/9
+++ b/9
@ -1,7 +1,8 @@
 FROM haproxy:1.7-alpine
-MAINTAINER Tecnativa <info@tecnativa.com>
+LABEL maintainer="Tecnativa <info@tecnativa.com>"

 EXPOSE 2375
+VOLUME /run/docker-filtered
 ENV AUTH=0 \
    BUILD=0 \
    COMMIT=0 \
@ -21,13 +22,15 @@ ENV AUTH=0 \
    SYSTEM=0 \
    TASKS=0 \
    VERSION=1 \
-    VOLUMES=0
+    VOLUMES=0 \
+    SOCK_NETWORK=1 \
+    SOCK_DISK=1
 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

 # Metadata
 ARG VCS_REF
 ARG BUILD_DATE
-LABEL org.label-schema.schema-version="1.0" \
+LABEL org.label-schema.schema-version="1.1" \
      org.label-schema.vendor=Tecnativa \
      org.label-schema.license=Apache-2.0 \
      org.label-schema.build-date="$BUILD_DATE" \
--- a/README.md
+++ b/README.md
@ -46,6 +46,7 @@ requests that should never happen.
            -d --privileged \
            --name dockerproxy \
            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v /run/docker-filtered:/run/docker-filtered \
            -p 127.0.0.1:2375:2375 \
            tecnativa/docker-socket-proxy

@ -53,6 +54,10 @@ requests that should never happen.

        $ export DOCKER_HOST=tcp://localhost

+or
+
+        $ export DOCKER_HOST=unix:///run/docker-filtered/docker.sock
+
 3.  You can see the docker version:

        $ docker version
@ -138,6 +143,13 @@ does not need.
 - `TASKS`
 - `VOLUMES`

+## Grant or revoke access to API listener
+
+There are two listeners for the API and each of them can be disable the same way as the previous features:
+
+- `SOCK_NETWORK` for the port tcp/2375
+- `SOCK_DISK` for `/run/docker-filtered/docker.sock`
+
 ## Supported API versions

 - [1.27](https://docs.docker.com/engine/api/v1.27/)
--- a/haproxy.cfg
+++ b/haproxy.cfg
@ -27,20 +27,7 @@ defaults
    # Allow seamless reloads
    load-server-state-from-file global

-    # Use provided example error pages
-    errorfile 400 /usr/local/etc/haproxy/errors/400.http
-    errorfile 403 /usr/local/etc/haproxy/errors/403.http
-    errorfile 408 /usr/local/etc/haproxy/errors/408.http
-    errorfile 500 /usr/local/etc/haproxy/errors/500.http
-    errorfile 502 /usr/local/etc/haproxy/errors/502.http
-    errorfile 503 /usr/local/etc/haproxy/errors/503.http
-    errorfile 504 /usr/local/etc/haproxy/errors/504.http
-
 backend dockerbackend
-    server dockersocket /var/run/docker.sock
-
-frontend dockerfrontend
-    bind :2375
    http-request deny unless METH_GET || { env(POST) -m bool }
    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool }
    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool }
@ -62,4 +49,16 @@ frontend dockerfrontend
    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } ! { env(TASKS) -m bool }
    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } ! { env(VERSION) -m bool }
    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } ! { env(VOLUMES) -m bool }
+
+    server dockersocket /var/run/docker.sock
+
+frontend docker-network
+    bind :2375
+    http-request deny if ! { env(SOCK_NETWORK) -m bool }
    default_backend dockerbackend
+
+frontend docker-disk
+    bind /run/docker-filtered/docker.sock
+    http-request deny if ! { env(SOCK_DISK) -m bool }
+    default_backend dockerbackend
+