diff --git a/Dockerfile b/Dockerfile index a89cc77..d62c11e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,8 @@ FROM haproxy:1.7-alpine -MAINTAINER Tecnativa +LABEL maintainer="Tecnativa " EXPOSE 2375 +VOLUME /run/docker-filtered ENV AUTH=0 \ BUILD=0 \ COMMIT=0 \ @@ -21,13 +22,15 @@ ENV AUTH=0 \ SYSTEM=0 \ TASKS=0 \ VERSION=1 \ - VOLUMES=0 + VOLUMES=0 \ + SOCK_NETWORK=1 \ + SOCK_DISK=1 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg # Metadata ARG VCS_REF ARG BUILD_DATE -LABEL org.label-schema.schema-version="1.0" \ +LABEL org.label-schema.schema-version="1.1" \ org.label-schema.vendor=Tecnativa \ org.label-schema.license=Apache-2.0 \ org.label-schema.build-date="$BUILD_DATE" \ diff --git a/README.md b/README.md index c7642bd..ddda480 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ requests that should never happen. -d --privileged \ --name dockerproxy \ -v /var/run/docker.sock:/var/run/docker.sock \ + -v /run/docker-filtered:/run/docker-filtered \ -p 127.0.0.1:2375:2375 \ tecnativa/docker-socket-proxy @@ -53,6 +54,10 @@ requests that should never happen. $ export DOCKER_HOST=tcp://localhost +or + + $ export DOCKER_HOST=unix:///run/docker-filtered/docker.sock + 3. You can see the docker version: $ docker version @@ -138,6 +143,13 @@ does not need. - `TASKS` - `VOLUMES` +## Grant or revoke access to API listener + +There are two listeners for the API and each of them can be disable the same way as the previous features: + +- `SOCK_NETWORK` for the port tcp/2375 +- `SOCK_DISK` for `/run/docker-filtered/docker.sock` + ## Supported API versions - [1.27](https://docs.docker.com/engine/api/v1.27/) diff --git a/haproxy.cfg b/haproxy.cfg index e63785b..e6cc2af 100644 --- a/haproxy.cfg +++ b/haproxy.cfg 
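Review bot: `VOLUME /run/docker-filtered` is not needed for the bind mount the README documents (`-v /run/docker-filtered:/run/docker-filtered`), and it has a cost: every container started without a mount at that path gets an anonymous volume holding the proxy socket, which lingers after the container is gone. I would drop the `VOLUME` line and rely on the documented bind mount, or, if it is kept, add `# Anonymous volume is created here when no bind mount is given` so the choice is deliberate. Separately, `LABEL maintainer="Tecnativa "` has a trailing space inside the quotes; if an address was meant to follow (it may have been lost in rendering) it should be restored, otherwise the value should be trimmed.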
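Review bot: `SOCK_DISK=1` enables the new unix-socket listener by default, while every other capability flag visible in this `ENV` block (`SYSTEM=0`, `TASKS=0`, `VOLUMES=0`, and `AUTH`/`BUILD`/`COMMIT` in the first hunk) defaults to denied, with only `VERSION=1` as an exception. Keeping `SOCK_NETWORK=1` preserves the existing tcp/2375 behaviour, but the on-disk listener is new and should be opt-in to match the fail-closed convention: `SOCK_DISK=0`. The `ENV` block starts before this hunk, so I cannot see whether other flags are also enabled by default.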
@@ -27,20 +27,7 @@ defaults # Allow seamless reloads load-server-state-from-file global - # Use provided example error pages - errorfile 400 /usr/local/etc/haproxy/errors/400.http - errorfile 403 /usr/local/etc/haproxy/errors/403.http - errorfile 408 /usr/local/etc/haproxy/errors/408.http - errorfile 500 /usr/local/etc/haproxy/errors/500.http - errorfile 502 /usr/local/etc/haproxy/errors/502.http - errorfile 503 /usr/local/etc/haproxy/errors/503.http - errorfile 504 /usr/local/etc/haproxy/errors/504.http - backend dockerbackend - server dockersocket /var/run/docker.sock - -frontend dockerfrontend - bind :2375 http-request deny unless METH_GET || { env(POST) -m bool } http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool } http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool } @@ -62,4 +49,16 @@ frontend dockerfrontend http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } ! { env(TASKS) -m bool } http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } ! { env(VERSION) -m bool } http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } ! { env(VOLUMES) -m bool } + + server dockersocket /var/run/docker.sock + +frontend docker-network + bind :2375 + http-request deny if ! { env(SOCK_NETWORK) -m bool } default_backend dockerbackend + +frontend docker-disk + bind /run/docker-filtered/docker.sock + http-request deny if ! { env(SOCK_DISK) -m bool } + default_backend dockerbackend +
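Review bot: A comment is missing above the first `http-request deny` in `backend dockerbackend` explaining why the access rules now live in the backend rather than in a frontend, since a reader used to the old layout may move them back and silently leave one listener unfiltered; something like `# Access rules are evaluated in the backend so every frontend (tcp/2375 and the unix socket) gets the same filtering`. Removing the `errorfile` lines also means denied requests receive HAProxy's built-in error responses unless equivalents are configured outside this hunk, which the change does not mention. The backend section continues past the end of the hunk.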
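Review bot: `bind /run/docker-filtered/docker.sock` sets no `mode`, `user` or `group`, so the socket is created with permissions derived from the HAProxy process's umask, and because the README bind-mounts that directory from the host, those permissions become the host's effective access control for the filtered API. The `http-request deny if ! { env(SOCK_DISK) -m bool }` switch only turns the listener off entirely; it does not limit who may use it while it is on. I would set the permissions explicitly, e.g. `bind /run/docker-filtered/docker.sock mode 660` with a `user`/`group` matching the intended consumer, and document the expected socket ownership next to the `bind` line.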