docker.sock replacement with socket-proxy

2024-11-24 08:50:21 +00:00 · 2024-01-14 09:55:04 +01:00 · 2024-01-14 09:55:04 +01:00 · ba0af9159d
commit ba0af9159d
parent d02b15e7a2
3 changed files with 68 additions and 2 deletions
--- a/Traefik-Secure/README.md
+++ b/Traefik-Secure/README.md
@ -0,0 +1,33 @@
+## Traefik with seperate socket-proxy
+The benefit of using a Docker Socket Proxy with Traefik is to enhance security by restricting access to the Docker API. Instead of allowing Traefik full access to the Docker socket, the proxy enables the proxying of only the necessary API calls, thus reducing the exposure of the Docker socket to the public and potential security risks.
+
+## Use this Socket Proxy with othter Stacks / docker-compose Services
+The idear is, to create a internal Traefik Socket Proxy (with only the Permission to read Container Information with the API).
+If you would use this socket proxy, for other Stacks, see the example below.
+
+### Adjustment with the docker-compose.yml from Uptime-Kuma
+example: Uptime-Kuma
+
+``` docker-compose-uptime.yml
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma
+    volumes:
+      - /opt/dockerdata/uptime-kuma:/app/data
+      # - /var/run/docker.sock:/var/run/docker.sock:ro  # not necessarry - use the socket-proxy
+#   ...
+    networks:
+      - proxy
+      - socket-proxy
+
+networks:
+  socket-proxy:
+    name: socket-proxy-traefik    # use the socket proxy from the Traefik stack
+    external: true
+
+```
+
+### Adjust the Docker Host Deamon Uptime-Kuma Web-GUI:
+
+1. Uptime-Kuma Settings > Docker Hosts > Setup Docker Host
+2. Docker Daemon: change to `tcp://socket-proxy-traefik:2375`
--- a/Traefik-Secure/docker-compose.yaml
+++ b/Traefik-Secure/docker-compose.yaml
@ -1,6 +1,37 @@
 version: '3'

 services:
+# https://github.com/Tecnativa/docker-socket-proxy
+  socket-proxy-traefik:
+    networks:
+      socket-proxy-traefik:
+    restart: always
+    image: tecnativa/docker-socket-proxy
+    container_name: socket-proxy-traefik
+    ports:
+      - 127.0.0.1:2375:2375
+    environment:
+      INFO: 1
+      CONTAINERS: 1
+      BUILD: 0
+      COMMIT: 0
+      CONFIGS: 0
+      DISTRIBUTION: 0
+      EXEC: 0
+      GRPC: 0
+      IMAGES: 0
+      NETWORKS: 0
+      NODES: 0
+      PLUGINS: 0
+      SERVICES: 0
+      SESSION: 0
+      SWARM: 0
+      SYSTEM: 0
+      TASKS: 0
+      VOLUMES: 0
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
  traefik:
    image: traefik:latest
    container_name: traefik
@ -9,6 +40,7 @@ services:
      - no-new-privileges:true
    networks:
       proxy:
+       socket-proxy-traefik:
    ports:
      - 80:80
      - 81:81 # external http
@ -21,7 +53,7 @@ services:
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      # - /var/run/docker.sock:/var/run/docker.sock:ro  # use the socket-proxy
      - /home/ubuntu/docker/traefik/traefik.yml:/traefik.yml:ro
      - /home/ubuntu/docker/traefik/acme.json:/acme.json
      - /home/ubuntu/docker/traefik/config.yml:/config.yml:ro
--- a/Traefik-Secure/traefik.yaml
+++ b/Traefik-Secure/traefik.yaml
@ -35,7 +35,8 @@ serversTransport:
  insecureSkipVerify: true
 providers:
  docker:
-    endpoint: "unix:///var/run/docker.sock"
+    # endpoint: "unix:///var/run/docker.sock"
+    endpoint: "tcp://socket-proxy-traefik:2375"
    exposedByDefault: false
  file:
    filename: /config.yml