⛰️ socket-proxy
Access your docker socket safely as read-only
MAIN TAGS 🏷️
These are the main tags for the image. There is also a tag for each commit and its shorthand sha256 value.
SYNOPSIS 📖
What can I do with this? This image runs a proxy in front of your docker socket and only passes read-only requests through to it. The proxied socket it exposes is owned by 1000:1000, not by root, although the proxy process itself starts as root so that it can talk to the actual docker socket. A TCP endpoint on port 8080 also proxies to the docker socket if you need it; note that in the compose example below the container runs with network_mode "none", so only the Unix socket is reachable there.
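A consumer of the proxy socket (Traefik's docker provider, for instance) only needs read access, so the property worth verifying is that reads succeed and writes are refused. The following probe is an added example, not code from the socket-proxy project: it sends a few read requests that must succeed and one mutating request that must not, and reports a verdict. The page does not document which status the proxy answers refused requests with, so the check only demands that the mutating request does not receive a 2xx. The target URL scheme (unix:// or tcp://) and the default path are assumptions of this example.

```python
"""Verify that a docker socket proxy really is read-only (added example)."""
import http.client
import json
import socket
import sys
import urllib.parse

# Read-only Engine API calls. All of them must answer 2xx through the proxy.
READ_REQUESTS = [
    ("GET", "/_ping"),
    ("GET", "/version"),
    ("GET", "/containers/json?all=1"),
]

# A mutating call that is harmless against the real daemon: pruning with a
# label filter no container carries deletes nothing, yet the daemon answers
# 200. That makes it a real discriminator: a 2xx through the proxy means
# writes are getting through.
_PRUNE_FILTER = urllib.parse.quote(json.dumps({"label": ["socket-proxy-probe=never-set"]}))
WRITE_REQUESTS = [
    ("POST", f"/containers/prune?filters={_PRUNE_FILTER}"),
]


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that speaks HTTP over a Unix domain socket."""

    def __init__(self, path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)


def parse_target(target):
    """'unix:///path' -> ('unix', '/path'); 'tcp://host[:port]' -> ('tcp', host, port)."""
    url = urllib.parse.urlsplit(target)
    if url.scheme == "unix":
        return ("unix", url.path)
    if url.scheme == "tcp":
        return ("tcp", url.hostname, url.port or 8080)  # 8080: the image's TCP endpoint
    raise ValueError(f"unsupported target {target!r}; use unix:///path or tcp://host:port")


def open_connection(target):
    parsed = parse_target(target)
    if parsed[0] == "unix":
        return UnixHTTPConnection(parsed[1])
    return http.client.HTTPConnection(parsed[1], parsed[2], timeout=5)


def send(target, method, path):
    """Return the HTTP status, or None if the proxy refused to talk at all."""
    conn = open_connection(target)
    try:
        conn.request(method, path, headers={"Host": "docker"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def verdict(results):
    """results: list of (kind, method, path, status) with kind 'read' or 'write'.

    Read-only holds when every read got a 2xx and no write did. A dropped
    connection (status None) counts as a failed read and as a refused write.
    """
    problems = []
    for kind, method, path, status in results:
        ok = status is not None and 200 <= status < 300
        if kind == "read" and not ok:
            problems.append(f"read {method} {path} failed (status {status})")
        if kind == "write" and ok:
            problems.append(f"write {method} {path} was ALLOWED (status {status})")
    return (not problems, problems)


def probe(target):
    results = [("read", m, p, send(target, m, p)) for m, p in READ_REQUESTS]
    results += [("write", m, p, send(target, m, p)) for m, p in WRITE_REQUESTS]
    return verdict(results)


if __name__ == "__main__":
    # Inside a consumer container that mounts the proxy volume at /var/run, the
    # proxy socket is /var/run/docker.sock; from elsewhere pass unix:///… or tcp://host:8080.
    ok, problems = probe(sys.argv[1] if len(sys.argv) > 1 else "unix:///var/run/docker.sock")
    print("read-only: OK" if ok else "read-only: FAILED\n  " + "\n  ".join(problems))
    sys.exit(0 if ok else 1)
```

Run it against the real docker socket first (it should report the prune request as allowed) and then against the proxy socket, so you know the write request is one the daemon would otherwise accept.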
COMPOSE ✂️
```yaml
name: "socket-proxy"
services:
  socket-proxy:
    image: "11notes/socket-proxy:1.0.0"
    network_mode: "none" # removes all network capabilities from the container
    volumes:
      - "/run/docker.sock:/run/docker.sock:ro" # mount the host docker socket; :ro only makes the mount read-only, it does not stop writes to the socket itself
      - "socket-proxy:/socket-proxy/run" # this socket is run as 1000:1000, not as root!
    restart: "always"

  traefik:
    image: "11notes/traefik:3.2.0"
    depends_on:
      socket-proxy:
        condition: "service_healthy"
        restart: true
    command:
      - "--global.checkNewVersion=false"
      - "--global.sendAnonymousUsage=false"
      - "--api.dashboard=true"
      - "--api.insecure=true" # serves the dashboard unauthenticated on :8080; for demonstration only, do not expose it like this in production
      - "--log.level=INFO"
      - "--log.format=json"
      - "--providers.docker.exposedByDefault=false" # use docker provider but do not expose by default
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--serversTransport.insecureSkipVerify=true" # do not verify downstream SSL certificates
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
      - "8080:8080/tcp"
    networks:
      frontend:
      backend:
    volumes:
      - "socket-proxy:/var/run" # the proxy socket shows up as /var/run/docker.sock, Traefik's default docker endpoint
    sysctls:
      net.ipv4.ip_unprivileged_port_start: 80
    restart: "always"

  nginx:
    image: "11notes/nginx:1.26.2"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.default.priority=1"
      - "traefik.http.routers.default.rule=PathPrefix(`/`)"
      - "traefik.http.routers.default.entrypoints=http"
      - "traefik.http.routers.default.service=default"
      - "traefik.http.services.default.loadbalancer.server.port=8443"
      - "traefik.http.services.default.loadbalancer.server.scheme=https" # proxy from http to https since this image runs by default on https
    networks:
      backend: # allow container only to be accessed via traefik
    restart: "always"

volumes:
  socket-proxy:

networks:
  frontend:
  backend:
    internal: true
```
DEFAULT SETTINGS 🗃️
| Parameter | Value | Description |
|---|---|---|
| user | docker | user name |
| uid | 1000 | user identifier |
| gid | 1000 | group identifier |
| home | /socket-proxy | home directory of user docker |
ENVIRONMENT 📝
| Parameter | Description | Default |
|---|---|---|
| TZ | time zone | |
| DEBUG | activates the debug option for the container image and the app (if available) | |
| SOCKET_PROXY | path of the read-only socket the proxy exposes | /socket-proxy/run/docker.sock |
| SOCKET_PROXY_DOCKER_SOCKET | path of the actual docker socket | /run/docker.sock |
SOURCE 💾
PARENT IMAGE 🏛️
${{ content_built }}
GENERAL TIPS 📌
- Use a reverse proxy like Traefik, Nginx or HAProxy to terminate TLS and to protect your endpoints
- Use the Let's Encrypt DNS-01 challenge to obtain valid TLS certificates for your services
ElevenNotes™️
This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the releases for breaking changes. If you have any problems using this image, simply raise an issue, thanks. If you have a question or input, please create a new discussion instead of an issue. You can find all my other repositories on GitHub.
created 19.3.2025, 13:40:36 (CET)