feat: rename traefik-docker-proxy to docker-api-proxy

.github/workflows/build-traefik-docker-proxy.yml → .github/workflows/build-docker-api-proxy.yml

@@ -1,14 +1,14 @@
 ---
-name: Build Traefik Docker Proxy image
+name: Build Docker API Proxy image
 on:
   push:
     branches:
       - main
     paths:
-      - 'traefik-docker-proxy/**'
-      - '!traefik-docker-proxy/README.md'
-      - '!traefik-docker-proxy/examples/**'
-      - '.github/workflows/build-traefik-docker-proxy.yml'
+      - 'docker-api-proxy/**'
+      - '!docker-api-proxy/README.md'
+      - '!docker-api-proxy/examples/**'
+      - '.github/workflows/build-docker-api-proxy.yml'
   workflow_dispatch:
   schedule:
     - cron: '35 4 * * 6' # Every Saturday at 04:35am
@@ -40,11 +40,11 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           platforms: linux/amd64
-          context: ./traefik-docker-proxy
-          file: ./traefik-docker-proxy/Dockerfile
+          context: ./docker-api-proxy
+          file: ./docker-api-proxy/Dockerfile
           push: true
           build-args: |
             CADDY_VERSION=${{ matrix.caddy_version }}
           tags: |
-            ghcr.io/f-bn/traefik-docker-proxy:${{ matrix.version }}
-            ghcr.io/f-bn/traefik-docker-proxy:latest
+            ghcr.io/f-bn/docker-api-proxy:${{ matrix.version }}
+            ghcr.io/f-bn/docker-api-proxy:latest

README.md

@@ -8,14 +8,14 @@ This repository contains my personal custom OCI containers images.
 - [blocky](./blocky/)
 - [coredns](./coredns/)
 - [distrobuilder](./distrobuilder/)
+- [docker-api-proxy](./docker-api-proxy/)
 - [feishin](./feishin/)
 - [ferretdb](./ferretdb/)
 - [minio](./minio/)
 - [navidrome](./navidrome/)
 - [pgbouncer](./pgbouncer/)
 - [postgresql](./postgresql/)
 - [traefik](./traefik/)
-- [traefik-docker-proxy](./traefik-docker-proxy/)
 - [valkey](./valkey/)
 - [watchtower](./watchtower/)
 

traefik-docker-proxy/Dockerfile → docker-api-proxy/Dockerfile

@@ -9,23 +9,23 @@ WORKDIR /build
 
 RUN go install github.com/caddyserver/xcaddy/cmd/[email protected]
 
-RUN xcaddy build "v${CADDY_VERSION}" --output traefik-docker-proxy
+RUN xcaddy build "v${CADDY_VERSION}" --output docker-api-proxy
 
 # --- Final stage ---
 FROM cgr.dev/chainguard/wolfi-base:latest
 
 COPY --from=build --chown=0:0 --chmod=0755 \
-  /build/traefik-docker-proxy /usr/bin/traefik-docker-proxy
+  /build/docker-api-proxy /usr/bin/docker-api-proxy
 
 COPY Caddyfile /etc/Caddyfile
 
-ENTRYPOINT [ "/usr/bin/traefik-docker-proxy" ]
+ENTRYPOINT [ "/usr/bin/docker-api-proxy" ]
 
 CMD [ "run", "--config", "/etc/Caddyfile" ]
 
 LABEL \
-  org.opencontainers.image.title="traefik-docker-proxy" \
+  org.opencontainers.image.title="docker-api-proxy" \
   org.opencontainers.image.source="https://github.com/f-bn/containers-images/traefik" \
-  org.opencontainers.image.description="Custom Caddy image for limiting Traefik access to the Docker API through the socket" \
+  org.opencontainers.image.description="Custom Caddy image for limiting applications access to the Docker API through the socket" \
   org.opencontainers.image.licenses="Apache-2.0" \
   org.opencontainers.image.authors="Florian Bobin <[email protected]>"

docker-api-proxy/README.md

@@ -0,0 +1,29 @@
+## General informations
+
+Custom Caddy image built from sources with specific configuration for proxying Docker socket to limit access of applications to Docker API.
+
+Built with Go 1.23.5
+
+## Why creating this image ?
+
+The image goal is to provide the most simple solution for limiting applications access to the Docker API through the socket.
+
+This allows some application such as Traefik or Prometheus to access the Docker API without requiring to mount the Docker API socket inside the container (that could lead to a pretty bad privilege escalation if application is compromised).
+
+For a more flexible solution, prefer [docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) from Tecnativa.
+
+## Image configuration
+
+This image come with a specific Caddy configuration for the use-case described above. The reverse proxy server listens on `http://localhost:2375` and will forward request to the Docker UNIX domain socket mounted inside this proxy container.
+
+Only `GET` method on a specific set of Docker API endpoints are allowed:
+- `/info`
+- `/events`
+- `/networks`
+- `/containers/json`
+- `/containers/<container id>/json`
+- `/version`
+
+For any other methods and/or endpoints called, a 403 error is returned. Moreover, endpoints required for Docker Swarm are not considered.
+
+You can find a basic [docker-compose.yml](./examples/traefik.yml) in the `examples` folder showing a barebone configuration using this container image (i.e absolutely not production-ready).

traefik-docker-proxy/examples/docker-compose.yml → docker-api-proxy/examples/traefik-example.yml

@@ -19,9 +19,9 @@ services:
       - '--providers.docker.exposedbydefault=false'
     cap_drop: ['ALL']
 
-  traefik-docker-proxy:
-    container_name: traefik-docker-proxy
-    image: ghcr.io/f-bn/traefik-docker-proxy:0.1.0
+  docker-api-proxy:
+    container_name: docker-api-proxy
+    image: ghcr.io/f-bn/docker-api-proxy:0.1.0
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     network_mode: container:traefik # note: join Traefik netns to strictly limit access of the proxy to the Traefik container
@@ -36,4 +36,4 @@ services:
       - traefik.http.routers.demo.rule=Host(`demo.domain.local`)
     depends_on:
       - traefik
-      - traefik-docker-proxy
+      - docker-api-proxy