Allow access from multiple services? #5
So I am pretty new to Git and Docker, so I apologize if this is not the right way to ask a question. I ended up finding your version of a docker socket proxy since it works with newer versions of Traefik -- I've got it working, but would like to add Watchtower to the same proxy. I've tried commenting out the --allowfrom= field, as well as leaving it blank, and get an "invalid RemoteAddr format" error. I've also tried updating the listenip to point to the subnet of my docker-proxynet without success. Looking at your commits for 1.1.0, it seems like these efforts are throwing an error in the handleHttpRequest function, as my log output matches the error strings associated with lines 55-66. Since this is something others may want to do, could you assist? This would be something valuable to put in the readme as well.
Replies: 2 comments
Hello Theamazingnorad, thanks for reaching out. Your question is perfectly placed here in the discussions.

I would recommend using separate instances of socket-proxy for every application. That's because every application needs other rights on the Docker socket. For example, Traefik or Dozzle need read-only access, while Watchtower must also send commands to the Docker socket. So if (hypothetically) the Traefik container were compromised, the attacker could do more damage than with read-only access. Also, allowing more than one service could lead to very complex -allowGET/-allowPOST/etc. regular expressions.

So, one instance of socket-proxy in Traefik's docker-compose.yml (if you use Docker Compose) and another instance within Watchtower's docker-compose.yml.

But, in case you really want to allow multiple applications to use the same socket-proxy, you could do this by allowing an IP network instead of the service names, so for example Instead of commenting out the

Best regards,
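
The least-privilege argument in the reply above, as an added example that is not part of the thread and not socket-proxy's own code: a simplified Go model of a source allowlist plus per-method path regexps, comparing separate instances with one shared instance. The `Instance` type, the IP addresses and the path patterns are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Instance is a simplified model of one proxy instance (an assumption, not
// socket-proxy's code): a source allowlist plus one path regexp per method.
type Instance struct {
	AllowFrom netip.Prefix
	Allowed   map[string]*regexp.Regexp
}

// Permits reports whether a request from src passes both checks.
func (i Instance) Permits(src, method, path string) bool {
	addr, err := netip.ParseAddr(src)
	if err != nil || !i.AllowFrom.Contains(addr) {
		return false
	}
	re, ok := i.Allowed[method]
	return ok && re.MatchString(path)
}

func rx(p string) *regexp.Regexp { return regexp.MustCompile("^(?:" + p + ")$") }

// Constructed addresses and patterns, not taken from any real deployment.
const (
	traefikIP    = "172.20.0.10"
	watchtowerIP = "172.20.0.11"
	readOnly     = `/v1\..{1,2}/(version|containers/.*|events.*)`
	control      = `/v1\..{1,2}/(version|containers/.*|images/.*)`
)

var (
	// Separate instances: each admits one client with only its own rights.
	forTraefik = Instance{netip.MustParsePrefix(traefikIP + "/32"),
		map[string]*regexp.Regexp{"GET": rx(readOnly)}}
	forWatchtower = Instance{netip.MustParsePrefix(watchtowerIP + "/32"),
		map[string]*regexp.Regexp{"GET": rx(control), "POST": rx(control)}}
	// Shared instance: the whole network is admitted with the broader rule set.
	shared = Instance{netip.MustParsePrefix("172.20.0.0/24"), forWatchtower.Allowed}
)

func main() {
	stop := "/v1.43/containers/abc123/stop"
	fmt.Println("separate:", forTraefik.Permits(traefikIP, "POST", stop)) // false
	fmt.Println("shared:  ", shared.Permits(traefikIP, "POST", stop))     // true
}
```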
Hi @theamazingnorad, version 1.3.0 was released today which supports multiple allowed hostnames: https://github.com/wollomatic/socket-proxy?tab=readme-ov-file#setting-up-the-ip-address-or-hostname-allowlist