Traefik 2.0 — paranoid about mounting /var/run/docker.sock?

containeroo

Nov 12, 2019·1 min read

The Problem

If you have followed our previous guides, you mount the Docker Socket ( /var/run/docker.sock) into the Traefik container. If someone gets access into the Traefik container, they can gain full access to your host machine. This makes our paranoia level increase slightly…

The Solution

We found a nice little container (Socket-Proxy) which “filters” all requests to the Docker API. We can allow only get requests to the Docker API and restrict it to /containers/*.

The Socket Proxy uses the official Alpine-based HAProxy image. It blocks access to the Docker socket API according to the environment variables you set. It returns a HTTP 403 Forbidden status for those dangerous requests that should never happen.

Let’s create the socket-proxy container:

/opt/containers/docker-socket/docker-compose.yml

The environment variable CONTAINERS: 1 tells the proxy to grant get requests to /containers/* from the Docker API. Post requests are disabled by default.

All possible settings are described here.

Now we have to change the endpoint in the providers section of the traefik.yml file:

/opt/containers/traefik/data/traefik.yml

Restart the Traefik container and feel a little bit more safe ;-)

gi8 from Containeroo

Traefik 2.0 — paranoid about mounting /var/run/docker.sock?

The Problem

The Solution

containeroo

More from containeroo

More From Medium

Enable Services Auto-discovery in Docker Swarm in 15 minutes

Docker Tips: Rollout and Rollback In Docker Swarm

CI/CD for a Multi-Arch Golang Application Using GitHub Actions, Helm and Kubernetes

How to install Home Assistant Supervisor on Debian Server

Continuous Delivery With Argo

Set up Docker Registry and an UI

Centralize Your Docker Logging With Syslog

Unique Remote & Local Volume Paths with Docker Machine