How to Set Up a Docker Proxy Using tecnativa/docker-socket-proxy
Introduction
When running Docker in production, you typically don't want to expose the Docker daemon socket to external networks. This poses a challenge for tools and apps that need access to the Docker API.
One solution is to set up a proxy that controls and secures access to the Docker API. In this guide, we'll use the open source tecnativa/docker-socket-proxy project to set up a proxy for the Docker socket.
Prerequisites
Before we begin, you'll need:
- Docker installed and running on the host machine
- Docker Compose installed
This guide assumes you have a basic understanding of Docker and Docker Compose. If not quick refresh your knowledge with docker basics
Step 1 - Create Compose File
First, we'll create a docker-compose.yml
file to run the proxy:
version: '3.8'
services:
proxy:
image: tecnativa/docker-socket-proxy
volumes:
- '/var/run/docker.sock:/var/run/docker.sock:ro'
environment:
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
- CONTAINERS: 1
- SERVICES: 1
- IAMGES: 1
- INF0: 1
- NETWORKS: 1
- TASKS: 1
- NODES: 0
This runs the tecnativa/docker-socket-proxy
image and mounts the host Docker socket into the container.
The environment
section specifies access controls - we've allowed access to containers, services, iamges, info, tasks and networks API endpoints. **(0 = no access, 1 = access) **
See the tecnativa/docker-socket-proxy README for full options.
Step 2 - Run the Proxy
Run the proxy with:
docker-compose up -d
The proxy is now running in the background, proxying requests to the Docker socket!
Step 3 - Test the Proxy
We can test it by accessing the proxy API:
curl http://localhost:2375/version
This should return the Docker version, confirming the proxy is working correctly.
Step 4 - Secure the Proxy
For production deployments, you'll want to add authentication and SSL encryption to secure the proxy.
The tecnativa/docker-socket-proxy project supports this via environment variables. See the project README for details on:
- Basic auth
Wrap Up
That's it! With a few simple steps we have a Docker socket proxy set up to securely manage API access.
The docker-socket-proxy container provides secure access to the Docker API from outside the host. This is useful for tools that need access to remotely control Docker, like CI/CD pipelines. The proxy container method is more secure than opening the port directly.
Let me know in the comments if you have any other tips for accessing Docker remotely!