I'm trying to tighten up the security on a pre-production build and have put in docker-socket-proxy.
I've managed to make it work by allowing access to all the api paths, but would like to start pulling out the ones traefik doesn't need.
Where can I find a list of the APIs that traefik requires access to? Someone must have done this before, I'd guess.
traefik.yml
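# Traefik reverse-proxy stack (swarm). Traefik reaches the Docker API only
# through the socket-proxy service (tcp://socket-proxy:2375); the raw socket is
# not mounted into this container.
version: '3.7'
services:
  reverse-proxy:
    image: traefik:v2.4
    command:
      # NOTE(review): api.insecure serves the API/dashboard without authentication
      # on :8080. With the host-mode publish of 8080 below and the "traefik" router
      # (which carries no auth middleware, only errorpages), the dashboard is
      # reachable without credentials on two paths.
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --accesslog=true
      # DEBUG logging shows which Docker API paths the provider calls and which the
      # socket proxy rejects — useful while trimming socket-proxy permissions; lower
      # it again once tuning is done.
      - --log.level=DEBUG
      - --log.format=json
      - --providers.docker.exposedbydefault=false
      # Docker API goes via the socket proxy, never the mounted socket.
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.acmeresolver.acme.email=nobody@domain.tld
      - --certificatesresolvers.acmeresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.acmeresolver.acme.storage=/etc/traefik/acme/acme.json
      # Let's Encrypt staging CA — issued certificates are not browser-trusted.
      - --certificatesresolvers.acmeresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    ports:
      - protocol: tcp
        published: 443
        target: 443
      - protocol: tcp
        published: 80
        target: 80
      # Host mode bypasses the ingress mesh and binds 8080 directly on the
      # manager node's interfaces (see api.insecure above).
      - mode: host
        published: 8080
        target: 8080
    volumes:
      # acme.json holds the ACME account key and certificate private keys; it
      # lives on the NFS export defined under volumes: below.
      - traefik:/etc/traefik/acme
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 15s
        order: start-first
      labels:
        # Label values are strings; booleans and numbers are quoted so YAML does
        # not retype them.
        traefik.enable: "true"
        traefik.docker.network: proxy
        traefik.http.services.traefik.loadbalancer.server.port: "8080"
        traefik.http.routers.traefik.rule: Host(`traefik`)
        traefik.http.routers.traefik.entrypoints: websecure
        traefik.http.routers.traefik.tls: "true"
        traefik.http.routers.traefik.middlewares: errorpages@docker
      placement:
        constraints:
          - node.role == manager
    networks:
      - proxy
volumes:
  traefik:
    driver: local
    driver_opts:
      type: nfs4
      # NOTE(review): the private keys in acme.json cross this NFS mount; make
      # sure the export on 10.13.2.1 is restricted to the manager nodes.
      o: addr=10.13.2.1,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14
      device: :/srv/nfs-volumes/traefik
networks:
  proxy:
    # Canonical boolean instead of the YAML 1.1 truthy "yes".
    external: true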
docker-socket-proxy
This is where I've granted access to all the paths.
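# Docker API proxy for Traefik (swarm). The host socket is mounted read-only
# here and every other service reaches the Docker API only through this
# service on port 2375.
version: '3.6'
services:
  socket-proxy:
    # NOTE(review): untagged image floats to :latest — pin a tag or digest so the
    # component guarding the Docker socket cannot change underneath you.
    image: tecnativa/docker-socket-proxy
    # Ignored by `docker stack deploy` (swarm uses deploy.restart_policy, whose
    # default condition is "any"); kept so plain `docker-compose up` still
    # restarts the proxy.
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Every API section is enabled here (values quoted so YAML keeps them as
      # strings). POST is not set, so by the proxy's default non-GET requests
      # are still refused.
      # In swarm mode Traefik's provider reads services, tasks and networks
      # (the version/ping endpoints are allowed by the proxy's defaults); the
      # remaining sections are candidates to drop one at a time while watching
      # Traefik's DEBUG log for refused calls — confirm against your Traefik
      # version before relying on this list.
      BUILD: "1"
      COMMIT: "1"
      CONFIGS: "1"
      CONTAINERS: "1"
      DISTRIBUTION: "1"
      EXEC: "1"
      IMAGES: "1"
      INFO: "1"
      NETWORKS: "1"
      NODES: "1"
      PLUGINS: "1"
      SERVICES: "1"
      SESSION: "1"
      SWARM: "1"
      SYSTEM: "1"
      TASKS: "1"
      VOLUMES: "1"
    networks:
      # NOTE(review): this is the same `proxy` network the published apps sit on,
      # so any of those containers can reach socket-proxy:2375 and read the
      # Docker API. A dedicated network shared only with Traefik would narrow
      # that.
      - proxy
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
networks:
  proxy:
    external: true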