Docker-socket-proxy

I'm trying to tighten up the security on a pre-production build and have put in docker-socket-proxy.

I've managed to make it work by allowing access to all the API paths, but would like to start pulling out the ones Traefik doesn't need.

Where can I find a list of APIs that Traefik requires access to? Someone must have done this before, I'd guess.

traefik.yml

version: '3.7'

services:
  reverse-proxy:
    image: traefik:v2.4
    command:
    - --api.insecure=true
    - --providers.docker
    - --providers.docker.swarmMode=true
    - --accesslog=true
    - --log.level=DEBUG
    - --log.format=json
    - --providers.docker.exposedbydefault=false
    - --providers.docker.endpoint=tcp://socket-proxy:2375
    - --entryPoints.web.address=:80
    - --entrypoints.websecure.address=:443
    - --certificatesresolvers.acmeresolver.acme.email=nobody@domain.tld
    - --certificatesresolvers.acmeresolver.acme.httpchallenge.entrypoint=web
    - --certificatesresolvers.acmeresolver.acme.storage=/etc/traefik/acme/acme.json
    - --certificatesresolvers.acmeresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    ports:
    - protocol: tcp
      published: 443
      target: 443
    - protocol: tcp
      published: 80
      target: 80
    - mode: host
      published: 8080
      target: 8080
    volumes:
      - traefik:/etc/traefik/acme
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 15s
        order: start-first
      labels:
        traefik.enable: "True"
        traefik.docker.network: proxy
        traefik.http.services.traefik.loadbalancer.server.port: 8080
        traefik.http.routers.traefik.rule: Host(`traefik`)
        traefik.http.routers.traefik.entryPoints: websecure
        traefik.http.routers.traefik.tls: "true"
        traefik.http.routers.traefik.middlewares: errorpages@docker
      placement:
        constraints:
          - node.role == manager
    networks:
      - proxy

volumes:
  traefik:
    driver: local
    driver_opts:
      device: :/srv/nfs-volumes/traefik
      o: addr=10.13.2.1,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14
      type: nfs4

networks:
  proxy:
    external: yes

docker-socket-proxy

This is where I've granted access to all the paths.

version: '3.6'

services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    # ignored by `docker stack deploy` (swarm uses deploy.restart_policy instead)
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      BUILD: 1
      COMMIT: 1
      CONFIGS: 1
      CONTAINERS: 1
      DISTRIBUTION: 1
      EXEC: 1
      IMAGES: 1
      INFO: 1
      NETWORKS: 1
      NODES: 1
      PLUGINS: 1
      SERVICES: 1
      SESSION: 1
      SWARM: 1
      SYSTEM: 1
      TASKS: 1
      VOLUMES: 1
    networks:
      - proxy
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]

networks:
  proxy:
    external: true
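One way to work the answer out for yourself, as an added example rather than code from the original post, from Traefik or from the docker-socket-proxy project: model the proxy's allow-list (each API section is gated by one environment variable, matched as a path-prefix regex, with POST refused unless POST=1 and only EVENTS, PING and VERSION on by default) and the requests the Traefik v2 Docker provider actually makes (version, then services/networks/tasks in swarm mode, or containers/events standalone). Both lists are written from my reading of the two projects' sources and are assumptions to verify against the versions you deploy; the container/service IDs and filter strings are constructed samples.

```python
import re

# Allow-list model of tecnativa/docker-socket-proxy (assumption: my reading of its
# haproxy.cfg). The rule for each section is the prefix regex ^(/v[\d.]+)?/<section>
# on the request path, so CONTAINERS covers /containers/json and /containers/<id>/json.
API_SECTIONS = {
    "AUTH": "auth", "BUILD": "build", "COMMIT": "commit", "CONFIGS": "configs",
    "CONTAINERS": "containers", "DISTRIBUTION": "distribution", "EVENTS": "events",
    "EXEC": "exec", "GRPC": "grpc", "IMAGES": "images", "INFO": "info",
    "NETWORKS": "networks", "NODES": "nodes", "PING": "_ping", "PLUGINS": "plugins",
    "SECRETS": "secrets", "SERVICES": "services", "SESSION": "session", "SWARM": "swarm",
    "SYSTEM": "system", "TASKS": "tasks", "VERSION": "version", "VOLUMES": "volumes",
}
# Flags the image turns on out of the box; everything else, including POST, is 0.
DEFAULT_ENV = {"EVENTS": 1, "PING": 1, "VERSION": 1}

# Requests the Traefik v2 Docker provider issues (assumption: my reading of its source;
# it pins API version 1.24). IDs and filter values below are constructed samples.
TRAEFIK_REQUESTS = {
    "swarm": [
        ("GET", "/v1.24/version"),
        ("GET", "/v1.24/services"),
        ("GET", "/v1.24/networks?filters=%7B%22scope%22%3A%5B%22swarm%22%5D%7D"),
        ("GET", "/v1.24/tasks?filters=%7B%22service%22%3A%5B%22abc123%22%5D%7D"),
    ],
    "standalone": [
        ("GET", "/v1.24/version"),
        ("GET", "/v1.24/containers/json"),
        ("GET", "/v1.24/containers/abc123/json"),
        ("GET", "/v1.24/events?filters=%7B%22type%22%3A%5B%22container%22%5D%7D"),
    ],
}

# The environment block from the post above: every section switched on.
POSTED_ENV = dict.fromkeys([
    "BUILD", "COMMIT", "CONFIGS", "CONTAINERS", "DISTRIBUTION", "EXEC", "IMAGES", "INFO",
    "NETWORKS", "NODES", "PLUGINS", "SERVICES", "SESSION", "SWARM", "SYSTEM", "TASKS",
    "VOLUMES",
], 1)


def _section_for(path):
    """Return the flag that guards this path, or None when no allow rule matches."""
    path = path.split("?", 1)[0]  # HAProxy's `path` sample excludes the query string
    for var, prefix in API_SECTIONS.items():
        if re.match(rf"^(/v[\d.]+)?/{re.escape(prefix)}", path):
            return var
    return None


def allowed(env, method, path):
    """True if the proxy would forward this request under the given environment."""
    effective = {**DEFAULT_ENV, **env}
    if method != "GET" and not effective.get("POST", 0):
        return False  # write calls are refused before any section rule is consulted
    var = _section_for(path)
    return var is not None and bool(effective.get(var, 0))


def blocked_requests(env, mode):
    """Requests Traefik makes in `mode` that this environment would answer with 403."""
    return [(m, p) for m, p in TRAEFIK_REQUESTS[mode] if not allowed(env, m, p)]


def minimal_env(mode):
    """Flags to set explicitly, beyond the image defaults, so every request passes."""
    used = {_section_for(p) for _, p in TRAEFIK_REQUESTS[mode]}
    return {v for v in used if v is not None and not DEFAULT_ENV.get(v)}


def surplus_flags(env, mode):
    """Flags set to 1 that the provider never exercises: candidates for removal."""
    used = {_section_for(p) for _, p in TRAEFIK_REQUESTS[mode]}
    return {v for v, on in env.items() if on and v != "POST" and v not in used}


def render_environment(mode):
    """Compose `environment:` block for the socket-proxy service, minimal for `mode`."""
    lines = ["environment:"] + [f"  {v}: 1" for v in sorted(minimal_env(mode))]
    return "\n".join(lines)


if __name__ == "__main__":
    print("swarm mode needs:", sorted(minimal_env("swarm")))
    print("can be dropped from the posted env:", sorted(surplus_flags(POSTED_ENV, "swarm")))
    print(render_environment("swarm"))
    # Even with EXEC=1 and CONTAINERS=1, starting an exec session is a POST, so it is
    # refused unless POST=1 is also set.
    print("exec via POST allowed:", allowed(POSTED_ENV, "POST", "/v1.24/containers/abc123/exec"))
```

After narrowing the proxy's environment, the practical check is the one your Traefik config already enables: run with `--log.level=DEBUG` and watch the Docker provider's log for 403 responses from `socket-proxy:2375`, which is what HAProxy returns for a path that no allow rule covers.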

Hi @paulb

Doesn't look like it needs a lot from this issue comment

Edit:
An HAProxy comment later on:
