Traefik+docker socket proxy / doesn't seem to work

Take a look at "Usage" #2
connect your local docker client to that socket

try to execute some docker commands on the docker client

You'll see, it won't work

time=2024-04-06T12:54:26.132Z level=WARN msg="blocked request" reason="forbidden IP" method=GET URL=/v1.24/version client=172.25.0.3:57984 response=403

This is the log from your proxy. The problem is I do not have any 172.25.0.3 .... There should be one, I can ping it, but I haven't found it yet. I found it: it is the traefik container. It is strange because I have used the -allowfrom command

dockerproxy:
    image: wollomatic/socket-proxy:1.1.3
    container_name: dockerproxy
    command:
      - '-loglevel=debug'
      - '-allowfrom=traefik'
      - '-listenip=0.0.0.0'
      - '-allowGET=/v1\..{2}/(containers/.*|events)'
      - '-allowHEAD=/_ping'
      - '-watchdoginterval=3600'
      - '-stoponwatchdog'
      - '-shutdowngracetime=10'
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:995 # change gid from 998 to the gid of the docker group on your host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket

I have done this instead: DOCKER_OPTS="-H unix:///var/run/docker.sock

So it seems the connection from socket-proxy to the docker socket works.

-allowfrom=traefik seems to be correct, but socket-proxy can not resolve the correct IP from your traefik container. Is Traefik's container name still traefik?

You could change allowfrom to -allowfrom=0.0.0.0/0, if the socket-proxy network is not exposed to everywhere else. Most other socket proxies allow this by default.

(That's the "problem" with secure-by-default configurations, it's more secure but harder to deploy)

Even if I change the -allowfrom same problem.
But I saw in my Portainer a docker network created by the compose file traefik_socket (172.25.0.0/16) ... In this network there are two dockers: traefik (172.25.0.3 and 192.168.xxx.xxx) and dockerproxy (172.25.0.2).
Yes the name of the docker is traefik.

The first few lines of the log should look similar to this. If the "configuration info" looks different, there could be an issue with the configuration:

dockerproxy-1  | time=2024-04-06T14:02:03.154Z level=INFO msg="starting socket-proxy" version=1.1.3 os=linux arch=amd64 runtime=go1.22.2 URL=github.com/wollomatic/socket-proxy
dockerproxy-1  | time=2024-04-06T14:02:03.154Z level=INFO msg="configuration info" socketpath=/var/run/docker.sock listenaddress=0.0.0.0:2375 loglevel=DEBUG logjson=false allowfrom=0.0.0.0/0 shutdowngracetime=5
dockerproxy-1  | time=2024-04-06T14:02:03.154Z level=INFO msg="watchdog enabled" interval=3600 stoponwatchdog=true
dockerproxy-1  | time=2024-04-06T14:02:03.154Z level=INFO msg="configured allowed request" method=GET regex=^/v1\..{1,2}/(version|containers/.*|events.*)$
dockerproxy-1  | time=2024-04-06T14:02:03.154Z level=DEBUG msg="checking socket availability" origin=checkSocketAvailability
time=2024-04-06T14:19:56.365Z level=INFO msg="starting socket-proxy" version=1.1.3 os=linux arch=amd64 runtime=go1.22.2 URL=github.com/wollomatic/socket-proxy
time=2024-04-06T14:19:56.365Z level=INFO msg="configuration info" socketpath=/var/run/docker.sock listenaddress=0.0.0.0:2375 loglevel=DEBUG logjson=false allowfrom=0.0.0.0/0 shutdowngracetime=10
time=2024-04-06T14:19:56.365Z level=INFO msg="watchdog enabled" interval=3600 stoponwatchdog=true
time=2024-04-06T14:19:56.365Z level=INFO msg="configured allowed request" method=HEAD regex=^/_ping$
time=2024-04-06T14:19:56.365Z level=INFO msg="configured allowed request" method=GET regex=^/v1\..{2}/(containers/.*|events)$
time=2024-04-06T14:19:56.365Z level=DEBUG msg="checking socket availability" origin=checkSocketAvailability
time=2024-04-06T14:20:03.234Z level=WARN msg="blocked request" reason="path not allowed" method=GET URL=/v1.24/version client=172.25.0.3:44844 response=403

Thanks for the reply.

Now I see - there is an issue in the allowGET regexp. For Traefik, it has to be - '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'.

allowHEAD is not needed for Traefik, you can remove the complete line.

(Did you get those two lines from the example for Dozzle?)
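Added example (not socket-proxy's own code): a small Go checker that wraps each per-method pattern in ^...$ the way the proxy's "configured allowed request" log lines show, and runs the compose file's original allowGET and the corrected one against the paths Traefik requested in the log. It assumes the proxy matches the full request path including any query string; the events path with a query string is a constructed sample.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowRule is one per-method allow pattern, anchored with ^...$ as the proxy's
// "configured allowed request" log lines show (assumed behaviour; not the proxy's code).
type allowRule struct {
	method string
	re     *regexp.Regexp
}

// buildRules compiles one anchored rule per HTTP method.
func buildRules(patterns map[string]string) ([]allowRule, error) {
	var rules []allowRule
	for method, pat := range patterns {
		re, err := regexp.Compile("^" + pat + "$")
		if err != nil {
			return nil, fmt.Errorf("method %s: %w", method, err)
		}
		rules = append(rules, allowRule{method: method, re: re})
	}
	return rules, nil
}

// allowed reports whether method+path matches any rule; anything else is a 403.
func allowed(rules []allowRule, method, path string) bool {
	for _, r := range rules {
		if r.method == method && r.re.MatchString(path) {
			return true
		}
	}
	return false
}

// originalCfg is the allow-list from the compose file in the thread; fixedCfg is
// the maintainer's corrected allowGET with the HEAD /_ping rule dropped, as advised.
var originalCfg = map[string]string{
	"GET":  `/v1\..{2}/(containers/.*|events)`,
	"HEAD": `/_ping`,
}
var fixedCfg = map[string]string{"GET": `/v1\..{1,2}/(version|containers/.*|events.*)`}

func main() {
	rules, _ := buildRules(fixedCfg)
	// Paths from the thread's log, plus a constructed events call carrying a query string.
	for _, p := range []string{"/v1.24/version", "/v1.24/containers/json", "/v1.24/events?since=0"} {
		fmt.Printf("GET %-24s allowed=%v\n", p, allowed(rules, "GET", p))
	}
}
```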

time=2024-04-06T15:52:26.784Z level=DEBUG msg="allowed request" method=GET URL=/v1.24/version client=172.25.0.3:57508
time=2024-04-06T15:52:26.800Z level=DEBUG msg="allowed request" method=GET URL=/v1.24/containers/json client=172.25.0.3:57508
time=2024-04-06T15:52:26.813Z level=DEBUG msg="allowed request" method=GET URL=/v1.24/containers/02f0790f05f8004aba0ceac3eb153561ca8e696f22f5df149327776bf91a7085/json client=172.25.0.3:57508
time=2024-04-06T15:52:26.818Z level=DEBUG msg="allowed request" method=GET URL=/v1.24/containers/f2a0885e58e937e5da57ed11ef0081f36bb7eeb44ea1de6ddd50a74897c5106a/json client=172.25.0.3:57508
time=2024-04-06T15:52:26.820Z level=DEBUG msg="allowed request" method=GET URL=/v1.24/containers/bfd1c32ae5c1e427987912d913ddac41949914100d058c40f7aa217b91590a77/json client=172.25.0.3:57508
time=2024-04-06T15:52:26.822Z level=DEBUG msg="allowed request" method=GET URL=/v1.24/containers/5ff094736c5d48df1bfe6b43bdad3bb81ed78fe69fa7c2ca5b7e257ba419f4c0/json client=172.25.0.3:5750

Seems to be working now ....
Are you available tomorrow? I will have another stupid question for you :slight_smile:


I can not guarantee to answer immediately, but I'll be there. Have a nice day, and thanks for the feedback!

Hello,
I have checked this morning, the socketproxy is still working .... So it is time for my stupid question ....
I have installed your socket proxy in the traefik compose file. But how do I use this socket proxy with my other dockers? How do I integrate it?
Thx

Hi, that's great news :slight_smile:

Which other services do you use that need a connection to the docker socket? I would recommend using separate instances of socket-proxy for every application. That's because every application needs different rights on the Docker socket. For example, Traefik or Dozzle need read-only access, while Watchtower must also send commands to the Docker socket. So if (hypothetically) the Traefik container were compromised, the attacker could do more damage than with read-only access.

Before we get off-topic here, there was a related question in the socket-proxy Github discussions: Allow access from multiple services? · wollomatic/socket-proxy · Discussion #5 · GitHub

Ok.
Thx all for your help.
Moving to Github.
See you there :slight_smile:

