So you solved it already (post)
I just wanted to note that `ro` gives the impression of added security, but it does not do what it promises. `ro` works for files, but not for sockets. The socket is used to send GET and POST and receive responses, so it's working two ways.
The potential security issue here is that an attacker inside your Traefik container can use GET to see more than Traefik needs to and POST to do whatever: export data, kill containers and run crypto-miners.
If you want to secure that attack vector, you would need to place some kind of docker-socket-proxy in between.
Note that I am personally a bit skeptical of the usual Tecnativa solution. You want to increase security, and introduce an additional image from a kind of unknown source - an additional attack vector. Recently, the latest image was a three year old version, so I am not sure how well they control their build pipeline.
You can also create your own docker-socket-proxy, I trust nginx more:

```yaml
services:
  dockersock:
    image: nginx:alpine-slim
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    cap_drop:
      - ALL
    networks:
      - dockersock   # shared with the Traefik service; declared elsewhere in the stack
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    configs:
      - source: nginx
        target: /etc/nginx/nginx.conf
    expose:
      - 2375

configs:
  nginx:
    # "$$" is the Compose escape for a literal "$" inside interpolated content
    content: |
      user root;
      events { worker_connections 1024; }
      http {
        server {
          listen 2375;
          # only the API paths Traefik needs, and only read access
          location ~ ^/v1\.24/(events|containers|services|version|networks|tasks) {
            if ($$request_method != GET) { return 405; }
            proxy_pass http://unix:/var/run/docker.sock;
            proxy_set_header Host $$host;
            proxy_set_header X-Real-IP $$remote_addr;
            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $$scheme;
            proxy_read_timeout 3600s;
          }
          location / { return 405; }
        }
      }
```
But note that the inline config probably doesn't work like this in Swarm.
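To check the allow-list before deploying it, here is an added example (not from the original post) that models the decision the nginx config above makes, path regex plus GET-only, and runs it over constructed sample requests; it does not model nginx's URI normalisation, which happens before the location match.

```python
"""Offline model of the nginx socket-proxy allow-list (added example)."""
import re

# Same expression as the nginx "location ~" line: anchored at the start only,
# so the API version is pinned and everything outside the list falls through
# to "location / { return 405; }".
ALLOWED_PATH = re.compile(
    r"^/v1\.24/(events|containers|services|version|networks|tasks)"
)


def proxy_decision(method: str, uri: str) -> int:
    """Status the proxy itself produces: 200 means the request is passed on to
    the Docker socket (Docker then answers), 405 means nginx refuses it."""
    path = uri.split("?", 1)[0]          # nginx matches the path, not the query
    if not ALLOWED_PATH.search(path):
        return 405                       # location / { return 405; }
    if method.upper() != "GET":
        return 405                       # if ($request_method != GET) { return 405; }
    return 200


# Constructed sample requests (hypothetical, not captured traffic): what the
# Traefik provider needs versus what a compromised container would try.
SAMPLES = [
    ("GET",  "/v1.24/containers/json", 200),
    ("GET",  "/v1.24/events?since=0", 200),
    ("GET",  "/v1.24/version", 200),
    ("POST", "/v1.24/containers/create", 405),       # write access refused
    ("POST", "/v1.24/containers/abc/kill", 405),
    ("GET",  "/v1.24/images/json", 405),             # not on the allow-list
    ("GET",  "/v1.45/containers/json", 405),         # other API versions blocked
    ("GET",  "/containers/json", 405),               # unversioned path blocked
]


def check_samples(samples=SAMPLES):
    """Return the samples whose modelled decision differs from the expectation;
    an empty list means the policy behaves as intended for every sample."""
    return [(m, u, want, proxy_decision(m, u))
            for m, u, want in samples if proxy_decision(m, u) != want]


if __name__ == "__main__":
    print(check_samples() or "allow-list behaves as expected")
```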