├── Dockerfile ├── LICENSE.txt ├── README.md ├── haproxy.cfg └── hooks └── build /Dockerfile: -------------------------------------------------------------------------------- 1 | ARG REPO=library 2 | FROM ${REPO}/haproxy:lts-alpine 3 | 4 | EXPOSE 2375 5 | ENV ALLOW_RESTARTS=0 \ 6 | AUTH=0 \ 7 | BUILD=0 \ 8 | COMMIT=0 \ 9 | CONFIGS=0 \ 10 | CONTAINERS=0 \ 11 | DISTRIBUTION=0 \ 12 | EVENTS=1 \ 13 | EXEC=0 \ 14 | IMAGES=0 \ 15 | INFO=0 \ 16 | LOG_LEVEL=info \ 17 | NETWORKS=0 \ 18 | NODES=0 \ 19 | PING=1 \ 20 | PLUGINS=0 \ 21 | POST=0 \ 22 | DELETE=0 \ 23 | SECRETS=0 \ 24 | SERVICES=0 \ 25 | SESSION=0 \ 26 | SWARM=0 \ 27 | SYSTEM=0 \ 28 | TASKS=0 \ 29 | VERSION=1 \ 30 | VOLUMES=0 \ 31 | CONTAINERS_CREATE=0 \ 32 | CONTAINERS_PRUNE=0 \ 33 | CONTAINERS_RESIZE=0 \ 34 | CONTAINERS_START=0 \ 35 | CONTAINERS_UPDATE=0 \ 36 | CONTAINERS_RENAME=0 \ 37 | CONTAINERS_PAUSE=0 \ 38 | CONTAINERS_UNPAUSE=0 \ 39 | CONTAINERS_ATTACH=0 \ 40 | CONTAINERS_WAIT=0 \ 41 | CONTAINERS_EXEC=0 \ 42 | VOLUMES_CREATE=0 \ 43 | VOLUMES_PRUNE=0 \ 44 | NETWORKS_CREATE=0 \ 45 | NETWORKS_PRUNE=0 \ 46 | NETWORKS_CONNECT=0 \ 47 | NETWORKS_DISCONNECT=0 \ 48 | NETWORKS_DELETE=0 \ 49 | CONTAINERS_DELETE=0 \ 50 | IMAGES_DELETE=0 \ 51 | VOLUMES_DELETE=0 52 | 53 | COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg 54 | 55 | # Metadata 56 | ARG VCS_REF 57 | ARG BUILD_DATE 58 | LABEL org.label-schema.schema-version="1.0" \ 59 | org.label-schema.vendor=Tecnativa \ 60 | org.label-schema.license=Apache-2.0 \ 61 | org.label-schema.build-date="$BUILD_DATE" \ 62 | org.label-schema.vcs-ref="$VCS_REF" \ 63 | org.label-schema.vcs-url="https://github.com/Tecnativa/docker-socket-proxy" 64 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Docker Socket Proxy 2 | 3 | [![](https://images.microbadger.com/badges/version/tecnativa/docker-socket-proxy:latest.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy:latest "Get your own version badge on microbadger.com") 4 | [![](https://images.microbadger.com/badges/image/tecnativa/docker-socket-proxy:latest.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy:latest "Get your own image badge on microbadger.com") 5 | [![](https://images.microbadger.com/badges/commit/tecnativa/docker-socket-proxy:latest.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy:latest "Get your own commit badge on microbadger.com") 6 | [![](https://images.microbadger.com/badges/license/tecnativa/docker-socket-proxy.svg)](https://microbadger.com/images/tecnativa/docker-socket-proxy "Get your own license badge on microbadger.com") 7 | 8 | ## What? 9 | 10 | This is a security-enhanced proxy for the Docker Socket. 11 | 12 | ## Why? 13 | 14 | Giving access to your Docker socket could mean giving root access to your host, 15 | or even to your whole swarm, but some services require hooking into that socket 16 | to react to events, etc. Using this proxy lets you block anything you consider 17 | those services should not do. 18 | 19 | ## How? 20 | 21 | We use the official [Alpine][]-based [HAProxy][] image with a small 22 | configuration file. 23 | 24 | It blocks access to the Docker socket API according to the environment 25 | variables you set. It returns a `HTTP 403 Forbidden` status for those dangerous 26 | requests that should never happen. 27 | 28 | ## Security recommendations 29 | 30 | - Never expose this container's port to a public network. Only to a Docker 31 | networks where only reside the proxy itself and the service that uses it. 32 | - Revoke access to any API section that you consider your service should not 33 | need. 34 | - This image does not include TLS support, just plain HTTP proxy to the host 35 | Docker Unix socket (which is not TLS protected even if you configured your 36 | host for TLS protection). This is by design because you are supposed to 37 | restrict access to it through Docker's built-in firewall. 38 | - [Read the docs](#suppported-api-versions) for the API version you are using, 39 | and **know what you are doing**. 40 | 41 | ## Usage 42 | 43 | 1. Run the API proxy (`--privileged` flag is required here because it connects with the docker socket, which is a privileged connection in some SELinux/AppArmor contexts and would get locked otherwise): 44 | 45 | $ docker container run \ 46 | -d --privileged \ 47 | --name dockerproxy \ 48 | -v /var/run/docker.sock:/var/run/docker.sock \ 49 | -p 127.0.0.1:2375:2375 \ 50 | tecnativa/docker-socket-proxy 51 | 52 | 2. Connect your local docker client to that socket: 53 | 54 | $ export DOCKER_HOST=tcp://localhost 55 | 56 | 3. You can see the docker version: 57 | 58 | $ docker version 59 | Client: 60 | Version: 17.03.1-ce 61 | API version: 1.27 62 | Go version: go1.7.5 63 | Git commit: c6d412e 64 | Built: Mon Mar 27 17:14:43 2017 65 | OS/Arch: linux/amd64 66 | 67 | Server: 68 | Version: 17.03.1-ce 69 | API version: 1.27 (minimum version 1.12) 70 | Go version: go1.7.5 71 | Git commit: c6d412e 72 | Built: Mon Mar 27 17:14:43 2017 73 | OS/Arch: linux/amd64 74 | Experimental: false 75 | 76 | 4. You cannot see running containers: 77 | 78 | $ docker container ls 79 | Error response from daemon:

403 Forbidden

80 | Request forbidden by administrative rules. 81 | 82 | 83 | The same will happen to any containers that use this proxy's `2375` port to 84 | access the Docker socket API. 85 | 86 | ## Grant or revoke access to certain API sections 87 | 88 | You grant and revoke access to certain features of the Docker API through 89 | environment variables. 90 | 91 | Normally the variables match the URL prefix (i.e. `AUTH` blocks access to 92 | `/auth/*` parts of the API, etc.). 93 | 94 | Possible values for these variables: 95 | 96 | - `0` to **revoke** access. 97 | - `1` to **grant** access. 98 | 99 | ### Access granted by default 100 | 101 | These API sections are mostly harmless and almost required for any service that 102 | uses the API, so they are granted by default. 103 | 104 | - `EVENTS` 105 | - `PING` 106 | - `VERSION` 107 | 108 | ### Access revoked by default 109 | 110 | #### Security-critical 111 | 112 | These API sections are considered security-critical, and thus access is revoked 113 | by default. Maximum caution when enabling these. 114 | 115 | - `AUTH` 116 | - `SECRETS` 117 | - `POST`: When disabled, only `GET` and `HEAD` operations are allowed, meaning 118 | any section of the API is read-only. Note that this is a global 119 | - `DELETE`: Enables or disables all `DELETE` operations 120 | 121 | #### Not always needed 122 | 123 | You will possibly need to grant access to some of these API sections, which 124 | can expose some information that your service does not need. 125 | 126 | | GET | POST | DELETE | 127 | |:---------------|:----------------------|:--------------------| 128 | | `BUILD` | `ALLOW_RESTARTS` | `NETWORKS_DELETE` | 129 | | `COMMIT` | `CONTAINERS_PRUNE` | `CONTAINERS_DELETE` | 130 | | `CONFIGS` | `CONTAINERS_CREATE` | `IMAGES_DELETE` | 131 | | `CONTAINERS` | `CONTAINERS_RESIZE` | `VOLUMES_DELETE` | 132 | | `DISTRIBUTION` | `CONTAINERS_START` | | 133 | | `EXEC` | `CONTAINERS_UPDATE` | | 134 | | `IMAGES` | `CONTAINERS_RENAME` | | 135 | | `INFO` | `CONTAINERS_PAUSE` | | 136 | | `NETWORKS` | `CONTAINERS_UNPAUSE` | | 137 | | `NODES` | `CONTAINERS_ATTACH` | | 138 | | `PLUGINS` | `CONTAINERS_WAIT` | | 139 | | `SERVICES` | `CONTAINERS_EXEC` | | 140 | | `SESSION` | `VOLUMES_CREATE` | | 141 | | `SWARM` | `VOLUMES_PRUNE` | | 142 | | `SYSTEM` | `NETWORKS_CREATE` | | 143 | | `TASKS` | `NETWORKS_PRUNE` | | 144 | | `VOLUMES` | `NETWORKS_CONNECT` | | 145 | | | `NETWORKS_DISCONNECT` | | 146 | | | `IMAGES_CREATE` | | 147 | | | `IMAGES_PRUNE` | | 148 | 149 | `ALLOW_RESTARTS` allows to `kill`, `stop` and `restart` containers 150 | 151 | ## Logging 152 | 153 | You can set the logging level or severity level of the messages to be logged with the 154 | environment variable `LOG_LEVEL`. Defaul value is info. Possible values are: debug, 155 | info, notice, warning, err, crit, alert and emerg. 156 | 157 | ## Supported API versions 158 | 159 | - [1.27](https://docs.docker.com/engine/api/v1.27/) 160 | - [1.28](https://docs.docker.com/engine/api/v1.28/) 161 | - [1.29](https://docs.docker.com/engine/api/v1.29/) 162 | - [1.30](https://docs.docker.com/engine/api/v1.30/) 163 | - [1.37](https://docs.docker.com/engine/api/v1.37/) 164 | 165 | ## Feedback 166 | 167 | Please send any feedback (issues, questions) to the [issue tracker][]. 168 | 169 | [Alpine]: https://alpinelinux.org/ 170 | [HAProxy]: http://www.haproxy.org/ 171 | [issue tracker]: https://github.com/Tecnativa/docker-socket-proxy/issues 172 | -------------------------------------------------------------------------------- /haproxy.cfg: -------------------------------------------------------------------------------- 1 | global 2 | log stdout format raw daemon "${LOG_LEVEL}" 3 | 4 | pidfile /run/haproxy.pid 5 | maxconn 4000 6 | 7 | # Turn on stats unix socket 8 | server-state-file /var/lib/haproxy/server-state 9 | 10 | defaults 11 | mode http 12 | log global 13 | option httplog 14 | option dontlognull 15 | option http-server-close 16 | option redispatch 17 | retries 3 18 | timeout http-request 10s 19 | timeout queue 1m 20 | timeout connect 10s 21 | timeout client 10m 22 | timeout server 10m 23 | timeout http-keep-alive 10s 24 | timeout check 10s 25 | maxconn 3000 26 | 27 | # Allow seamless reloads 28 | load-server-state-from-file global 29 | 30 | # Use provided example error pages 31 | errorfile 400 /usr/local/etc/haproxy/errors/400.http 32 | errorfile 403 /usr/local/etc/haproxy/errors/403.http 33 | errorfile 408 /usr/local/etc/haproxy/errors/408.http 34 | errorfile 500 /usr/local/etc/haproxy/errors/500.http 35 | errorfile 502 /usr/local/etc/haproxy/errors/502.http 36 | errorfile 503 /usr/local/etc/haproxy/errors/503.http 37 | errorfile 504 /usr/local/etc/haproxy/errors/504.http 38 | 39 | backend dockerbackend 40 | server dockersocket /var/run/docker.sock 41 | 42 | frontend dockerfrontend 43 | bind :2375 44 | http-request deny unless METH_GET || METH_POST { env(POST) -m bool } || METH_DELETE { env(DELETE) -m bool } 45 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool } 46 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool } 47 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool } 48 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool } 49 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool } 50 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool } 51 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool } 52 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool } 53 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool } 54 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool } 55 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool } 56 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool } 57 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool } 58 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool } 59 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/post } { env(POST) -m bool } 60 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool } 61 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool } 62 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool } 63 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool } 64 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool } 65 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool } 66 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool } 67 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool } 68 | # POST requests 69 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } { env(CONTAINERS_CREATE) -m bool } 70 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/prune } { env(CONTAINERS_PRUNE) -m bool } 71 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool } 72 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/resize } { env(CONTAINERS_RESIZE) -m bool } 73 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(CONTAINERS_START) -m bool } 74 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/update } { env(CONTAINERS_UPDATE) -m bool } 75 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/rename } { env(CONTAINERS_RENAME) -m bool } 76 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/pause } { env(CONTAINERS_PAUSE) -m bool } 77 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/unpause } { env(CONTAINERS_UNPAUSE) -m bool } 78 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/attach } { env(CONTAINERS_ATTACH) -m bool } 79 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/wait } { env(CONTAINERS_WAIT) -m bool } 80 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/exec } { env(CONTAINERS_EXEC) -m bool } 81 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } { env(VOLUMES_CREATE) -m bool } 82 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/prune } { env(VOLUMES_PRUNE) -m bool } 83 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks/create } { env(NETWORKS_CREATE) -m bool } 84 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks/prune } { env(NETWORKS_PRUNE) -m bool } 85 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } { env(IMAGES_CREATE) -m bool } 86 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/prune } { env(IMAGES_PRUNE) -m bool } 87 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks/[a-zA-Z0-9_.-]+/connect } { env(NETWORKS_CONNECT) -m bool } 88 | http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks/[a-zA-Z0-9_.-]+/disconnect } { env(NETWORKS_DISCONNECT) -m bool } 89 | 90 | # DELETE requests 91 | http-request allow if METH_DELETE { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks/[a-zA-Z0-9_.-]+ } { env(NETWORKS_DELETE) -m bool } 92 | http-request allow if METH_DELETE { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+ } { env(CONTAINERS_DELETE) -m bool } 93 | http-request allow if METH_DELETE { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/[a-zA-Z0-9_.-]+ } { env(IMAGES_DELETE) -m bool } 94 | http-request allow if METH_DELETE { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/[a-zA-Z0-9_.-]+ } { env(VOLUMES_DELETE) -m bool } 95 | 96 | http-request deny 97 | default_backend dockerbackend 98 | -------------------------------------------------------------------------------- /hooks/build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | 4 | # Extract arch repo from a docker tag suffix 5 | REPO="" 6 | case "$DOCKER_TAG" in 7 | *amd64) 8 | REPO="library" 9 | ;; 10 | *arm32v5) 11 | REPO="arm32v5" 12 | ;; 13 | *arm32v6) 14 | REPO="arm32v6" 15 | ;; 16 | *arm32v7) 17 | REPO="arm32v7" 18 | ;; 19 | *arm64v8) 20 | REPO="arm64v8" 21 | ;; 22 | *i386) 23 | REPO="i386" 24 | ;; 25 | *ppc64le) 26 | REPO="ppc64le" 27 | ;; 28 | *s390x) 29 | REPO="s390x" 30 | ;; 31 | *) 32 | REPO="library" 33 | ;; 34 | esac 35 | 36 | docker build \ 37 | --build-arg REPO="$REPO" \ 38 | --build-arg VCS_REF="$GIT_SHA1" \ 39 | --build-arg BUILD_DATE="$(date --rfc-3339 ns)" \ 40 | --tag "$IMAGE_NAME" . 41 | --------------------------------------------------------------------------------