Don't expose the Docker socket directly to an internet-accessible container #105

New issue

Open

opened 2022-11-10 17:19:04 +00:00 by samsapti · 4 comments

samsapti commented

2022-11-10 17:19:04 +00:00

Owner

Consider using docker-socket-proxy[1] for exposing the Docker socket to nginx-proxy, so that we can restrict what it has access to.

1: https://github.com/Tecnativa/docker-socket-proxy

Consider using docker-socket-proxy[1] for exposing the Docker socket to nginx-proxy, so that we can restrict what it has access to. 1: https://github.com/Tecnativa/docker-socket-proxy

samsapti commented

2022-11-10 17:44:52 +00:00

Author

Owner

From what I can see, the only access we would need for nginx-proxy to work properly would be CONTAINERS=1. Furthermore, we can allow only GET requests, so the socket will be read-only.

From what I can see, the only access we would need for nginx-proxy to work properly would be `CONTAINERS=1`. Furthermore, we can allow only `GET` requests, so the socket will be read-only.

samsapti added the

Security Hardening

label 2022-11-12 15:12:25 +00:00

reynir commented

2022-11-13 11:10:36 +00:00

Owner

Hmm. I wonder why it re-exposes the socket as a tcp socket. Can't we use unix domain sockets for the proxy?

Ideally, we would be able to furhter restrict the environment variables nginx-proxy can read as the environment variables are used for secrets as well.

Hmm. I wonder why it re-exposes the socket as a tcp socket. Can't we use unix domain sockets for the proxy? Ideally, we would be able to furhter restrict the environment variables nginx-proxy can read as the environment variables are used for secrets as well.

samsapti commented

2022-11-13 13:19:21 +00:00

Author

Owner

Hmm. I wonder why it re-exposes the socket as a tcp socket. Can't we use unix domain sockets for the proxy?

I haven't looked into it yet, but I don't think so. @valberg suggested this approach as an alternative: https://github.com/nginx-proxy/nginx-proxy#separate-containers

Ideally, we would be able to furhter restrict the environment variables nginx-proxy can read as the environment variables are used for secrets as well.

I thought about that too, unfortunately I don't think it's possible.

> Hmm. I wonder why it re-exposes the socket as a tcp socket. Can't we use unix domain sockets for the proxy? I haven't looked into it yet, but I don't think so. @valberg suggested this approach as an alternative: https://github.com/nginx-proxy/nginx-proxy#separate-containers > Ideally, we would be able to furhter restrict the environment variables nginx-proxy can read as the environment variables are used for secrets as well. I thought about that too, unfortunately I don't think it's possible.

samsapti commented

2022-11-15 19:48:52 +00:00

Author

Owner

The other approach with docker-socket-proxy still exposes the environment variables of all containers to an internet-accessible container, and as you said, we have our secrets there.

@reynir actually now that I think about it, it might be better to use the approach suggested by @valberg. This way, even if a container has full access to the Docker socket, it will not be the container that's accessible over the internet. The other approach with docker-socket-proxy still exposes the environment variables of all containers to an internet-accessible container, and as you said, we have our secrets there.

samsapti changed title from ~~Use docker-socket-proxy for enhanced security~~ to Don't expose the Docker socket directly to an internet-accessible container

2022-11-15 19:49:59 +00:00