Next Steps #81
Replies: 7 comments 3 replies
-
|
Hi @amanda-wee, Thank you for taking the time to share such thoughtful suggestions, and my apologies for the delayed response.
Thanks again for your input. I really appreciate it! Best regards, |
Beta Was this translation helpful? Give feedback.
-
|
Regarding presets, I've done some env variables (as I'm migrating over), which make it somewhat easier to configure - so something like SP__PREFIX="(/v[\d\.]+)?" # allow any api version
SP_EVENTS="$SP__PREFIX/events.*" # mostly harmless
SP_PING="$SP__PREFIX/_ping" # mostly harmless
SP_VERSION="$SP__PREFIX/version" # mostly harmless
SP_AUTH="$SP__PREFIX/auth" # security critical
SP_SECRETS="$SP__PREFIX/secrets" # security critical
SP_ALLOW_PAUSE="$SP__PREFIX/containers/[a-zA-Z0-9_.-]+/pause"
SP_ALLOW_RESTARTS="$SP__PREFIX/containers/[a-zA-Z0-9_.-]+/(stop|restart|kill)" # migrating wants the same behaviour
SP_ALLOW_START="$SP__PREFIX/containers/[a-zA-Z0-9_.-]+/start"
SP_ALLOW_STOP="$SP__PREFIX/containers/[a-zA-Z0-9_.-]+/stop"
SP_ALLOW_UNPAUSE="$SP__PREFIX/containers/[a-zA-Z0-9_.-]+/unpause"
SP_BUILD="$SP__PREFIX/build"
SP_COMMIT="$SP__PREFIX/commit"
SP_CONFIGS="$SP__PREFIX/configs"
SP_CONTAINERS="$SP__PREFIX/containers"
SP_DISTRIBUTION="$SP__PREFIX/distribution"
SP_EXEC="$SP__PREFIX/exec"
SP_GRPC="$SP__PREFIX/grpc"
SP_IMAGES="$SP__PREFIX/images"
SP_INFO="$SP__PREFIX/info"
SP_NETWORKS="$SP__PREFIX/networks"
SP_NODES="$SP__PREFIX/nodes"
SP_PLUGINS="$SP__PREFIX/plugins"
SP_SERVICES="$SP__PREFIX/services"
SP_SESSION="$SP__PREFIX/session"
SP_SWARM="$SP__PREFIX/swarm"
SP_SYSTEM="$SP__PREFIX/system"
SP_TASKS="$SP__PREFIX/tasks"
SP_VOLUMES="$SP__PREFIX/volumes" |
Beta Was this translation helpful? Give feedback.
-
|
https://socket-proxy-configurator.wollomatic.dev/ So it has come to this :) |
Beta Was this translation helpful? Give feedback.
-
|
That looks good, and I think it means presets would not be that useful now. I note that of the three example endpoints, only ping actually supports both GET and HEAD, whereas the other two only support GET. Perhaps it would be better to adjust the output to account for that? |
Beta Was this translation helpful? Give feedback.
-
|
@wollomatic That feels like a nice start - but there's a lot of fluff and duplicated examples for them - the default one can be cleaned up quite a bit using the regex I pasted above - Of note - the edit: Removed unnecessary anchors! |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @Rycochet and @amanda-wee for the feedback. I’ve just deployed a slightly improved version. A hard browser reload may be needed. |
Beta Was this translation helpful? Give feedback.
-
|
This may be off topic for this discussion specifically, but I was wondering if you could implement a change to Line 27 in Config.go: socket-proxy/internal/config/config.go Line 27 in 08dca43 As it stands currently, there is only a single allowed label prefix: "socket-proxy.allow". The change would be setting the prefix to be something like "{hostname}.allow" where "hostname" is a variable that reads in os.Hostname(). So you could have two socket-proxy containers: traefik-socket-proxy and gameserver-socket-proxy. Then you'd apply labels "traefik-sock-proxy.allow*" to the containers that you want Traefik to control and "gameserver-socket-proxy.allow*" labels to gameservers that an uptime instance monitors. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I am happy to see that what began as a proof-of-concept for an interesting idea (container labels to specify per-container allowlists) has been released as something usable that addresses what does appear to be a pain point for some folks. I'm still game to improve socket-proxy in other areas, though I'm also aware that @wollomatic stated his "idea is to keep socket-proxy simple and stupid". My current thoughts on what could be implemented next:
Automated tests for per-container allowlists. I tested the feature manually, but at the very least we might be able to reintroduce tests of the parts of the Docker SDK for Go that was used.
Implement concurrent yet optional IPv4, IPv6, and Unix socket listeners. This was discussed in issue [Bug]
defaultAllowFromshould also include::1#66 as it would fix the problem that was raised by OdinVex as a side effect.Implement a way for the per-container allowlists feature to work with a proxy that enables containers on external hosts to have restricted access the Docker socket. While the Dozzle creator who raised issue Support for TLS #14 already has a solution for Dozzle that is better in its own Dozzle-specific way, vnghia proposed a more general workaround involving a reverse proxy configured for mTLS. The trouble as I understand it is that N external host containers would require N socket-proxy containers each with their own reverse proxy. I believe the per-container allowlists feature would simplify it to having 1 socket-proxy container with N reverse proxy containers, but ideally socket-proxy could support 1 socket-proxy container with 1 reverse proxy container.
Figure out how to get socket-proxy to support Docker Swarm. I don't use Swarm myself though, so this is not particularly appealing to me as I won't be eating my own dog food. Nonetheless, there does appear to be some demand for this.
Implement allowlist presets. The idea is that having to detail a bunch of regex patterns can be intimidating for a new user, so having a minimal preset, a readonly preset, etc., could ease adoption. An argument against this is that careless users could end up with an overly permissive configuration, but that's true even now if new users try something like
'-allowGET=.*'and then neglect to make it more secure.Any opinions and suggestions?
Beta Was this translation helpful? Give feedback.
All reactions