Djeex/docudjeex
1
1
Fork 0
Code Issues Pull Requests Projects Wiki Activity

Socat Proxy

Browse Source
This commit is contained in:
Djeex
2025-10-05 17:08:56 +00:00
parent eaabf7db68
commit 104efa534c
2 changed files with 92 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
content/5.nonsense/2.bash/3.socat-proxy.md Normal file
View File

@@ -0,0 +1,88 @@
---
navigation: true
title: Socat Proxy
main:
fluid: false
---
:ellipsis{left=0px width=40rem top=10rem blur=140px}
# Socat Proxy
---
This project addresses a common use case:
- I have [Beszel](https://beszel.dev/), a monitoring container running in host mode, which requires access to the Docker socket to collect container statistics.
- To avoid exposing the Docker socket fully to Beszel, I use [Docker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy), a container that sits between the Docker socket and the consuming container. It filters requests by setting appropriate permissions, preventing full exposure of the Docker socket.
The problem arises when **Beszel** runs in host mode. In that case, it must connect directly to **Docker Socket Proxy** on a host port, meaning the proxys port is exposed. This allows any container or application on the host to access it and use the Docker socket.
This is where [Socat Proxy](https://git.djeex.fr/Djeex/socat-proxy) comes in. It is a container that:
- Creates a UNIX socket
- Listens on this socket
- Forwards requests to Docker Socket Proxy and back
- Replaces the real Docker socket by exposing the proxy socket in the target container via a bind mount (in this case, Beszel)
With this setup, Docker Socket Proxy communicates with Socat Proxy in their isolated bridge network, while the UNIX socket bind-mounted on the host has restricted permissions, preventing access from other containers or applications.
In short:
![](/img/nonsense/socat-proxy.svg)
For example, with Beszel, the configuration would look like this:
```yaml
services:
socat-proxy:
image: git.djeex.fr/djeex/socat-proxy:latest
container_name: socat-proxy-beszel
environment:
- TARGET_HOST=${TARGET_HOST}
- TARGET_PORT=${TARGET_PORT}
- UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
- HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
- UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
volumes:
- ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}
restart: unless-stopped
depends_on:
- ${TARGET_HOST}
socket-proxy:
image: lscr.io/linuxserver/socket-proxy:latest
container_name: ${TARGET_HOST}
security_opt:
- no-new-privileges:true
environment:
- CONTAINERS=1
- INFO=1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
read_only: true
tmpfs:
- /run
beszel-agent:
image: henrygd/beszel-agent:latest
container_name: beszel-agent
restart: unless-stopped
network_mode: host
security_opt:
- no-new-privileges:true
volumes:
- ${HOST_SOCKET_PATH}/${UNIX_SOCKET_NAME}:/var/run/docker.sock:ro
environment:
- #... your Beszel environment variables
depends_on:
- socat-proxy
```
More information is available on the repository:
::card
#title
🐋 **Socat Proxy**
#description
[A lightweight bind-mount socket proxy](https://git.djeex.fr/Djeex/socat-proxy)
::

4
public/img/nonsense/socat-proxy.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 436 KiB