Compare commits
4 Commits
51f771e0d7
...
167e80c583
| Author | SHA1 | Date | |
|---|---|---|---|
| 167e80c583 | |||
| f98e5f0333 | |||
| 4714570953 | |||
| 4b0a28ef21 |
121
README.MD
121
README.MD
@@ -2,15 +2,27 @@
|
||||
|
||||
A lightweight Docker container that creates a UNIX socket proxy to TCP connections using socat and Alpine Linux.
|
||||
|
||||
## 📑 Table of Contents
|
||||
|
||||
- [🚀 Features](#-features)
|
||||
- [📋 Use Case](#-use-case)
|
||||
- [🛠️ Configuration](#️-configuration)
|
||||
- [Environment Variables](#environment-variables)
|
||||
- [🚢 Quick Start](#-quick-start)
|
||||
- [Using Docker Compose (Recommended)](#using-docker-compose-recommended)
|
||||
- [Using Docker Run](#using-docker-run)
|
||||
- [🔧 How It Works](#-how-it-works)
|
||||
- [💡 Example: Secure Docker Socket Access for Host-Mode Containers](#-example-secure-docker-socket-access-for-host-mode-containers)
|
||||
|
||||
## 🚀 Features
|
||||
|
||||
- **Configurable**: Environment variable driven configuration
|
||||
- **Socket Management**: Automatic UNIX socket creation and cleanup
|
||||
- **Production Ready**: Includes proper error handling and logging
|
||||
|
||||
## 📋 Use Cases example
|
||||
## 📋 Use Case
|
||||
|
||||
- Proxy Docker socket from a docker proxy to a container in host mode
|
||||
- Proxy Docker socket from a docker proxy to a container in host mode without directly exposing socket to host
|
||||
|
||||
## 🛠️ Configuration
|
||||
|
||||
@@ -23,45 +35,58 @@ A lightweight Docker container that creates a UNIX socket proxy to TCP connectio
|
||||
| `UNIX_SOCKET_NAME` | - | Name of the socket file | `docker.sock` |
|
||||
| `UNIX_SOCKET_PATH` | - | Path to UNIX socket inside container | `/socket` |
|
||||
| `HOST_SOCKET_PATH` | - | Host path for socket mounting | `/docker/beszel-agent/sock` |
|
||||
| `DEBUG_LEVEL` | - | Level of logs verbose | `0`,`1`,`2`,`3` |
|
||||
|
||||
## 🚢 Quick Start
|
||||
|
||||
### Using Docker Compose (Recommended)
|
||||
|
||||
1. Clone the repository:
|
||||
1. Create a `.env` file with your configuration:
|
||||
```bash
|
||||
git clone https://git.djeex.fr/Djeex/socat-proxy
|
||||
cd socat-proxy
|
||||
# .env
|
||||
TARGET_HOST=socket-proxy-beszel
|
||||
TARGET_PORT=2375
|
||||
UNIX_SOCKET_NAME=docker.sock
|
||||
UNIX_SOCKET_PATH=/socket
|
||||
HOST_SOCKET_PATH=/docker/beszel-agent/sock
|
||||
DEBUG_LEVEL=0
|
||||
```
|
||||
|
||||
2. Configure environment variables in `.env` file:
|
||||
```bash
|
||||
TARGET_HOST= # Target hostname/IP to proxy to
|
||||
TARGET_PORT= # Target port to proxy to
|
||||
UNIX_SOCKET_NAME= # Name of the socket file
|
||||
UNIX_SOCKET_PATH= # Path to UNIX socket inside container
|
||||
HOST_SOCKET_PATH= # Host path for socket mounting
|
||||
2. Create a `compose.yml` file:
|
||||
```yaml
|
||||
services:
|
||||
socat-proxy:
|
||||
image: git.djeex.fr/djeex/socat-proxy:latest
|
||||
environment:
|
||||
- TARGET_HOST=${TARGET_HOST}
|
||||
- TARGET_PORT=${TARGET_PORT}
|
||||
- UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
|
||||
- UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
|
||||
- HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
|
||||
- DEBUG_LEVEL=${DEBUG_LEVEL}
|
||||
volumes:
|
||||
- ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}
|
||||
restart: unless-stopped
|
||||
```
|
||||
|
||||
3. Start the service:
|
||||
```bash
|
||||
docker-compose up -d
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
### Using Docker Run
|
||||
|
||||
```bash
|
||||
docker build -t socat-proxy .
|
||||
|
||||
docker run -d \
|
||||
--name socat-proxy \
|
||||
-e TARGET_HOST=your-target-host \
|
||||
-e TARGET_PORT=your-target-port \
|
||||
-e UNIX_SOCKET_NAME=your-socket-name \
|
||||
-e UNIX_SOCKET_PATH=your-unix-socket-path \
|
||||
-e HOST_SOCKET_PATH=your-socket-host-path \
|
||||
-v /your-origin-socket-path:/socket \
|
||||
socat-proxy
|
||||
-e TARGET_HOST=socket-proxy-beszel \
|
||||
-e TARGET_PORT=2375 \
|
||||
-e UNIX_SOCKET_NAME=docker.sock \
|
||||
-e UNIX_SOCKET_PATH=/socket \
|
||||
-e HOST_SOCKET_PATH=/docker/beszel-agent/sock \
|
||||
-e DEBUG_LEVEL=1 \
|
||||
-v /docker/beszel-agent/sock:/socket \
|
||||
git.djeex.fr/djeex/socat-proxy:latest
|
||||
```
|
||||
|
||||
## 🔧 How It Works
|
||||
@@ -70,3 +95,55 @@ docker run -d \
|
||||
2. **Cleanup**: Removes existing socket file/folder if present
|
||||
3. **Socket Creation**: Creates new UNIX socket using `nc -lU`
|
||||
4. **Proxy Start**: Starts socat to proxy UNIX socket to TCP endpoint
|
||||
|
||||
## 💡 Example: Secure Docker Socket Access for Host-Mode Containers
|
||||
|
||||
[Beszel](https://beszel.dev/) is a monitoring tool that requires `network_mode: host` to function properly. This creates a security challenge: Beszel needs access to the Docker socket, but it cannot reach a containerized docker-socket-proxy due to the network isolation. Running docker-socket-proxy in host mode would be highly insecure.
|
||||
|
||||
**Socat-proxy solves this problem** by creating a secure bridge between host-mode containers and containerized socket proxies. It exposes a UNIX socket file on the host filesystem that Beszel can access, while securely forwarding all Docker API requests to the socket-proxy running on the bridge network.
|
||||
|
||||
```yaml
|
||||
services:
|
||||
socat-proxy:
|
||||
image: git.djeex.fr/djeex/socat-proxy:latest
|
||||
container_name: socat-proxy-beszel
|
||||
environment:
|
||||
- TARGET_HOST=${TARGET_HOST}
|
||||
- TARGET_PORT=${TARGET_PORT}
|
||||
- UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
|
||||
- HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
|
||||
- UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
|
||||
volumes:
|
||||
- ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}
|
||||
restart: unless-stopped
|
||||
|
||||
socket-proxy:
|
||||
image: lscr.io/linuxserver/socket-proxy:latest
|
||||
container_name: socket-proxy-beszel
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- INFO=1
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
restart: unless-stopped
|
||||
read_only: true
|
||||
tmpfs:
|
||||
- /run
|
||||
|
||||
beszel-agent:
|
||||
image: henrygd/beszel-agent:latest
|
||||
container_name: beszel-agent
|
||||
restart: unless-stopped
|
||||
network_mode: host
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
volumes:
|
||||
- ${HOST_SOCKET_PATH}/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- #... your Beszel environment var
|
||||
depends_on:
|
||||
- socat-proxy
|
||||
```
|
||||
|
||||
|
||||
@@ -9,6 +9,7 @@ TARGET_PORT=${TARGET_PORT}
|
||||
UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
|
||||
UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
|
||||
HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
|
||||
DEBUG_LEVEL=${DEBUG_LEVEL:-1} # Default to basic logging
|
||||
|
||||
# Remove trailing slashes to avoid double slashes
|
||||
UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH%/}
|
||||
@@ -70,7 +71,7 @@ if [ -e "$FULL_UNIX_SOCKET_PATH" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
echo [~] Creating socket directory structure...
|
||||
echo "[~] Creating socket directory structure..."
|
||||
# Create directory if needed
|
||||
if mkdir -p "$UNIX_SOCKET_PATH"; then
|
||||
echo "[✓] Created directory $UNIX_SOCKET_PATH"
|
||||
@@ -80,11 +81,18 @@ else
|
||||
fi
|
||||
|
||||
echo "[~] Creating socket with netcat..."
|
||||
# Create socket with nc -lU in background and then kill it to create the socket file
|
||||
if timeout 1 nc -lU "$FULL_UNIX_SOCKET_PATH" 2>/dev/null || true; then
|
||||
echo "[✓] Socket created at $FULL_UNIX_SOCKET_PATH"
|
||||
# Create socket file by touching it, then remove it (this creates the path but leaves it clean for socat)
|
||||
touch "$FULL_UNIX_SOCKET_PATH"
|
||||
rm "$FULL_UNIX_SOCKET_PATH"
|
||||
echo "[✓] Socket path prepared at $FULL_UNIX_SOCKET_PATH"
|
||||
|
||||
# Debug: Check if socket file exists and its permissions
|
||||
if [ -S "$FULL_UNIX_SOCKET_PATH" ]; then
|
||||
echo "[✓] Socket file exists and is a socket"
|
||||
ls -la "$FULL_UNIX_SOCKET_PATH"
|
||||
else
|
||||
echo "[!] Socket creation with netcat had issues, but continuing..."
|
||||
echo "[!] Socket file does not exist or is not a socket"
|
||||
ls -la "$UNIX_SOCKET_PATH"
|
||||
fi
|
||||
|
||||
echo "[~] Testing connection to target..."
|
||||
@@ -111,11 +119,32 @@ cleanup() {
|
||||
trap cleanup SIGTERM SIGINT
|
||||
|
||||
echo "[~] Starting socat proxy..."
|
||||
# Start socat with verbose logging and redirect to stdout/stderr
|
||||
if socat -d -d UNIX-LISTEN:$FULL_UNIX_SOCKET_PATH,fork,unlink-early TCP:$TARGET_HOST:$TARGET_PORT & then
|
||||
# Start socat with configurable verbosity
|
||||
DEBUG_FLAGS=""
|
||||
if [ "$DEBUG_LEVEL" -eq 1 ]; then
|
||||
DEBUG_FLAGS="-d"
|
||||
elif [ "$DEBUG_LEVEL" -eq 2 ]; then
|
||||
DEBUG_FLAGS="-d -d"
|
||||
elif [ "$DEBUG_LEVEL" -eq 3 ]; then
|
||||
DEBUG_FLAGS="-d -d -d"
|
||||
fi
|
||||
|
||||
echo "[i] Using debug level: $DEBUG_LEVEL ($DEBUG_FLAGS)"
|
||||
|
||||
if socat $DEBUG_FLAGS UNIX-LISTEN:$FULL_UNIX_SOCKET_PATH,fork,unlink-early TCP:$TARGET_HOST:$TARGET_PORT & then
|
||||
SOCAT_PID=$!
|
||||
echo "[✓] Socat started with PID: $SOCAT_PID"
|
||||
echo "[i] Socat command: socat -d -d UNIX-LISTEN:$FULL_UNIX_SOCKET_PATH,fork,unlink-early TCP:$TARGET_HOST:$TARGET_PORT"
|
||||
echo "[~] Container is ready and running..."
|
||||
|
||||
# Debug: Check socket after socat starts
|
||||
sleep 2
|
||||
if [ -S "$FULL_UNIX_SOCKET_PATH" ]; then
|
||||
echo "[✓] Socat socket is active"
|
||||
ls -la "$FULL_UNIX_SOCKET_PATH"
|
||||
else
|
||||
echo "[!] Socat socket not found"
|
||||
fi
|
||||
else
|
||||
echo "[✗] Failed to start socat proxy"
|
||||
exit 1
|
||||
@@ -128,4 +157,3 @@ done
|
||||
|
||||
echo "[✗] Socat process has stopped"
|
||||
exit 1
|
||||
|
||||
|
||||
Reference in New Issue
Block a user