Djeex/socat-proxy
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Activity

Compare commits

base: Djeex:v1.0
Branches Tags
Djeex:main
Djeex:v1.0
..
compare: Djeex:45d87a26d08b42dab696ea6e5dbb9de1e0a0bdcf
Branches Tags
Djeex:main
Djeex:v1.0

2 Commits
v1.0 ... 45d87a26d0

Author SHA1 Message Date
Djeex
45d87a26d0 Merge branch 'main' of http://10.7.0.3:3000/Djeex/socat-proxy 2025-09-24 12:48:29 +02:00
Djeex
5de286e233 Fixed variable and log order + listen path 2025-09-24 12:43:45 +02:00
7 changed files with 91 additions and 207 deletions
Expand all files Collapse all files

2
.dockerignore
View File

@@ -3,7 +3,9 @@
.gitignore .gitignore
README.md README.md
LICENSE LICENSE
VERSION
*.log *.log
*.tmp *.tmp
.env .env
docker-compose.yaml docker-compose.yaml
Dockerfile.minimal

8
.env
View File

@@ -1,6 +1,4 @@
# Socat Proxy Configuration # Socat Proxy Configuration
TARGET_HOST= # Target hostname/IP to proxy to TARGET_HOST=
TARGET_PORT= # Target port to proxy to TARGET_PORT=
UNIX_SOCKET_NAME= # Name of the socket file SOCKET_PATH=
UNIX_SOCKET_PATH= # Path to UNIX socket inside container
HOST_SOCKET_PATH= # Host path for socket mounting

4
Dockerfile
View File

@@ -1,9 +1,11 @@
FROM alpine:latest FROM alpine:latest
# Install socat and netcat in a single RUN command and clean up cache
RUN apk add --no-cache socat netcat-openbsd \ RUN apk add --no-cache socat netcat-openbsd \
&& rm -rf /var/cache/apk/* /tmp/* && rm -rf /var/cache/apk/* /tmp/*
COPY entrypoint.sh VERSION / # Create socket directory and copy/set permissions in single layers
COPY entrypoint.sh /entrypoint.sh
RUN mkdir -p /socket \ RUN mkdir -p /socket \
&& chmod +x /entrypoint.sh && chmod +x /entrypoint.sh

126
README.MD
View File

@@ -2,27 +2,17 @@
A lightweight Docker container that creates a UNIX socket proxy to TCP connections using socat and Alpine Linux. A lightweight Docker container that creates a UNIX socket proxy to TCP connections using socat and Alpine Linux.
## 📑 Table of Contents
- [🚀 Features](#-features)
- [📋 Use Case](#-use-case)
- [🛠️ Configuration](#-configuration)
- [Environment Variables](#environment-variables)
- [🚢 Quick Start](#-quick-start)
- [Using Docker Compose (Recommended)](#using-docker-compose-recommended)
- [Using Docker Run](#using-docker-run)
- [🔧 How It Works](#-how-it-works)
- [💡 Example: Secure Docker Socket Access for Host-Mode Containers](#-example-secure-docker-socket-access-for-host-mode-containers)
## 🚀 Features ## 🚀 Features
- **Lightweight**: Based on Alpine Linux (~10-15MB image)
- **Configurable**: Environment variable driven configuration - **Configurable**: Environment variable driven configuration
- **Socket Management**: Automatic UNIX socket creation and cleanup - **Socket Management**: Automatic UNIX socket creation and cleanup
- **Production Ready**: Includes proper error handling and logging - **Production Ready**: Includes proper error handling and logging
- **Multi-variant**: Standard and minimal Docker images available
## 📋 Use Case ## 📋 Use Cases example
- Proxy Docker socket from a docker proxy to a container in host mode without directly exposing socket to host - Proxy Docker socket from a docker proxy to a container in host mode
## 🛠️ Configuration ## 🛠️ Configuration
@@ -32,61 +22,45 @@ A lightweight Docker container that creates a UNIX socket proxy to TCP connectio
|----------|---------|-------------|---------| |----------|---------|-------------|---------|
| `TARGET_HOST` | - | Target hostname/IP to proxy to | `socket-proxy-beszel` | | `TARGET_HOST` | - | Target hostname/IP to proxy to | `socket-proxy-beszel` |
| `TARGET_PORT` | - | Target port to proxy to | `2375` | | `TARGET_PORT` | - | Target port to proxy to | `2375` |
| `UNIX_SOCKET_NAME` | - | Name of the socket file | `docker.sock` | | `UNIX_SOCKET_PATH` | - | Path to UNIX socket inside container | `/socket/docker.sock` |
| `UNIX_SOCKET_PATH` | - | Path to UNIX socket inside container | `/socket` | | `SOCKET_PATH` | - | Host path for socket mounting | `/your/container/sock/` |
| `HOST_SOCKET_PATH` | - | Host path for socket mounting | `/docker/beszel-agent/sock` |
| `DEBUG_LEVEL` | - | Level of logs verbose | `0`,`1`,`2`,`3` |
## 🚢 Quick Start ## 🚢 Quick Start
### Using Docker Compose (Recommended) ### Using Docker Compose (Recommended)
1. Create a `.env` file with your configuration: 1. Clone the repository:
```bash ```bash
# .env git clone https://git.djeex.fr/Djeex/socat-proxy
TARGET_HOST=socket-proxy-beszel cd socat-proxy
TARGET_PORT=2375
UNIX_SOCKET_NAME=docker.sock
UNIX_SOCKET_PATH=/socket
HOST_SOCKET_PATH=/docker/beszel-agent/sock
DEBUG_LEVEL=0
``` ```
2. Create a `compose.yml` file: 2. Configure environment variables in `.env` file:
```yaml ```bash
services: TARGET_HOST= # Target hostname/IP to proxy to
socat-proxy: TARGET_PORT= # Target port to proxy to
image: git.djeex.fr/djeex/socat-proxy:latest UNIX_SOCKET_PATH= # Path to UNIX socket inside container
environment: HOST_SOCKET_PATH= # Host path for socket mounting
- TARGET_HOST=${TARGET_HOST}
- TARGET_PORT=${TARGET_PORT}
- UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
- UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
- HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
- DEBUG_LEVEL=${DEBUG_LEVEL}
volumes:
- ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}
restart: unless-stopped
``` ```
3. Start the service: 3. Start the service:
```bash ```bash
docker compose up -d docker-compose up -d
``` ```
### Using Docker Run ### Using Docker Run
```bash ```bash
docker build -t socat-proxy .
docker run -d \ docker run -d \
--name socat-proxy \ --name socat-proxy \
-e TARGET_HOST=socket-proxy-beszel \ -e TARGET_HOST=your-target-host \
-e TARGET_PORT=2375 \ -e TARGET_PORT=your-target-port \
-e UNIX_SOCKET_NAME=docker.sock \ -e UNIX_SOCKET_PATH=your-unix-socket-path \
-e UNIX_SOCKET_PATH=/socket \ -e HOST_SOCKET_PATH=your-socket-host-path \
-e HOST_SOCKET_PATH=/docker/beszel-agent/sock \ -v /your-origin-socket-path:/socket \
-e DEBUG_LEVEL=1 \ socat-proxy
-v /docker/beszel-agent/sock:/socket \
git.djeex.fr/djeex/socat-proxy:latest
``` ```
## 🔧 How It Works ## 🔧 How It Works
@@ -95,55 +69,3 @@ docker run -d \
2. **Cleanup**: Removes existing socket file/folder if present 2. **Cleanup**: Removes existing socket file/folder if present
3. **Socket Creation**: Creates new UNIX socket using `nc -lU` 3. **Socket Creation**: Creates new UNIX socket using `nc -lU`
4. **Proxy Start**: Starts socat to proxy UNIX socket to TCP endpoint 4. **Proxy Start**: Starts socat to proxy UNIX socket to TCP endpoint
## 💡 Example: Secure Docker Socket Access for Host-Mode Containers
[Beszel](https://beszel.dev/) is a monitoring tool that requires `network_mode: host` to function properly. This creates a security challenge: Beszel needs access to the Docker socket, but it cannot reach a containerized docker-socket-proxy due to the network isolation. Running docker-socket-proxy in host mode would be highly insecure.
**Socat-proxy solves this problem** by creating a secure bridge between host-mode containers and containerized socket proxies. It exposes a UNIX socket file on the host filesystem that Beszel can access, while securely forwarding all Docker API requests to the socket-proxy running on the bridge network.
```yaml
services:
socat-proxy:
image: git.djeex.fr/djeex/socat-proxy:latest
container_name: socat-proxy-beszel
environment:
- TARGET_HOST=${TARGET_HOST}
- TARGET_PORT=${TARGET_PORT}
- UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
- HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
- UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
volumes:
- ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}
restart: unless-stopped
socket-proxy:
image: lscr.io/linuxserver/socket-proxy:latest
container_name: socket-proxy-beszel
security_opt:
- no-new-privileges:true
environment:
- CONTAINERS=1
- INFO=1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
read_only: true
tmpfs:
- /run
beszel-agent:
image: henrygd/beszel-agent:latest
container_name: beszel-agent
restart: unless-stopped
network_mode: host
security_opt:
- no-new-privileges:true
volumes:
- ${HOST_SOCKET_PATH}/docker.sock:/var/run/docker.sock:ro
environment:
- #... your Beszel environment var
depends_on:
- socat-proxy
```

2
VERSION
View File

@@ -1 +1 @@
1.0.0 0.1

20
docker-compose.yaml
View File

@@ -1,13 +1,21 @@
--- version: '3.8'
services: services:
socat-proxy: socat-proxy:
build: . build: .
environment: environment:
- TARGET_HOST=${TARGET_HOST} - TARGET_HOST=${TARGET_HOST:}
- TARGET_PORT=${TARGET_PORT} - TARGET_PORT=${TARGET_PORT:}
- UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
- UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH} - UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
- HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
volumes: volumes:
- ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH} - ${HOST_SOCKET_PATH:-/tmp/docker-proxy}:/socket
networks:
- proxy-network
restart: unless-stopped restart: unless-stopped
volumes:
socket_volume:
networks:
proxy-network:
external: false

134
entrypoint.sh
View File

@@ -1,152 +1,103 @@
#!/bin/sh #!/bin/sh
set -e set -e
CYAN="\033[1;36m" # Set default values if not provided
NC="\033[0m"
TARGET_HOST=${TARGET_HOST} TARGET_HOST=${TARGET_HOST}
TARGET_PORT=${TARGET_PORT} TARGET_PORT=${TARGET_PORT}
UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH} UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
UNIX_SOCKET_NAME=$(basename "$UNIX_SOCKET_PATH")
HOST_SOCKET_PATH=${HOST_SOCKET_PATH} HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
DEBUG_LEVEL=${DEBUG_LEVEL:-1} # Default to basic logging
# Remove trailing slashes to avoid double slashes
UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH%/}
HOST_SOCKET_PATH=${HOST_SOCKET_PATH%/}
FULL_HOST_SOCKET_PATH="$HOST_SOCKET_PATH/$UNIX_SOCKET_NAME"
FULL_UNIX_SOCKET_PATH="$UNIX_SOCKET_PATH/$UNIX_SOCKET_NAME"
VERSION=$(cat VERSION)
echo -e "${CYAN}╭────────────────────────────────────────────────╮${NC}"
echo -e "${CYAN}${NC} Socat-proxy - Version ${VERSION}${NC} ${CYAN}${NC}"
echo -e "${CYAN}├────────────────────────────────────────────────┤${NC}"
echo -e "${CYAN}${NC} Source: https://git.djeex.fr/Djeex/socat-proxy ${CYAN}${NC}"
echo -e "${CYAN}${NC} Mirror: https://github.com/Djeex/socat-proxy ${CYAN}${NC}"
echo -e "${CYAN}╰────────────────────────────────────────────────╯${NC}"
# Validate required environment variables # Validate required environment variables
if [ -z "$TARGET_HOST" ]; then if [ -z "$TARGET_HOST" ]; then
echo "[✗] TARGET_HOST environment variable is required" echo "ERROR: TARGET_HOST environment variable is required"
exit 1 exit 1
fi fi
if [ -z "$TARGET_PORT" ]; then if [ -z "$TARGET_PORT" ]; then
echo "[✗] TARGET_PORT environment variable is required" echo "ERROR: TARGET_PORT environment variable is required"
exit 1
fi
if [ -z "$UNIX_SOCKET_NAME" ]; then
echo "[✗] UNIX_SOCKET_NAME environment variable is required"
exit 1 exit 1
fi fi
if [ -z "$UNIX_SOCKET_PATH" ]; then if [ -z "$UNIX_SOCKET_PATH" ]; then
echo "[✗] UNIX_SOCKET_PATH environment variable is required" echo "ERROR: UNIX_SOCKET_PATH environment variable is required"
exit 1 exit 1
fi fi
if [ -z "$HOST_SOCKET_PATH" ]; then if [ -z "$HOST_SOCKET_PATH" ]; then
echo "[✗] HOST_SOCKET_PATH environment variable is required" echo "ERROR: HOST_SOCKET_PATH environment variable is required"
exit 1 exit 1
fi fi
echo "[~] Starting socat proxy..." echo "Starting socat proxy..."
echo "[i] TCP target: $TARGET_HOST:$TARGET_PORT" echo "UNIX socket: $UNIX_SOCKET_PATH"
echo "[i] HOST path: $HOST_SOCKET_PATH" echo "TCP target: $TARGET_HOST:$TARGET_PORT"
echo "[i] Full host socket path: $FULL_HOST_SOCKET_PATH" echo "HOST path: $HOST_SOCKET_PATH"
echo "[i] Full socket path: $FULL_UNIX_SOCKET_PATH" echo "Socket name: $UNIX_SOCKET_NAME"
# Calculate full socket path
FULL_SOCKET_PATH="$HOST_SOCKET_PATH/$UNIX_SOCKET_NAME"
echo "Full socket path: $FULL_SOCKET_PATH"
# Check if socket file/folder exists and handle it # Check if socket file/folder exists and handle it
if [ -e "$FULL_UNIX_SOCKET_PATH" ]; then if [ -e "$FULL_SOCKET_PATH" ]; then
echo "[~] Socket file/folder $FULL_UNIX_SOCKET_PATH exists, removing it..." echo "Socket file/folder $FULL_SOCKET_PATH exists, removing it..."
if rm -rf "$FULL_UNIX_SOCKET_PATH"; then if rm -rf "$FULL_SOCKET_PATH"; then
echo "[✓] Removed existing socket $FULL_UNIX_SOCKET_PATH" echo "SUCCESS: Removed existing socket $FULL_SOCKET_PATH"
else else
echo "[✗] Failed to remove existing socket $FULL_UNIX_SOCKET_PATH" echo "ERROR: Failed to remove existing socket $FULL_SOCKET_PATH"
exit 1 exit 1
fi fi
fi fi
echo "[~] Creating socket directory structure..." echo "Creating socket directory structure..."
# Create directory if needed # Create directory if needed
if mkdir -p "$UNIX_SOCKET_PATH"; then if mkdir -p "$HOST_SOCKET_PATH"; then
echo "[✓] Created directory $UNIX_SOCKET_PATH" echo "SUCCESS: Created directory $HOST_SOCKET_PATH"
else else
echo "[✗] Failed to create directory $UNIX_SOCKET_PATH" echo "ERROR: Failed to create directory $HOST_SOCKET_PATH"
exit 1 exit 1
fi fi
echo "[~] Creating socket with netcat..." echo "Creating socket with netcat..."
# Create socket file by touching it, then remove it (this creates the path but leaves it clean for socat) # Create socket with nc -lU in background and then kill it to create the socket file
touch "$FULL_UNIX_SOCKET_PATH" if timeout 1 nc -lU "$FULL_SOCKET_PATH" 2>/dev/null || true; then
rm "$FULL_UNIX_SOCKET_PATH" echo "SUCCESS: Socket created at $FULL_SOCKET_PATH"
echo "[✓] Socket path prepared at $FULL_UNIX_SOCKET_PATH"
# Debug: Check if socket file exists and its permissions
if [ -S "$FULL_UNIX_SOCKET_PATH" ]; then
echo "[✓] Socket file exists and is a socket"
ls -la "$FULL_UNIX_SOCKET_PATH"
else else
echo "[!] Socket file does not exist or is not a socket" echo "WARNING: Socket creation with netcat had issues, but continuing..."
ls -la "$UNIX_SOCKET_PATH"
fi fi
echo "[~] Testing connection to target..." echo "Testing connection to target..."
# Test if we can reach the target before starting socat # Test if we can reach the target before starting socat
if ! nc -z "$TARGET_HOST" "$TARGET_PORT" 2>/dev/null; then if ! nc -z "$TARGET_HOST" "$TARGET_PORT" 2>/dev/null; then
echo "[!] Cannot connect to $TARGET_HOST:$TARGET_PORT - socat will retry automatically" echo "WARNING: Cannot connect to $TARGET_HOST:$TARGET_PORT - socat will retry automatically"
else else
echo "[✓] Connection to $TARGET_HOST:$TARGET_PORT is working" echo "SUCCESS: Connection to $TARGET_HOST:$TARGET_PORT is working"
fi fi
# Signal handler for graceful shutdown # Signal handler for graceful shutdown
cleanup() { cleanup() {
echo "[!] Received SIGTERM, shutting down gracefully..." echo "Received SIGTERM, shutting down gracefully..."
if [ ! -z "$SOCAT_PID" ]; then if [ ! -z "$SOCAT_PID" ]; then
echo "[~] Stopping socat process (PID: $SOCAT_PID)..." echo "Stopping socat process (PID: $SOCAT_PID)..."
kill "$SOCAT_PID" 2>/dev/null || true kill "$SOCAT_PID" 2>/dev/null || true
wait "$SOCAT_PID" 2>/dev/null || true wait "$SOCAT_PID" 2>/dev/null || true
fi fi
echo "[~] Cleanup completed, exiting..." echo "Cleanup completed, exiting..."
exit 0 exit 0
} }
# Set up signal trap # Set up signal trap
trap cleanup SIGTERM SIGINT trap cleanup SIGTERM SIGINT
echo "[~] Starting socat proxy..." echo "Starting socat proxy..."
# Start socat with configurable verbosity # Start socat with verbose logging and redirect to stdout/stderr
DEBUG_FLAGS="" if socat -d -d UNIX-LISTEN:$FULL_SOCKET_PATH,fork,unlink-early TCP:$TARGET_HOST:$TARGET_PORT & then
if [ "$DEBUG_LEVEL" -eq 1 ]; then
DEBUG_FLAGS="-d"
elif [ "$DEBUG_LEVEL" -eq 2 ]; then
DEBUG_FLAGS="-d -d"
elif [ "$DEBUG_LEVEL" -eq 3 ]; then
DEBUG_FLAGS="-d -d -d"
fi
echo "[i] Using debug level: $DEBUG_LEVEL ($DEBUG_FLAGS)"
if socat $DEBUG_FLAGS UNIX-LISTEN:$FULL_UNIX_SOCKET_PATH,fork,unlink-early TCP:$TARGET_HOST:$TARGET_PORT & then
SOCAT_PID=$! SOCAT_PID=$!
echo "[✓] Socat started with PID: $SOCAT_PID" echo "SUCCESS: Socat started with PID: $SOCAT_PID"
echo "[i] Socat command: socat -d -d UNIX-LISTEN:$FULL_UNIX_SOCKET_PATH,fork,unlink-early TCP:$TARGET_HOST:$TARGET_PORT" echo "Container is ready and running..."
echo "[~] Container is ready and running..."
# Debug: Check socket after socat starts
sleep 2
if [ -S "$FULL_UNIX_SOCKET_PATH" ]; then
echo "[✓] Socat socket is active"
ls -la "$FULL_UNIX_SOCKET_PATH"
else else
echo "[!] Socat socket not found" echo "ERROR: Failed to start socat proxy"
fi
else
echo "[✗] Failed to start socat proxy"
exit 1 exit 1
fi fi
@@ -155,5 +106,6 @@ while kill -0 "$SOCAT_PID" 2>/dev/null; do
sleep 1 sleep 1
done done
echo "[✗] Socat process has stopped" echo "Socat process has stopped"
exit 1 exit 1