Compare commits
4 Commits
Author | SHA1 | Date
---|---|---
 | 1f27f306a5 | 
 | b93ff1d89f | 
 | 3494e69c9f | 
 | 4ac6cd0634 | 
1
.env
@@ -1,4 +1,3 @@
|
||||
# Socat Proxy Configuration
|
||||
TARGET_HOST= # Target hostname/IP to proxy to
|
||||
TARGET_PORT= # Target port to proxy to
|
||||
UNIX_SOCKET_NAME= # Name of the socket file
|
||||
|
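Review bot: the `.env` template now carries only TARGET_HOST, TARGET_PORT and UNIX_SOCKET_NAME, while the README quick-start and the entrypoint also expect UNIX_SOCKET_PATH, HOST_SOCKET_PATH and DEBUG_LEVEL; add those three keys here (empty, with their comments) so that copying this file does not leave the compose volume mount `${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}` unresolved.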
65
README.MD
@@ -2,17 +2,20 @@
|
||||
|
||||
A lightweight Docker container that creates a UNIX socket proxy to TCP connections using socat and Alpine Linux.
|
||||
|
||||
> [!NOTE]
|
||||
>_Github repo is a mirror of https://git.djeex.fr/Djeex/socat-proxy. You'll find full package, history and release note there._
|
||||
|
||||
## 📑 Table of Contents
|
||||
|
||||
- [🚀 Features](#-features)
|
||||
- [🔧 How It Works](#-how-it-works)
|
||||
- [📋 Use Case](#-use-case)
|
||||
- [🛠️ Configuration](#️-configuration)
|
||||
- [Environment Variables](#environment-variables)
|
||||
- [🚢 Quick Start](#-quick-start)
|
||||
- [Using Docker Compose (Recommended)](#using-docker-compose-recommended)
|
||||
- [Using Docker Run](#using-docker-run)
|
||||
- [🔧 How It Works](#-how-it-works)
|
||||
- [💡 Example: Secure Docker Socket Access for Host-Mode Containers](#-example-secure-docker-socket-access-for-host-mode-containers)
|
||||
- [💡 Deployment example for Beszel](#-example-secure-docker-socket-access-for-host-mode-containers)
|
||||
|
||||
## 🚀 Features
|
||||
|
||||
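Review bot: the table of contents lists "🔧 How It Works" twice (after Features and again after Using Docker Run), and the new "💡 Deployment example for Beszel" entry links to `#-example-secure-docker-socket-access-for-host-mode-containers`, which is the anchor of the entry above it, so it can never reach its own section. Drop one of the How It Works entries and point the Beszel entry at `#-deployment-example-for-beszel`, following the anchor style the other entries use.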
@@ -20,9 +23,22 @@ A lightweight Docker container that creates a UNIX socket proxy to TCP connectio
|
||||
- **Socket Management**: Automatic UNIX socket creation and cleanup
|
||||
- **Production Ready**: Includes proper error handling and logging
|
||||
|
||||
## 🔧 How It Works
|
||||
|
||||
1. **Socket Check**: Verifies if UNIX socket exists at startup
|
||||
2. **Cleanup**: Removes existing socket file/folder if present
|
||||
3. **Socket Creation**: Creates new UNIX socket using `nc -lU`
|
||||
4. **Proxy Start**: Starts socat to proxy UNIX socket to TCP endpoint
|
||||
|
||||
## 📋 Use Case
|
||||
|
||||
- Proxy Docker socket from a docker proxy to a container in host mode without directly exposing socket to host
|
||||
Proxy Docker socket from a docker proxy to a container in host mode without directly exposing socket to host. For example:
|
||||
|
||||
[Beszel](https://beszel.dev/) is a monitoring tool that requires `network_mode: host` to function properly. This creates a security challenge: Beszel needs access to the Docker socket, but it cannot reach a containerized docker-socket-proxy due to the network isolation. Running docker-socket-proxy in host mode or exposing port to host would also be highly insecure.
|
||||
|
||||
**Socat-proxy solves this problem** by creating a secure bridge between host-mode containers and containerized socket proxies. It exposes a UNIX socket file on the host filesystem that Beszel can access, while securely forwarding all Docker API requests to the socket-proxy running on the bridge network.
|
||||
|
||||

|
||||
|
||||
## 🛠️ Configuration
|
||||
|
||||
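Review bot: the Use Case section says the same thing twice, first as the bullet "- Proxy Docker socket from a docker proxy ..." and then as the paragraph ending "For example:"; keep only the paragraph. Since step 2 of How It Works ("Removes existing socket file/folder if present") acts on a folder that is bind-mounted from the host, the README should state exactly which path the cleanup removes (the socket file under `UNIX_SOCKET_PATH`, or the folder itself), so operators know what a mis-set variable could delete.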
@@ -43,13 +59,12 @@ A lightweight Docker container that creates a UNIX socket proxy to TCP connectio
|
||||
|
||||
1. Create a `.env` file with your configuration:
|
||||
```bash
|
||||
# .env
|
||||
TARGET_HOST=socket-proxy-beszel
|
||||
TARGET_PORT=2375
|
||||
UNIX_SOCKET_NAME=docker.sock
|
||||
UNIX_SOCKET_PATH=/socket
|
||||
HOST_SOCKET_PATH=/docker/beszel-agent/sock
|
||||
DEBUG_LEVEL=0
|
||||
TARGET_HOST= #your target host
|
||||
TARGET_PORT= #your target host port
|
||||
UNIX_SOCKET_NAME= #your socket file name
|
||||
UNIX_SOCKET_PATH= #your socket folder path inside socat-proxy
|
||||
HOST_SOCKET_PATH= #your socket folder path inside your host
|
||||
DEBUG_LEVEL=1
|
||||
```
|
||||
|
||||
2. Create a `compose.yml` file:
|
||||
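Review bot: the rewritten `.env` example places comments after an empty value (`TARGET_HOST= #your target host`). Compose's dotenv parser tolerates that, but `docker run --env-file` does not strip inline comments and would pass the literal text ` #your target host` as the value, so put each comment on its own line above the key. The example also changes DEBUG_LEVEL from 0 to 1 without saying what the levels mean; a one-line legend would help. Since the removed values (socket-proxy-beszel, 2375, /socket, /docker/beszel-agent/sock) were the only worked configuration on the page, consider keeping them as a second, commented-out block.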
@@ -79,28 +94,18 @@ docker compose up -d
|
||||
```bash
|
||||
docker run -d \
|
||||
--name socat-proxy \
|
||||
-e TARGET_HOST=socket-proxy-beszel \
|
||||
-e TARGET_PORT=2375 \
|
||||
-e UNIX_SOCKET_NAME=docker.sock \
|
||||
-e UNIX_SOCKET_PATH=/socket \
|
||||
-e HOST_SOCKET_PATH=/docker/beszel-agent/sock \
|
||||
-e TARGET_HOST= #your target host \
|
||||
-e TARGET_PORT= #your target host port \
|
||||
-e UNIX_SOCKET_NAME= #your socket file name \
|
||||
-e UNIX_SOCKET_PATH= #your socket folder path inside socat-proxy \
|
||||
-e HOST_SOCKET_PATH= #your socket folder path inside your host\
|
||||
-e DEBUG_LEVEL=1 \
|
||||
-v /docker/beszel-agent/sock:/socket \
|
||||
-v ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}$ \
|
||||
git.djeex.fr/djeex/socat-proxy:latest
|
||||
```
|
||||
|
||||
## 🔧 How It Works
|
||||
|
||||
1. **Socket Check**: Verifies if UNIX socket exists at startup
|
||||
2. **Cleanup**: Removes existing socket file/folder if present
|
||||
3. **Socket Creation**: Creates new UNIX socket using `nc -lU`
|
||||
4. **Proxy Start**: Starts socat to proxy UNIX socket to TCP endpoint
|
||||
|
||||
## 💡 Example: Secure Docker Socket Access for Host-Mode Containers
|
||||
|
||||
[Beszel](https://beszel.dev/) is a monitoring tool that requires `network_mode: host` to function properly. This creates a security challenge: Beszel needs access to the Docker socket, but it cannot reach a containerized docker-socket-proxy due to the network isolation. Running docker-socket-proxy in host mode would be highly insecure.
|
||||
|
||||
**Socat-proxy solves this problem** by creating a secure bridge between host-mode containers and containerized socket proxies. It exposes a UNIX socket file on the host filesystem that Beszel can access, while securely forwarding all Docker API requests to the socket-proxy running on the bridge network.
|
||||
## 💡 Deployment example for Beszel
|
||||
|
||||
```yaml
|
||||
services:
|
||||
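Review bot: the `docker run` example is not pasteable as written: in `-e TARGET_HOST= #your target host \` the `#` starts a shell comment that swallows the trailing `\`, so the line continuation is lost and every following line runs as a separate command. Drop the inline comments (or use real values) and fix `-v ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}$ \`, whose stray `$` appends a literal `$` to the container-side path; the `...inside your host\` line is also missing the space before its backslash. Note too that `${HOST_SOCKET_PATH}` and `${UNIX_SOCKET_PATH}` are now shell variables the reader must export first, because `docker run` does not read `.env`. The "## 🔧 How It Works" and "## 💡 Example: ..." sections added at the end of this hunk repeat text that already appears earlier in the README, and the two copies of the Beszel paragraph have already diverged ("or exposing port to host would also be" is only in the first); keep a single copy of each.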
@@ -116,10 +121,12 @@ services:
|
||||
volumes:
|
||||
- ${HOST_SOCKET_PATH}:${UNIX_SOCKET_PATH}
|
||||
restart: unless-stopped
|
||||
depends_on:
|
||||
- ${TARGET_HOST}
|
||||
|
||||
socket-proxy:
|
||||
image: lscr.io/linuxserver/socket-proxy:latest
|
||||
container_name: socket-proxy-beszel
|
||||
container_name: ${TARGET_HOST}
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
environment:
|
||||
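Review bot: `depends_on: - ${TARGET_HOST}` will not resolve: `depends_on` takes service keys, and the service is keyed `socket-proxy` while `${TARGET_HOST}` is only its `container_name`, so unless the variable happens to equal `socket-proxy` Compose rejects the file with an undefined-service error. Keep `depends_on: - socket-proxy` (or rename the service key to match). Using `${TARGET_HOST}` as the `container_name` is fine for name resolution on the bridge network, so that half of the change can stay.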
@@ -140,7 +147,7 @@ services:
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
volumes:
|
||||
- ${HOST_SOCKET_PATH}/docker.sock:/var/run/docker.sock:ro
|
||||
- ${HOST_SOCKET_PATH}/${UNIX_SOCKET_NAME}:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- #... your Beszel environment var
|
||||
depends_on:
|
||||
|
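Review bot: `- #... your Beszel environment var` under `environment:` is read by YAML as a list item whose content is a comment, i.e. a null entry, which Compose's schema validation rejects because environment entries must be strings; make it a plain YAML comment line (`# ... your Beszel environment vars`) or a real `KEY=value` placeholder. The mount change itself is right: `${HOST_SOCKET_PATH}/${UNIX_SOCKET_NAME}:/var/run/docker.sock:ro` keeps the socket read-only inside the Beszel container and follows the configured socket name instead of hard-coding `docker.sock`.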
@@ -4,14 +4,7 @@ set -e
|
||||
CYAN="\033[1;36m"
|
||||
NC="\033[0m"
|
||||
|
||||
TARGET_HOST=${TARGET_HOST}
|
||||
TARGET_PORT=${TARGET_PORT}
|
||||
UNIX_SOCKET_NAME=${UNIX_SOCKET_NAME}
|
||||
UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH}
|
||||
HOST_SOCKET_PATH=${HOST_SOCKET_PATH}
|
||||
DEBUG_LEVEL=${DEBUG_LEVEL:-1} # Default to basic logging
|
||||
|
||||
# Remove trailing slashes to avoid double slashes
|
||||
DEBUG_LEVEL=${DEBUG_LEVEL:-1}
|
||||
UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH%/}
|
||||
HOST_SOCKET_PATH=${HOST_SOCKET_PATH%/}
|
||||
|
||||
|
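Review bot: the variables are taken straight from the environment with no check that they are set; after `UNIX_SOCKET_PATH=${UNIX_SOCKET_PATH%/}` an unset or empty value stays empty, so a path built as `${UNIX_SOCKET_PATH}/${UNIX_SOCKET_NAME}` collapses to `/docker.sock` (or `/` if both are empty), which matters for a script whose cleanup step removes an existing socket file or folder. Add guards of the form `: "${UNIX_SOCKET_PATH:?UNIX_SOCKET_PATH is required}"` for TARGET_HOST, TARGET_PORT, UNIX_SOCKET_NAME and UNIX_SOCKET_PATH before the cleanup runs; the script already uses `set -e`, so they abort cleanly. As rendered here, `DEBUG_LEVEL=${DEBUG_LEVEL:-1}` now sits directly under the "Remove trailing slashes" comment, where it does not belong; keep its "Default to basic logging" comment with it.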
4
illustration/socat-proxy.svg
Normal file
File diff suppressed because one or more lines are too long
After Width: | Height: | Size: 436 KiB |