README.md (25 additions & 12 deletions)
@@ -42,6 +42,17 @@ This is meant to be an additional layer of security. It does not replace other s
42
42
43
43
Socket-proxy listens per default only on `127.0.0.1`. Depending on what you need, you may want to set another listener address with the `-listenip` parameter. In almost every use case, `-listenip=0.0.0.0` will be the correct configuration when using socket-proxy in a docker image.
44
44
45
+
#### Using a unix socket instead of a TCP listener
46
+
47
+
> [!CAUTION]
48
+
> This is a new feature introduced in version 1.5.0. If you experience any issues, please feel free to open an GitHub issue.
49
+
50
+
If you want to proxy/filter the unix socket to a new unix socket instead to a TCP listener,
51
+
you need to set the `-proxysocketendpoint` parameter or the `SP_PROXYSOCKETENDPOIN` env variable to the socket path of the new unix socket.
52
+
This will also disable the TCP listener.
53
+
54
+
For example `-proxysocketendpoint=/tmp/filtered-socket.sock`
55
+
45
56
#### Setting up the IP address or hostname allowlist
46
57
47
58
Per default, only `127.0.0.1/32` is allowed to connect to socket-proxy. You may want to set another allowlist with the `-allowfrom` parameter, depending on your needs.
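Review bot: the environment variable name on the `-proxysocketendpoint` line is truncated: `SP_PROXYSOCKETENDPOIN` is missing its final `T`, while the parameter table added later in this same commit spells it `SP_PROXYSOCKETENDPOINT`, so a user copying the name from this section would set a variable that does not match the documented one. Two smaller wording fixes in the same lines: "instead to a TCP listener" should read "instead of a TCP listener", and "open an GitHub issue" should read "open a GitHub issue". Since this is the section that introduces the unix socket mode, it would also help to mention the companion `-proxysocketendpointfilemode` parameter (default `0400` per the table) and which user or group needs access to the new socket, because the socket file's mode and owner are what bound which local processes can reach the filtered endpoint, and to state whether the `-allowfrom` allowlist described in the next section still applies once the TCP listener is disabled.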
@@ -162,18 +173,20 @@ To log the API calls of the client application, set the log level to `DEBUG` and
162
173
163
174
socket-proxy can be configured via command line parameters or via environment variables. If both command line parameter and environment variables are set, the environment variable will be ignored.
|`-allowfrom`|`SP_ALLOWFROM`|`127.0.0.1/32`| Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. |
168
-
|`-allowhealthcheck`|`SP_ALLOWHEALTHCHECK`| (not set) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) |
169
-
|`-listenip`|`SP_LISTENIP`|`127.0.0.1`| Specifies the IP address the server will bind on. Default is only the internal network. |
170
-
|`-logjson`|`SP_LOGJSON`| (not set) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. |
|`-proxyport`|`SP_PROXYPORT`|`2375`| Defines the TCP port the proxy listens to. |
173
-
|`-shutdowngracetime`|`SP_SHUTDOWNGRACETIME`|`10`| Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) |
174
-
|`-socketpath`|`SP_SOCKETPATH`|`/var/run/docker.sock`| Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. |
175
-
|`-stoponwatchdog`|`SP_STOPONWATCHDOG`| (not set) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. |
176
-
|`-watchdoginterval`|`SP_WATCHDOGINTERVAL`|`0`| Check for socket availabibity every x seconds (disable checks, if not set or value is 0) |
|`-allowfrom`|`SP_ALLOWFROM`|`127.0.0.1/32`| Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. |
179
+
|`-allowhealthcheck`|`SP_ALLOWHEALTHCHECK`| (not set/false) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) |
180
+
|`-listenip`|`SP_LISTENIP`|`127.0.0.1`| Specifies the IP address the server will bind on. Default is only the internal network. |
181
+
|`-logjson`|`SP_LOGJSON`| (not set/false) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. |
|`-proxyport`|`SP_PROXYPORT`|`2375`| Defines the TCP port the proxy listens to. |
184
+
|`-shutdowngracetime`|`SP_SHUTDOWNGRACETIME`|`10`| Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) |
185
+
|`-socketpath`|`SP_SOCKETPATH`|`/var/run/docker.sock`| Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. |
186
+
|`-stoponwatchdog`|`SP_STOPONWATCHDOG`| (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. |
187
+
|`-watchdoginterval`|`SP_WATCHDOGINTERVAL`|`0`| Check for socket availabibity every x seconds (disable checks, if not set or value is 0) |
188
+
|`-proxysocketendpoint`|`SP_PROXYSOCKETENDPOINT`| (not set) | Proxy to the given unix socket instead of a TCP port |
189
+
|`-proxysocketendpointfilemode`|`SP_PROXYSOCKETENDPOINTFILEMODE`|`0400`| Explicitly set the file mode for the filtered unix socket endpoint (only useful with `-proxysocketendpoint`) |
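Review bot: the rewritten rows carry over typos from the old table that this commit is the place to fix: `availabibity` should be `availability` on the `-watchdoginterval` row; `sigtern`/`sigint` should be `SIGTERM`/`SIGINT` and "tries to graceful shut down" should be "tries to gracefully shut down" on the `-shutdowngracetime` row; and the `-logjson` row says "docker-proxy logs in plain text format" where the product is called socket-proxy everywhere else in the table. The two new rows are appended after `-watchdoginterval` even though the rest of the table is alphabetical; placing `-proxysocketendpoint` and `-proxysocketendpointfilemode` directly after `-proxyport` keeps the ordering consistent. For `-proxysocketendpointfilemode`, the row should say whether the value is parsed as octal (the `0400` default suggests it is) and what that default means for which local users can connect to the filtered socket, since in unix socket mode the file mode is the effective access control.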