Docker Socket Proxy

Docker Socket Proxy is a security-enhanced proxy for the Docker socket.

• It sits between clients and the Docker daemon and blocks access to sensitive API endpoints based on per-endpoint allow/deny rules driven by environment variables.
• The proxy runs as an Alpine-based HAProxy container and uses a small configuration to enforce the ACLs, returning HTTP 403 Forbidden for disallowed requests.

Key Features

• ACL-driven access control via environment variables that map to Docker API prefixes (eg. /auth, /containers, /images, /volumes, etc.).
• Default allowances for safe endpoints (eg. EVENTS, PING, VERSION) with fine-grained revocation for security-critical areas.
• Simple deployment model: run a privileged container that mounts the host Docker socket and exposes a proxy port.
• Socket-location flexibility via SOCKET_PATH to support non-standard Docker socket paths.
• Configurable logging through a LOG_LEVEL setting.
• Clear security guidance: avoid exposing the proxy publicly and rely on Docker network isolation.
• Image tagging supports versioned releases, latest, and edge builds for development.

Use Cases

• Expose Docker API to a single service or CI tool with restricted permissions, reducing blast radius if the service is compromised.
• Place the proxy behind a network firewall or within a private network segment to limit access to the Docker daemon.
• Point clients to the proxy (via DOCKER_HOST=tcp://host:2375) instead of the raw Docker socket to enforce ACLs without changing client code.

Limitations and Considerations

• TLS support is not included; the proxy provides a plain HTTP front for the host Docker socket. Plan to terminate TLS at a separate layer or keep the proxy on a secured network.
• The container must run privileged because it connects to the Docker socket, which carries security implications.
• Some workflows may require enabling additional API sections; review and adjust environment variables to match your needs.

Conclusion

Docker Socket Proxy offers a straightforward ACL-based barrier between clients and the Docker daemon, enabling safer integrations where Docker access is necessary but tightly controlled. It is quick to deploy in a containerized environment, but requires careful network and permission configurations to maintain security.