Is this a new feature request?
Wanted change
Add an optional environment variable (e.g. BIND_CONFIG) that controls the address HAProxy binds to, instead of always listening on all interfaces (:2375 / [::]:2375).
Reason for change
When the socket-proxy runs in a shared network (e.g. a Podman pod sharing a network namespace with other containers), the proxy is reachable by every container on that network, even though typically only one specific container needs it. Since the Podman pod controls networking for the whole pod, it is not possible to add an additional internal-only network if one container needs to access other containers (e.g. a reverse proxy). Being able to bind the socket-proxy to 127.0.0.1 (loopback inside the netns; containers in a Podman pod share a loopback address) would limit access to co-located containers in the same pod / network namespace and reduce the attack surface, without requiring a separate isolated network just for the proxy.
Tecnativa/docker-socket-proxy already supports this (although undocumented) via the BIND_CONFIG environment variable (introduced in this commit).
Proposed code change
In root/docker-entrypoint.sh, allow BIND_CONFIG to override the default:
    # Keep the current defaults when BIND_CONFIG is not set.
    if [ -z "${BIND_CONFIG}" ]; then
        if [ "${DISABLE_IPV6}" = 1 ]; then
            BIND_CONFIG=":2375"
        else
            BIND_CONFIG="[::]:2375 v4v6"
        fi
    fi
    # Substitute the resolved bind expression into the HAProxy template.
    sed "s|@@BIND_PROTO@@|${BIND_CONFIG}|g" /templates/haproxy.cfg > /run/haproxy/haproxy.cfg
Usage example:
    environment:
      - BIND_CONFIG=127.0.0.1:2375
Default behavior stays unchanged when the variable is unset.
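As an added example (not the project's entrypoint and not the requester's code), a POSIX sh script that resolves the bind expression the same way the proposed snippet does, renders a constructed haproxy.cfg fragment with the @@BIND_PROTO@@ placeholder, and additionally refuses values that would alter the sed expression; TEMPLATE, resolve_bind_config, render_haproxy_cfg and bind_line are assumed names.

```shell
# Added example (not the project's entrypoint script): resolve the HAProxy
# bind expression as the proposed change does, then render a constructed
# haproxy.cfg fragment carrying the @@BIND_PROTO@@ placeholder.
nl='
'
# resolve_bind_config BIND_CONFIG DISABLE_IPV6
# The operator's value wins; otherwise the current defaults apply
# (:2375 when IPv6 is disabled, [::]:2375 v4v6 when it is not).
resolve_bind_config() {
    bind_config="$1"; disable_ipv6="$2"
    if [ -z "${bind_config}" ]; then
        if [ "${disable_ipv6}" = 1 ]; then
            bind_config=":2375"
        else
            bind_config="[::]:2375 v4v6"
        fi
    fi
    # The value lands in a '|'-delimited sed replacement: '|', '&', '\'
    # alter the expression and a newline could append haproxy directives.
    case "${bind_config}" in
        *'|'*|*'&'*|*'\'*|*"${nl}"*)
            echo "refusing BIND_CONFIG with sed/newline metacharacters" >&2
            return 1 ;;
    esac
    printf '%s\n' "${bind_config}"
}

# Constructed stand-in for /templates/haproxy.cfg (frontend only).
TEMPLATE='frontend dockerfrontend
    bind @@BIND_PROTO@@
    default_backend dockerbackend'

# render_haproxy_cfg BIND_CONFIG DISABLE_IPV6: the rendered fragment.
render_haproxy_cfg() {
    resolved="$(resolve_bind_config "$1" "$2")" || return 1
    printf '%s\n' "${TEMPLATE}" | sed "s|@@BIND_PROTO@@|${resolved}|g"
}

# bind_line BIND_CONFIG DISABLE_IPV6: the rendered bind directive's value.
bind_line() {
    render_haproxy_cfg "$1" "$2" | sed -n 's/^[[:space:]]*bind //p'
}
# Stand-alone run: unset vs. loopback-only, with and without IPv6.
for cfg in "" "127.0.0.1:2375"; do
    for v6 in 0 1; do
        printf "BIND_CONFIG='%s' DISABLE_IPV6=%s -> bind %s\n" \
            "$cfg" "$v6" "$(bind_line "$cfg" "$v6")"
    done
done
```

With BIND_CONFIG set, the rendered bind line is the loopback address regardless of DISABLE_IPV6, so only containers sharing the pod's network namespace can reach the proxy.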