Allow query parameter in allow*

[budel]

Is your feature request related to a problem? Please describe.
I tried to setup traefik with the socket-proxy and want to rotate the traefik and access logs. To keep it simple I tried the alpine docker, which should send the USR1 signal to traefik after logrotating. Unfortunately, I cannot get the proxy to allow only the USR1 signal.

Here's the example I tried:

services:
  dockerproxy:
    image: wollomatic/socket-proxy:1
    command:
      - '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)' # this regexp allows readonly access only for requests that traefik needs
      - '-allowHEAD=/_ping'
      - '-shutdowngracetime=5'
      - '-watchdoginterval=600'
      - '-stoponwatchdog'
      - '-loglevel=debug'
      - '-allowfrom=tmp-logrotate'
      # - '-allowPOST=/v1\..{1,2}/(containers/private-traefik/kill\?signal=USR1)'
      - '-allowPOST=/v1\..{1,2}/(containers/private-traefik/kill)'
      - '-listenip=0.0.0.0'
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 0:0
    volumes:
      - /run/user/1000/docker.sock:/var/run/docker.sock:ro
    networks:
      - tmp-proxy

  logrotate:
    image: alpine:latest
    container_name: tmp-logrotate
    command: >
      sh -c "
        apk add --no-cache docker &&
        docker -H tcp://dockerproxy:2375 kill --signal='USR1' private-traefik
      "
    networks:
      - tmp-proxy

networks:
  tmp-proxy:

Allowing "kill" works, but not if I specify the signal query.

For now, I can live with "kill-only" as it will maximally just kill the specified traefik container. But I wonder if I configured something wrong, or if supporting query parameters would be a sensible addition to the project.

Thanks for your work!

[wollomatic]

Hi @budel,
thanks for reporting this. The Regexp looks good and should work as expected. I'll look into it soon.