Skip to content

Feature/99 use allow multiple times #126

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wollomatic merged 17 commits into from
May 3, 2026
Merged

Feature/99 use allow multiple times #126

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
8a32d3b
feat: support use allow* multiple times in env, flag and docker labels
qianlongzt Feb 13, 2026
8b94aa8
doc: remove useless example
qianlongzt Feb 13, 2026
e64698d
doc: remove redundant newline
qianlongzt Feb 13, 2026
0882d69
doc: fix typo on docker labels
qianlongzt Feb 13, 2026
484decb
fix: docker labels allow* method error
qianlongzt Feb 13, 2026
f6fee10
chore: remove redundant test
qianlongzt Feb 13, 2026
4900b7c
chore(config): move getAllowFromEnv out for loop
qianlongzt Feb 28, 2026
a6187d8
test(config): rename test name
qianlongzt Feb 28, 2026
381964f
doc: fix markdown table
qianlongzt Feb 28, 2026
caa268a
test(config): replace reflect.DeepEqual with regexMapsEqual for regex…
qianlongzt Feb 28, 2026
efea0f9
Merge pull request #86 from qianlongzt/main
wollomatic Mar 1, 2026
c62f958
prepare 1.12.0 release
wollomatic Apr 18, 2026
3fa4eae
Merge branch 'main' into feature/99-use-allow-multiple-times
wollomatic Apr 18, 2026
9a2e50e
minor fix in new examples
wollomatic Apr 18, 2026
844457f
refactor `InitConfig` and related methods for improved maintainabilit…
wollomatic Apr 26, 2026
a06be88
fix table
wollomatic May 3, 2026
821fb3c
remove unused code
wollomatic May 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# socket-proxy

## Latest image
- `wollomatic/socket-proxy:1.11.4` / `ghcr.io/wollomatic/socket-proxy:1.11.4`
- `wollomatic/socket-proxy:1.12.0` / `ghcr.io/wollomatic/socket-proxy:1.12.0`
- `wollomatic/socket-proxy:1` / `ghcr.io/wollomatic/socket-proxy:1`

> [!IMPORTANT]
Expand Down Expand Up @@ -93,17 +93,22 @@ Use Go's regexp syntax to create the patterns for these parameters. To avoid ins
Examples (command-line):
+ `'-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'` could be used for allowing access to the docker socket for Traefik v2.
+ `'-allowHEAD=.*'` allows all HEAD requests.
+ `'-allowGET=/version -allowGET=/_ping'` use allow `GET` multiple times

Examples (env variables):
+ `'SP_ALLOW_GET="/v1\..{1,2}/(version|containers/.*|events.*)"'` could be used for allowing access to the docker socket for Traefik v2.
+ `'SP_ALLOW_HEAD=".*"'` allows all HEAD requests.
+ `'SP_ALLOW_GET="/version" SP_ALLOW_GET_2="/_ping"'` use allow `GET` multiple times

For more information, refer to the [Go regexp documentation](https://golang.org/pkg/regexp/syntax/).

An excellent online regexp tester is [regex101.com](https://regex101.com/).

To determine which HTTP requests your client application uses, you could switch socket-proxy to debug log level and look at the log output while allowing all requests in a secure environment.

> [!NOTE]
> Starting with version 1.12.0, the socket-proxy can set multiple -allow* in params, environment, or docker labels.

#### Setting up bind mount restrictions

By default, socket-proxy does not restrict bind mounts. If you want to add an additional layer of security by restricting which directories can be used as bind mount sources, you can use the `-allowbindmountfrom` parameter or the `SP_ALLOWBINDMOUNTFROM` environment variable.
Expand Down Expand Up @@ -135,6 +140,8 @@ services:
- docker-proxynet # this should be only restricted to traefik and socket-proxy
labels:
- 'socket-proxy.allow.get=.*' # allow all GET requests to socket-proxy
- 'socket-proxy.allow.head=/version' # HEAD `/version` requests to socket-proxy
- 'socket-proxy.allow.head.1=/exec' # another HEAD `exec` requests to socket-proxy
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Minor: clarify the second HEAD label example.

The trailing comment "another HEAD exec requests to socket-proxy" is missing a verb and reads awkwardly. Consider tightening to something like "allow HEAD /exec requests to socket-proxy". Also note that the prefix in the second label uses .1; depending on the label parser's prefix matching this may or may not be required to disambiguate from the first one — see the related comment in internal/config/config.go.

📝 Proposed wording 
-      - 'socket-proxy.allow.head=/version' # HEAD `/version` requests to socket-proxy
-      - 'socket-proxy.allow.head.1=/exec' # another HEAD `exec` requests to socket-proxy
+      - 'socket-proxy.allow.head=/version' # allow HEAD `/version` requests to socket-proxy
+      - 'socket-proxy.allow.head.1=/exec'  # also allow HEAD `/exec` requests to socket-proxy
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 144, Update the README example label
'socket-proxy.allow.head.1=/exec' to a clearer phrasing by changing the trailing
comment to "allow HEAD `/exec` requests to socket-proxy" (or similar concise
wording) and add a short parenthetical note calling out the '.1' prefix
ambiguity so readers know it may be required depending on the label parser;
reference the label-parsing logic in internal/config/config.go to verify whether
the '.1' suffix is necessary and adjust the example or wording accordingly.

```

When this is used, it is not necessary to specify the container in `-allowfrom` as the presence of the allowlist labels will grant corresponding access.
Expand Down Expand Up @@ -235,7 +242,7 @@ socket-proxy can be configured via command-line parameters or via environment va
| `-logjson` | `SP_LOGJSON` | (not set/false) | If set, it enables logging in JSON format. If unset, socket-proxy logs in plain text format. |
| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. |
| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. |
| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after SIGTERM or SIGINT (socket-proxy first tries to gracefully shut down the TCP server) | |
| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after SIGTERM or SIGINT (socket-proxy first tries to gracefully shut down the TCP server) |
| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. |
| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. |
| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availability every x seconds (disable checks, if not set or value is 0) |
Expand Down Expand Up @@ -269,6 +276,7 @@ socket-proxy can be configured via command-line parameters or via environment va

1.11 - add per-container allowlists specified by Docker container labels (thanks [@amanda-wee](https://github.com/amanda-wee))

1.12 - support use of allow* multiple times in env, flag and docker labels (thanks [@qianlongzt](https://github.com/qianlongzt))
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Polish the changelog sentence for grammar and consistency.

The line is understandable, but “flag” should be plural and the phrasing can be cleaner.

📝 Suggested wording 
-1.12 - support use of allow* multiple times in env, flag and docker labels (thanks [`@qianlongzt`](https://github.com/qianlongzt))
+1.12 - support using `allow*` multiple times via env vars, flags, and Docker labels (thanks [`@qianlongzt`](https://github.com/qianlongzt))
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
1.12 - support use of allow* multiple times in env, flag and docker labels (thanks [@qianlongzt](https://github.com/qianlongzt))
1.12 - support using `allow*` multiple times via env vars, flags, and Docker labels (thanks [`@qianlongzt`](https://github.com/qianlongzt))
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 279, Update the changelog entry for "1.12" to improve
grammar and consistency: change the sentence mentioning "allow*" to use plural
"flags" and clarify items, e.g., rewrite the line to read something like "1.12 -
Support using allow* multiple times in env vars, flags, and Docker labels" so it
references "1.12" and the "allow*" pattern and uses consistent plural forms for
env vars, flags, and Docker labels.


## License

Expand Down
12 changes: 11 additions & 1 deletion cmd/socket-proxy/handlehttprequest.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"log/slog"
"net"
"net/http"
"regexp"

"github.com/wollomatic/socket-proxy/internal/config"
)
Expand All @@ -24,7 +25,7 @@ func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
communicateBlockedRequest(w, r, "method not allowed", http.StatusMethodNotAllowed)
return
}
if !allowed.MatchString(r.URL.Path) { // path does not match regex -> not allowed
if !matchURL(allowed, r.URL.Path) { // path does not match regex -> not allowed
communicateBlockedRequest(w, r, "path not allowed", http.StatusForbidden)
return
}
Expand All @@ -40,6 +41,15 @@ func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
socketProxy.ServeHTTP(w, r) // #nosec G704 - Request target is always the specified socket
}

func matchURL(allowedURIs []*regexp.Regexp, requestURI string) bool {
for _, allowedURI := range allowedURIs {
if allowedURI.MatchString(requestURI) {
return true
}
}
return false
}

// return the relevant allowlist
func determineAllowList(r *http.Request) (config.AllowList, bool) {
if cfg.ProxySocketEndpoint == "" { // do not perform this check if we proxy to a unix socket
Expand Down
Loading
Loading