From 2f10b68936ef0908122af72621bc7643a33aad45 Mon Sep 17 00:00:00 2001 From: wollomatic Date: Sat, 24 Aug 2024 19:54:54 +0200 Subject: [PATCH 01/11] allow exposing the filtered unix socket as a unix socket (implements #29) --- README.md | 33 ++++++++++++------- cmd/socket-proxy/handlehttprequest.go | 17 +++++----- cmd/socket-proxy/main.go | 28 ++++++++++++---- internal/config/config.go | 47 +++++++++++++++------------ 4 files changed, 79 insertions(+), 46 deletions(-) diff --git a/README.md b/README.md index 5a8fcf5..14ab9ef 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,14 @@ This is meant to be an additional layer of security. It does not replace other s Socket-proxy listens per default only on `127.0.0.1`. Depending on what you need, you may want to set another listener address with the `-listenip` parameter. In almost every use case, `-listenip=0.0.0.0` will be the correct configuration when using socket-proxy in a docker image. +#### Using a unix socket instead of a TCP listener + +If you want to proxy/filter the unix socket to a new unix socket instead to a TCP listener, +you need to set the `-proxysocketendpoint` parameter or the `SP_PROXYSOCKETENDPOIN` env variable to the socket path of the new unix socket. +This will also disable the TCP listener. + +For example `-proxysocketendpoint=/tmp/filtered-socket.sock` + #### Setting up the IP address or hostname allowlist Per default, only `127.0.0.1/32` is allowed to connect to socket-proxy. You may want to set another allowlist with the `-allowfrom` parameter, depending on your needs. @@ -162,18 +170,19 @@ To log the API calls of the client application, set the log level to `DEBUG` and socket-proxy can be configured via command line parameters or via environment variables. If both command line parameter and environment variables are set, the environment variable will be ignored. -| Parameter | Environment Variable | Default Value | Description | -|----------------------|-------------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `-allowfrom` | `SP_ALLOWFROM` | `127.0.0.1/32` | Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. | -| `-allowhealthcheck` | `SP_ALLOWHEALTHCHECK` | (not set) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) | -| `-listenip` | `SP_LISTENIP` | `127.0.0.1` | Specifies the IP address the server will bind on. Default is only the internal network. | -| `-logjson` | `SP_LOGJSON` | (not set) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. | -| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. | -| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. | -| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) | -| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. | -| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. | -| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) | +| Parameter | Environment Variable | Default Value | Description | +|------------------------|--------------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `-allowfrom` | `SP_ALLOWFROM` | `127.0.0.1/32` | Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. | +| `-allowhealthcheck` | `SP_ALLOWHEALTHCHECK` | (not set) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) | +| `-listenip` | `SP_LISTENIP` | `127.0.0.1` | Specifies the IP address the server will bind on. Default is only the internal network. | +| `-logjson` | `SP_LOGJSON` | (not set) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. | +| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. | +| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. | +| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) | +| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. | +| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. | +| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) | +| `-proxysocketendpoint` | `SP_PROXYSOCKETENDPOINT` | (not set) | Proxy to the given unix socket instead of a TCP port | ### Changelog diff --git a/cmd/socket-proxy/handlehttprequest.go b/cmd/socket-proxy/handlehttprequest.go index 1f203cc..ce016bf 100644 --- a/cmd/socket-proxy/handlehttprequest.go +++ b/cmd/socket-proxy/handlehttprequest.go @@ -13,14 +13,15 @@ import ( // In case of an error, it returns a 500 Internal Server Error. func handleHttpRequest(w http.ResponseWriter, r *http.Request) { - // check if the client's IP is allowed to access - allowedIP, err := isAllowedClient(r.RemoteAddr) - if err != nil { - slog.Warn("cannot get valid IP address for client allowlist check", "reason", err, "method", r.Method, "URL", r.URL, "client", r.RemoteAddr) - } - if !allowedIP { - communicateBlockedRequest(w, r, "forbidden IP", http.StatusForbidden) - return + if cfg.ProxySocketEndpoint == "" { // do not perform this check if we proxy to a unix socket + allowedIP, err := isAllowedClient(r.RemoteAddr) + if err != nil { + slog.Warn("cannot get valid IP address for client allowlist check", "reason", err, "method", r.Method, "URL", r.URL, "client", r.RemoteAddr) + } + if !allowedIP { + communicateBlockedRequest(w, r, "forbidden IP", http.StatusForbidden) + return + } } // check if the request is allowed diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index 6428360..06a5bad 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -19,7 +19,7 @@ import ( const ( programUrl = "github.com/wollomatic/socket-proxy" - logAddSource = false // set to true to log the source position (file and line) of the log message + logAddSource = true // set to true to log the source position (file and line) of the log message ) var ( @@ -51,7 +51,12 @@ func main() { // print configuration slog.Info("starting socket-proxy", "version", version, "os", runtime.GOOS, "arch", runtime.GOARCH, "runtime", runtime.Version(), "URL", programUrl) - slog.Info("configuration info", "socketpath", cfg.SocketPath, "listenaddress", cfg.ListenAddress, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime) + if cfg.ProxySocketEndpoint == "" { + slog.Info("configuration info", "socketpath", cfg.SocketPath, "listenaddress", cfg.ListenAddress, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime) + } else { + slog.Info("configuration info", "socketpath", cfg.SocketPath, "proxysocketendpoint", cfg.ProxySocketEndpoint, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime) + slog.Info("proxysocketendpoint is set, so the TCP listener is deactivated") + } if cfg.WatchdogInterval > 0 { slog.Info("watchdog enabled", "interval", cfg.WatchdogInterval, "stoponwatchdog", cfg.StopOnWatchdog) } else { @@ -88,13 +93,24 @@ func main() { }, } - // start the server in a goroutine - srv := &http.Server{ // #nosec G112 -- intentionally do not timeout the client - Addr: cfg.ListenAddress, // #nosec G112 + var l net.Listener + if cfg.ProxySocketEndpoint != "" { + l, err = net.Listen("unix", cfg.ProxySocketEndpoint) + } else { + l, err = net.Listen("tcp", cfg.ListenAddress) + } + if err != nil { + slog.Error("error listening on address", "error", err) + os.Exit(2) + } + + srv := &http.Server{ // #nosec G112 -- intentionally do not time out the client Handler: http.HandlerFunc(handleHttpRequest), // #nosec G112 } // #nosec G112 + + // start the server in a goroutine go func() { - if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) { + if err := srv.Serve(l); err != nil && !errors.Is(err, http.ErrServerClosed) { slog.Error("http server problem", "error", err) os.Exit(2) } diff --git a/internal/config/config.go b/internal/config/config.go index d23dcbd..69c4e61 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -14,29 +14,31 @@ import ( ) var ( - defaultAllowFrom = "127.0.0.1/32" // allowed IPs to connect to the proxy - defaultAllowHealthcheck = false // allow health check requests (HEAD http://localhost:55555/health) - defaultLogJSON = false // if true, log in JSON format - defaultLogLevel = "INFO" // log level as string - defaultListenIP = "127.0.0.1" // ip address to bind the server to - defaultProxyPort = uint(2375) // tcp port to listen on - defaultSocketPath = "/var/run/docker.sock" // path to the unix socket - defaultShutdownGraceTime = uint(10) // Maximum time in seconds to wait for the server to shut down gracefully - defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable) - defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only) + defaultAllowFrom = "127.0.0.1/32" // allowed IPs to connect to the proxy + defaultAllowHealthcheck = false // allow health check requests (HEAD http://localhost:55555/health) + defaultLogJSON = false // if true, log in JSON format + defaultLogLevel = "INFO" // log level as string + defaultListenIP = "127.0.0.1" // ip address to bind the server to + defaultProxyPort = uint(2375) // tcp port to listen on + defaultSocketPath = "/var/run/docker.sock" // path to the unix socket + defaultShutdownGraceTime = uint(10) // Maximum time in seconds to wait for the server to shut down gracefully + defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable) + defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only) + defaultProxySocketEndpoint = "" // empty string means no socket listener, but regular TCP listener ) type Config struct { - AllowedRequests map[string]*regexp.Regexp - AllowFrom string - AllowHealthcheck bool - LogJSON bool - StopOnWatchdog bool - ShutdownGraceTime uint - WatchdogInterval uint - LogLevel slog.Level - ListenAddress string - SocketPath string + AllowedRequests map[string]*regexp.Regexp + AllowFrom string + AllowHealthcheck bool + LogJSON bool + StopOnWatchdog bool + ShutdownGraceTime uint + WatchdogInterval uint + LogLevel slog.Level + ListenAddress string + SocketPath string + ProxySocketEndpoint string } // used for list of allowed requests @@ -112,6 +114,10 @@ func InitConfig() (*Config, error) { defaultWatchdogInterval = uint(parsedVal) } } + if val, ok := os.LookupEnv("SP_PROXYSOCKETENDPOINT"); ok && val != "" { + defaultProxySocketEndpoint = val + } + for i := 0; i < len(mr); i++ { if val, ok := os.LookupEnv("SP_ALLOW_" + mr[i].method); ok && val != "" { mr[i].regexStringFromEnv = val @@ -128,6 +134,7 @@ func InitConfig() (*Config, error) { flag.StringVar(&cfg.SocketPath, "socketpath", defaultSocketPath, "unix socket path to connect to") flag.BoolVar(&cfg.StopOnWatchdog, "stoponwatchdog", defaultStopOnWatchdog, "stop the program when the socket gets unavailable (otherwise log only)") flag.UintVar(&cfg.WatchdogInterval, "watchdoginterval", defaultWatchdogInterval, "watchdog interval in seconds (0 to disable)") + flag.StringVar(&cfg.ProxySocketEndpoint, "proxysocketendpoint", defaultProxySocketEndpoint, "unix socket endpoint (if set, used instead of the TCP listener)") for i := 0; i < len(mr); i++ { flag.StringVar(&mr[i].regexStringFromParam, "allow"+mr[i].method, "", "regex for "+mr[i].method+" requests (not set means method is not allowed)") } From e6779799788e3e9bb4dedec24fc5b4cf0d6cfbcb Mon Sep 17 00:00:00 2001 From: wollomatic Date: Tue, 27 Aug 2024 19:36:07 +0200 Subject: [PATCH 02/11] shut down gracefully when watchdog initiates exit / slightly more logging --- cmd/socket-proxy/checksocketconnection.go | 5 ++-- cmd/socket-proxy/main.go | 28 +++++++++++++++++------ 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/cmd/socket-proxy/checksocketconnection.go b/cmd/socket-proxy/checksocketconnection.go index 5447166..1cc9c1a 100644 --- a/cmd/socket-proxy/checksocketconnection.go +++ b/cmd/socket-proxy/checksocketconnection.go @@ -5,7 +5,6 @@ import ( "log/slog" "net" "net/http" - "os" "time" ) @@ -26,7 +25,7 @@ func checkSocketAvailability(socketPath string) error { } // startSocketWatchdog starts a watchdog that checks the socket availability every n seconds. -func startSocketWatchdog(socketPath string, interval uint, stopOnWatchdog bool) { +func startSocketWatchdog(socketPath string, interval uint, stopOnWatchdog bool, exitChan chan int) { ticker := time.NewTicker(time.Duration(interval) * time.Second) defer ticker.Stop() @@ -35,7 +34,7 @@ func startSocketWatchdog(socketPath string, interval uint, stopOnWatchdog bool) slog.Error("socket is unavailable", "origin", "watchdog", "error", err) if stopOnWatchdog { slog.Warn("stopping socket-proxy because of unavailable socket", "origin", "watchdog") - os.Exit(10) + exitChan <- 10 } } } diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index 06a5bad..d9d2fb9 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -36,6 +36,11 @@ func main() { os.Exit(1) } + // setup channels for graceful shutdown + internalQuit := make(chan int, 1) // send to this channel to invoke graceful shutdown, int is the exit code + externalQuit := make(chan os.Signal, 1) // configure listener for SIGINT and SIGTERM + signal.Notify(externalQuit, syscall.SIGINT, syscall.SIGTERM) + // setup logging logOpts := &slog.HandlerOptions{ AddSource: logAddSource, @@ -116,28 +121,37 @@ func main() { } }() + slog.Info("socket-proxy running and listening...") + // start the watchdog if configured if cfg.WatchdogInterval > 0 { - go startSocketWatchdog(cfg.SocketPath, cfg.WatchdogInterval, cfg.StopOnWatchdog) + go startSocketWatchdog(cfg.SocketPath, cfg.WatchdogInterval, cfg.StopOnWatchdog, internalQuit) + slog.Debug("watchdog running") } // start the health check server if configured if cfg.AllowHealthcheck { go healthCheckServer(cfg.SocketPath) + slog.Debug("healthcheck ready") + } // Wait for stop signal - quit := make(chan os.Signal, 1) - signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM) - <-quit - + exitCode := 0 + select { + case <-externalQuit: + slog.Info("received stop signal - shutting down") + case value := <-internalQuit: + slog.Info("received internal shutdown - shutting down") + exitCode = value + } // Try to shut down gracefully - slog.Info("received stop signal - shutting down") ctx, cancel := context.WithTimeout(context.Background(), time.Duration(cfg.ShutdownGraceTime)*time.Second) defer cancel() if err := srv.Shutdown(ctx); err != nil { slog.Warn("timeout stopping server (maybe client still running?) - forcing shutdown", "error", err) os.Exit(0) // timeout is no error, so we exit with 0 } - slog.Info("graceful shutdown complete - exiting") + slog.Info("graceful shutdown complete - exiting", "exit code", exitCode) + os.Exit(exitCode) } From 7a08a132d25bb7557d2a8271197459a6aec11065 Mon Sep 17 00:00:00 2001 From: wollomatic Date: Tue, 27 Aug 2024 20:06:38 +0200 Subject: [PATCH 03/11] close listener on exit --- cmd/socket-proxy/main.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index d9d2fb9..0d103f3 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -149,9 +149,11 @@ func main() { ctx, cancel := context.WithTimeout(context.Background(), time.Duration(cfg.ShutdownGraceTime)*time.Second) defer cancel() if err := srv.Shutdown(ctx); err != nil { - slog.Warn("timeout stopping server (maybe client still running?) - forcing shutdown", "error", err) - os.Exit(0) // timeout is no error, so we exit with 0 + slog.Warn("timeout stopping server", "error", err) } - slog.Info("graceful shutdown complete - exiting", "exit code", exitCode) + if err := l.Close(); err != nil { + slog.Warn("error closing listener", "error", err) + } + slog.Info("shutdown finished - exiting", "exit code", exitCode) os.Exit(exitCode) } From 2de2de8984eed845ff061fc83f2e55b2156196e5 Mon Sep 17 00:00:00 2001 From: wollomatic Date: Wed, 28 Aug 2024 19:20:23 +0200 Subject: [PATCH 04/11] no need for closing the listener separately --- cmd/socket-proxy/main.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index 0d103f3..93b6a51 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -151,9 +151,6 @@ func main() { if err := srv.Shutdown(ctx); err != nil { slog.Warn("timeout stopping server", "error", err) } - if err := l.Close(); err != nil { - slog.Warn("error closing listener", "error", err) - } slog.Info("shutdown finished - exiting", "exit code", exitCode) os.Exit(exitCode) } From 0cba782cccfa41399082679599de27146701fc44 Mon Sep 17 00:00:00 2001 From: wollomatic Date: Sat, 31 Aug 2024 14:36:52 +0200 Subject: [PATCH 05/11] improve socket handling --- cmd/socket-proxy/main.go | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index 93b6a51..fc647d5 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -100,13 +100,28 @@ func main() { var l net.Listener if cfg.ProxySocketEndpoint != "" { + if _, err := os.Stat(cfg.ProxySocketEndpoint); err == nil { + slog.Warn(fmt.Sprintf("%s already exists, removing existing file", cfg.ProxySocketEndpoint)) + if err = os.Remove(cfg.ProxySocketEndpoint); err != nil { + slog.Error("error removing existing socket file", "error", err) + os.Exit(2) + } + } l, err = net.Listen("unix", cfg.ProxySocketEndpoint) + if err != nil { + slog.Error("error creating socket", "error", err) + os.Exit(2) + } + if err = os.Chmod(cfg.ProxySocketEndpoint, 0660); err != nil { + slog.Error("error setting socket file permissions", "error", err) + os.Exit(2) + } } else { l, err = net.Listen("tcp", cfg.ListenAddress) - } - if err != nil { - slog.Error("error listening on address", "error", err) - os.Exit(2) + if err != nil { + slog.Error("error listening on address", "error", err) + os.Exit(2) + } } srv := &http.Server{ // #nosec G112 -- intentionally do not time out the client From 898e0307a5bf368c256d3249b5a95dddef19bbd8 Mon Sep 17 00:00:00 2001 From: wollomatic Date: Sat, 31 Aug 2024 14:53:27 +0200 Subject: [PATCH 06/11] follow security-by-default principle, so group access to the filtered unix socket has to be allowed explicitly --- README.md | 27 ++++++++++---------- cmd/socket-proxy/main.go | 6 ++++- internal/config/config.go | 52 ++++++++++++++++++++++----------------- 3 files changed, 49 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index 14ab9ef..2f8e86b 100644 --- a/README.md +++ b/README.md @@ -170,19 +170,20 @@ To log the API calls of the client application, set the log level to `DEBUG` and socket-proxy can be configured via command line parameters or via environment variables. If both command line parameter and environment variables are set, the environment variable will be ignored. -| Parameter | Environment Variable | Default Value | Description | -|------------------------|--------------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `-allowfrom` | `SP_ALLOWFROM` | `127.0.0.1/32` | Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. | -| `-allowhealthcheck` | `SP_ALLOWHEALTHCHECK` | (not set) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) | -| `-listenip` | `SP_LISTENIP` | `127.0.0.1` | Specifies the IP address the server will bind on. Default is only the internal network. | -| `-logjson` | `SP_LOGJSON` | (not set) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. | -| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. | -| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. | -| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) | -| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. | -| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. | -| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) | -| `-proxysocketendpoint` | `SP_PROXYSOCKETENDPOINT` | (not set) | Proxy to the given unix socket instead of a TCP port | +| Parameter | Environment Variable | Default Value | Description | +|----------------------------------|------------------------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `-allowfrom` | `SP_ALLOWFROM` | `127.0.0.1/32` | Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. | +| `-allowhealthcheck` | `SP_ALLOWHEALTHCHECK` | (not set/false) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) | +| `-listenip` | `SP_LISTENIP` | `127.0.0.1` | Specifies the IP address the server will bind on. Default is only the internal network. | +| `-logjson` | `SP_LOGJSON` | (not set/false) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. | +| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. | +| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. | +| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) | +| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. | +| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. | +| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) | +| `-proxysocketendpoint` | `SP_PROXYSOCKETENDPOINT` | (not set) | Proxy to the given unix socket instead of a TCP port | +| `-proxysocketendpointallowgroup` | `SP_PROXYSOCKETENDPOINTALLOWGROUP` | (not set/false) | If set, also group access to the proxied unix socket is allowed (only useful with `-proxysocketendpoint`) | ### Changelog diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index fc647d5..5dc743c 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -112,7 +112,11 @@ func main() { slog.Error("error creating socket", "error", err) os.Exit(2) } - if err = os.Chmod(cfg.ProxySocketEndpoint, 0660); err != nil { + var mode os.FileMode = 0600 + if cfg.ProxySocketEndpointAllowGroup { + mode = 0660 + } + if err = os.Chmod(cfg.ProxySocketEndpoint, mode); err != nil { slog.Error("error setting socket file permissions", "error", err) os.Exit(2) } diff --git a/internal/config/config.go b/internal/config/config.go index 69c4e61..5440eec 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -14,31 +14,33 @@ import ( ) var ( - defaultAllowFrom = "127.0.0.1/32" // allowed IPs to connect to the proxy - defaultAllowHealthcheck = false // allow health check requests (HEAD http://localhost:55555/health) - defaultLogJSON = false // if true, log in JSON format - defaultLogLevel = "INFO" // log level as string - defaultListenIP = "127.0.0.1" // ip address to bind the server to - defaultProxyPort = uint(2375) // tcp port to listen on - defaultSocketPath = "/var/run/docker.sock" // path to the unix socket - defaultShutdownGraceTime = uint(10) // Maximum time in seconds to wait for the server to shut down gracefully - defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable) - defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only) - defaultProxySocketEndpoint = "" // empty string means no socket listener, but regular TCP listener + defaultAllowFrom = "127.0.0.1/32" // allowed IPs to connect to the proxy + defaultAllowHealthcheck = false // allow health check requests (HEAD http://localhost:55555/health) + defaultLogJSON = false // if true, log in JSON format + defaultLogLevel = "INFO" // log level as string + defaultListenIP = "127.0.0.1" // ip address to bind the server to + defaultProxyPort = uint(2375) // tcp port to listen on + defaultSocketPath = "/var/run/docker.sock" // path to the unix socket + defaultShutdownGraceTime = uint(10) // Maximum time in seconds to wait for the server to shut down gracefully + defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable) + defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only) + defaultProxySocketEndpoint = "" // empty string means no socket listener, but regular TCP listener + defaultProxySocketEndpointAllowGroup = false // if true, set socket file mode to 660 instead if 600 ) type Config struct { - AllowedRequests map[string]*regexp.Regexp - AllowFrom string - AllowHealthcheck bool - LogJSON bool - StopOnWatchdog bool - ShutdownGraceTime uint - WatchdogInterval uint - LogLevel slog.Level - ListenAddress string - SocketPath string - ProxySocketEndpoint string + AllowedRequests map[string]*regexp.Regexp + AllowFrom string + AllowHealthcheck bool + LogJSON bool + StopOnWatchdog bool + ShutdownGraceTime uint + WatchdogInterval uint + LogLevel slog.Level + ListenAddress string + SocketPath string + ProxySocketEndpoint string + ProxySocketEndpointAllowGroup bool } // used for list of allowed requests @@ -117,6 +119,11 @@ func InitConfig() (*Config, error) { if val, ok := os.LookupEnv("SP_PROXYSOCKETENDPOINT"); ok && val != "" { defaultProxySocketEndpoint = val } + if val, ok := os.LookupEnv("SP_PROXYSOCKETENDPOINTALLOWGROUP"); ok { + if parsedVal, err := strconv.ParseBool(val); err == nil { + defaultProxySocketEndpointAllowGroup = parsedVal + } + } for i := 0; i < len(mr); i++ { if val, ok := os.LookupEnv("SP_ALLOW_" + mr[i].method); ok && val != "" { @@ -135,6 +142,7 @@ func InitConfig() (*Config, error) { flag.BoolVar(&cfg.StopOnWatchdog, "stoponwatchdog", defaultStopOnWatchdog, "stop the program when the socket gets unavailable (otherwise log only)") flag.UintVar(&cfg.WatchdogInterval, "watchdoginterval", defaultWatchdogInterval, "watchdog interval in seconds (0 to disable)") flag.StringVar(&cfg.ProxySocketEndpoint, "proxysocketendpoint", defaultProxySocketEndpoint, "unix socket endpoint (if set, used instead of the TCP listener)") + flag.BoolVar(&cfg.ProxySocketEndpointAllowGroup, "proxysocketendpointallowgroup", defaultProxySocketEndpointAllowGroup, "allow group access to the filtered unix socket endpoint") for i := 0; i < len(mr); i++ { flag.StringVar(&mr[i].regexStringFromParam, "allow"+mr[i].method, "", "regex for "+mr[i].method+" requests (not set means method is not allowed)") } From 78b23d98922f88f7ff338a01664c9ba068ea32e6 Mon Sep 17 00:00:00 2001 From: wollomatic Date: Sat, 31 Aug 2024 15:01:23 +0200 Subject: [PATCH 07/11] log warning if group access to the unix socket endpoint is allowed --- cmd/socket-proxy/main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index 5dc743c..da07422 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -61,6 +61,9 @@ func main() { } else { slog.Info("configuration info", "socketpath", cfg.SocketPath, "proxysocketendpoint", cfg.ProxySocketEndpoint, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime) slog.Info("proxysocketendpoint is set, so the TCP listener is deactivated") + if cfg.ProxySocketEndpointAllowGroup { + slog.Warn("Group access is enabled for the proxy socket endpoint") + } } if cfg.WatchdogInterval > 0 { slog.Info("watchdog enabled", "interval", cfg.WatchdogInterval, "stoponwatchdog", cfg.StopOnWatchdog) From dc2d8c54b49c89cac9eaca3b2dbfe65f18ace49e Mon Sep 17 00:00:00 2001 From: wollomatic Date: Sat, 31 Aug 2024 15:24:26 +0200 Subject: [PATCH 08/11] let user set the unix socket file mode --- README.md | 28 ++++++++--------- cmd/socket-proxy/main.go | 11 ++----- internal/config/config.go | 65 ++++++++++++++++++++------------------- 3 files changed, 50 insertions(+), 54 deletions(-) diff --git a/README.md b/README.md index 2f8e86b..1af788c 100644 --- a/README.md +++ b/README.md @@ -170,20 +170,20 @@ To log the API calls of the client application, set the log level to `DEBUG` and socket-proxy can be configured via command line parameters or via environment variables. If both command line parameter and environment variables are set, the environment variable will be ignored. -| Parameter | Environment Variable | Default Value | Description | -|----------------------------------|------------------------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `-allowfrom` | `SP_ALLOWFROM` | `127.0.0.1/32` | Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. | -| `-allowhealthcheck` | `SP_ALLOWHEALTHCHECK` | (not set/false) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) | -| `-listenip` | `SP_LISTENIP` | `127.0.0.1` | Specifies the IP address the server will bind on. Default is only the internal network. | -| `-logjson` | `SP_LOGJSON` | (not set/false) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. | -| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. | -| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. | -| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) | -| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. | -| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. | -| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) | -| `-proxysocketendpoint` | `SP_PROXYSOCKETENDPOINT` | (not set) | Proxy to the given unix socket instead of a TCP port | -| `-proxysocketendpointallowgroup` | `SP_PROXYSOCKETENDPOINTALLOWGROUP` | (not set/false) | If set, also group access to the proxied unix socket is allowed (only useful with `-proxysocketendpoint`) | +| Parameter | Environment Variable | Default Value | Description | +|--------------------------------|----------------------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `-allowfrom` | `SP_ALLOWFROM` | `127.0.0.1/32` | Specifies the IP addresses of the clients or the hostname of one specific client allowed to connect to the proxy. The default value is `127.0.0.1/32`, which means only localhost is allowed. This default configuration may not be useful in most cases, but it is because of a secure-by-default design. To allow all IPv4 addresses, set `-allowfrom=0.0.0.0/0`. Alternatively, hostnames (comma-separated) can be set, for example `-allowfrom=traefik`, or `-allowfrom=traefik,dozzle`. Please remember that socket-proxy should never be exposed to a public network, regardless of this extra security layer. | +| `-allowhealthcheck` | `SP_ALLOWHEALTHCHECK` | (not set/false) | If set, it allows the included health check binary to check the socket connection via TCP port 55555 (socket-proxy then listens on `127.0.0.1:55555/health`) | +| `-listenip` | `SP_LISTENIP` | `127.0.0.1` | Specifies the IP address the server will bind on. Default is only the internal network. | +| `-logjson` | `SP_LOGJSON` | (not set/false) | If set, it enables logging in JSON format. If unset, docker-proxy logs in plain text format. | +| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. | +| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. | +| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) | +| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. | +| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. | +| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) | +| `-proxysocketendpoint` | `SP_PROXYSOCKETENDPOINT` | (not set) | Proxy to the given unix socket instead of a TCP port | +| `-proxysocketendpointfilemode` | `SP_PROXYSOCKETENDPOINTFILEMODE` | `0400` | Explicitly set the file mode for the filtered unix socket endpoint (only useful with `-proxysocketendpoint`) | ### Changelog diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index da07422..1406114 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -59,11 +59,8 @@ func main() { if cfg.ProxySocketEndpoint == "" { slog.Info("configuration info", "socketpath", cfg.SocketPath, "listenaddress", cfg.ListenAddress, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime) } else { - slog.Info("configuration info", "socketpath", cfg.SocketPath, "proxysocketendpoint", cfg.ProxySocketEndpoint, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime) + slog.Info("configuration info", "socketpath", cfg.SocketPath, "proxysocketendpoint", cfg.ProxySocketEndpoint, "proxysocketendpointfilemode", cfg.ProxySocketEndpointFileMode, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime) slog.Info("proxysocketendpoint is set, so the TCP listener is deactivated") - if cfg.ProxySocketEndpointAllowGroup { - slog.Warn("Group access is enabled for the proxy socket endpoint") - } } if cfg.WatchdogInterval > 0 { slog.Info("watchdog enabled", "interval", cfg.WatchdogInterval, "stoponwatchdog", cfg.StopOnWatchdog) @@ -115,11 +112,7 @@ func main() { slog.Error("error creating socket", "error", err) os.Exit(2) } - var mode os.FileMode = 0600 - if cfg.ProxySocketEndpointAllowGroup { - mode = 0660 - } - if err = os.Chmod(cfg.ProxySocketEndpoint, mode); err != nil { + if err = os.Chmod(cfg.ProxySocketEndpoint, cfg.ProxySocketEndpointFileMode); err != nil { slog.Error("error setting socket file permissions", "error", err) os.Exit(2) } diff --git a/internal/config/config.go b/internal/config/config.go index 5440eec..2530352 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -14,33 +14,33 @@ import ( ) var ( - defaultAllowFrom = "127.0.0.1/32" // allowed IPs to connect to the proxy - defaultAllowHealthcheck = false // allow health check requests (HEAD http://localhost:55555/health) - defaultLogJSON = false // if true, log in JSON format - defaultLogLevel = "INFO" // log level as string - defaultListenIP = "127.0.0.1" // ip address to bind the server to - defaultProxyPort = uint(2375) // tcp port to listen on - defaultSocketPath = "/var/run/docker.sock" // path to the unix socket - defaultShutdownGraceTime = uint(10) // Maximum time in seconds to wait for the server to shut down gracefully - defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable) - defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only) - defaultProxySocketEndpoint = "" // empty string means no socket listener, but regular TCP listener - defaultProxySocketEndpointAllowGroup = false // if true, set socket file mode to 660 instead if 600 + defaultAllowFrom = "127.0.0.1/32" // allowed IPs to connect to the proxy + defaultAllowHealthcheck = false // allow health check requests (HEAD http://localhost:55555/health) + defaultLogJSON = false // if true, log in JSON format + defaultLogLevel = "INFO" // log level as string + defaultListenIP = "127.0.0.1" // ip address to bind the server to + defaultProxyPort = uint(2375) // tcp port to listen on + defaultSocketPath = "/var/run/docker.sock" // path to the unix socket + defaultShutdownGraceTime = uint(10) // Maximum time in seconds to wait for the server to shut down gracefully + defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable) + defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only) + defaultProxySocketEndpoint = "" // empty string means no socket listener, but regular TCP listener + defaultProxySocketEndpointFileMode = 0400 // set the file mode of the unix socket endpoint ) type Config struct { - AllowedRequests map[string]*regexp.Regexp - AllowFrom string - AllowHealthcheck bool - LogJSON bool - StopOnWatchdog bool - ShutdownGraceTime uint - WatchdogInterval uint - LogLevel slog.Level - ListenAddress string - SocketPath string - ProxySocketEndpoint string - ProxySocketEndpointAllowGroup bool + AllowedRequests map[string]*regexp.Regexp + AllowFrom string + AllowHealthcheck bool + LogJSON bool + StopOnWatchdog bool + ShutdownGraceTime uint + WatchdogInterval uint + LogLevel slog.Level + ListenAddress string + SocketPath string + ProxySocketEndpoint string + ProxySocketEndpointFileMode os.FileMode } // used for list of allowed requests @@ -68,10 +68,11 @@ var mr = []methodRegex{ func InitConfig() (*Config, error) { var ( - cfg Config - listenIP string - proxyPort uint - logLevel string + cfg Config + listenIP string + proxyPort uint + logLevel string + endpointFileMode int ) if val, ok := os.LookupEnv("SP_ALLOWFROM"); ok && val != "" { @@ -120,8 +121,8 @@ func InitConfig() (*Config, error) { defaultProxySocketEndpoint = val } if val, ok := os.LookupEnv("SP_PROXYSOCKETENDPOINTALLOWGROUP"); ok { - if parsedVal, err := strconv.ParseBool(val); err == nil { - defaultProxySocketEndpointAllowGroup = parsedVal + if parsedVal, err := strconv.ParseInt(val, 10, 32); err == nil { + defaultProxySocketEndpointFileMode = int(parsedVal) } } @@ -142,7 +143,7 @@ func InitConfig() (*Config, error) { flag.BoolVar(&cfg.StopOnWatchdog, "stoponwatchdog", defaultStopOnWatchdog, "stop the program when the socket gets unavailable (otherwise log only)") flag.UintVar(&cfg.WatchdogInterval, "watchdoginterval", defaultWatchdogInterval, "watchdog interval in seconds (0 to disable)") flag.StringVar(&cfg.ProxySocketEndpoint, "proxysocketendpoint", defaultProxySocketEndpoint, "unix socket endpoint (if set, used instead of the TCP listener)") - flag.BoolVar(&cfg.ProxySocketEndpointAllowGroup, "proxysocketendpointallowgroup", defaultProxySocketEndpointAllowGroup, "allow group access to the filtered unix socket endpoint") + flag.IntVar(&endpointFileMode, "proxysocketendpointfilemode", defaultProxySocketEndpointFileMode, "set the file mode of the unix socket endpoint") for i := 0; i < len(mr); i++ { flag.StringVar(&mr[i].regexStringFromParam, "allow"+mr[i].method, "", "regex for "+mr[i].method+" requests (not set means method is not allowed)") } @@ -171,6 +172,8 @@ func InitConfig() (*Config, error) { return nil, errors.New("invalid log level " + logLevel + ": Supported levels are DEBUG, INFO, WARN, ERROR") } + cfg.ProxySocketEndpointFileMode = os.FileMode(endpointFileMode) + // compile regexes for allowed requests cfg.AllowedRequests = make(map[string]*regexp.Regexp) for _, rx := range mr { From 058e7df0703ac897e0c4bdf26f6338790bf2ac87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wolfgang=20Ells=C3=A4sser?= Date: Sat, 14 Sep 2024 12:54:11 +0200 Subject: [PATCH 09/11] omit logging of source code position MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Wolfgang Ellsässer --- cmd/socket-proxy/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go index 1406114..8853d0a 100644 --- a/cmd/socket-proxy/main.go +++ b/cmd/socket-proxy/main.go @@ -19,7 +19,7 @@ import ( const ( programUrl = "github.com/wollomatic/socket-proxy" - logAddSource = true // set to true to log the source position (file and line) of the log message + logAddSource = false // set to true to log the source position (file and line) of the log message ) var ( From 3cb8dfea9fb411fe2decb58cfb7a748d037cb1f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wolfgang=20Ells=C3=A4sser?= Date: Sat, 14 Sep 2024 13:35:09 +0200 Subject: [PATCH 10/11] Go 1.22.7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Wolfgang Ellsässer --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8f7b16e..0a2b175 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM --platform=$BUILDPLATFORM golang:1.22.6-alpine3.20 AS build +FROM --platform=$BUILDPLATFORM golang:1.22.7-alpine3.20 AS build WORKDIR /application COPY . ./ ARG TARGETOS @@ -17,4 +17,4 @@ USER 65534:65534 VOLUME /var/run/docker.sock EXPOSE 2375 ENTRYPOINT ["/socket-proxy"] -COPY --from=build ./healthcheck ./socket-proxy / \ No newline at end of file +COPY --from=build ./healthcheck ./socket-proxy / From 8520e7814f1b57f6cf970b6823b276ba73fb4bc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wolfgang=20Ells=C3=A4sser?= Date: Sat, 14 Sep 2024 13:41:13 +0200 Subject: [PATCH 11/11] add info about unix socket forwarding MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Wolfgang Ellsässer --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 1af788c..1e0d4d7 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,9 @@ Socket-proxy listens per default only on `127.0.0.1`. Depending on what you need #### Using a unix socket instead of a TCP listener +> [!CAUTION] +> This is a new feature introduced in version 1.5.0. If you experience any issues, please feel free to open an GitHub issue. + If you want to proxy/filter the unix socket to a new unix socket instead to a TCP listener, you need to set the `-proxysocketendpoint` parameter or the `SP_PROXYSOCKETENDPOIN` env variable to the socket path of the new unix socket. This will also disable the TCP listener.