Merged
25 commits
8a32d3b
feat: support use allow* multiple times in env, flag and docker labels
qianlongzt Feb 13, 2026
8b94aa8
doc: remove useless example
qianlongzt Feb 13, 2026
e64698d
doc: remove redundant newline
qianlongzt Feb 13, 2026
0882d69
doc: fix typo on docker labels
qianlongzt Feb 13, 2026
484decb
fix: docker labels allow* method error
qianlongzt Feb 13, 2026
f6fee10
chore: remove redundant test
qianlongzt Feb 13, 2026
4900b7c
chore(config): move getAllowFromEnv out for loop
qianlongzt Feb 28, 2026
a6187d8
test(config): rename test name
qianlongzt Feb 28, 2026
381964f
doc: fix markdown table
qianlongzt Feb 28, 2026
caa268a
test(config): replace reflect.DeepEqual with regexMapsEqual for regex…
qianlongzt Feb 28, 2026
efea0f9
Merge pull request #86 from qianlongzt/main
wollomatic Mar 1, 2026
c62f958
prepare 1.12.0 release
wollomatic Apr 18, 2026
3fa4eae
Merge branch 'main' into feature/99-use-allow-multiple-times
wollomatic Apr 18, 2026
9a2e50e
minor fix in new examples
wollomatic Apr 18, 2026
b9e9509
Bump golang from `c2a1f7b` to `f853308`
dependabot[bot] Apr 20, 2026
844457f
refactor `InitConfig` and related methods for improved maintainabilit…
wollomatic Apr 26, 2026
729050d
Bump step-security/harden-runner from 2.17.0 to 2.19.0
dependabot[bot] Apr 27, 2026
a06be88
fix table
wollomatic May 3, 2026
821fb3c
remove unused code
wollomatic May 3, 2026
468b64e
Merge pull request #127 from wollomatic/dependabot/docker/golang-f853308
wollomatic May 3, 2026
0605f48
Merge pull request #129 from wollomatic/dependabot/github_actions/ste…
wollomatic May 3, 2026
cc17d0e
Merge pull request #126 from wollomatic/feature/99-use-allow-multiple…
wollomatic May 3, 2026
8d4a8c5
clarify support for multiple `-allow*` entries in README examples and…
wollomatic May 3, 2026
62b8ae8
fix issues found by Coderabbit in PR #130
wollomatic May 3, 2026
18d9df7
Merge pull request #131 from wollomatic/minor_fixes_1_12_0
wollomatic May 3, 2026
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit

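Review bot: the bump keeps the full-SHA pin with a `# v2.19.0` comment, which is the right pattern, but nothing checks that comment, so before merging a bot-generated action bump confirm that `8d3c67de8e2fe68ef647c8db1e6a09f647780f40` is the commit the v2.19.0 tag resolves to. The job still runs with `egress-policy: audit`, so harden-runner only reports outbound calls here; if the dependency-review job's destinations are stable, switching to `block` with an explicit allowlist is the natural next step.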
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1
FROM --platform=$BUILDPLATFORM golang:1.26.2-alpine3.23@sha256:c2a1f7b2095d046ae14b286b18413a05bb82c9bca9b25fe7ff5efef0f0826166 AS build
FROM --platform=$BUILDPLATFORM golang:1.26.2-alpine3.23@sha256:f85330846cde1e57ca9ec309382da3b8e6ae3ab943d2739500e08c86393a21b1 AS build
WORKDIR /application
COPY . ./
ARG TARGETOS
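Review bot: the tag `golang:1.26.2-alpine3.23` is unchanged and only the digest moves, so the hunk gives no indication of what changed in the base image; the commit message should reference the upstream rebuild so the change can be audited rather than merged on trust. Because the line is `FROM --platform=$BUILDPLATFORM ...`, the pinned value must be the multi-arch manifest-list digest, not a single-platform image digest, or builds on other build platforms will fail to resolve it; worth confirming `f85330846cde...` is the index digest.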
12 changes: 10 additions & 2 deletions README.md
@@ -1,7 +1,7 @@
# socket-proxy

## Latest image
- `wollomatic/socket-proxy:1.11.4` / `ghcr.io/wollomatic/socket-proxy:1.11.4`
- `wollomatic/socket-proxy:1.12.0` / `ghcr.io/wollomatic/socket-proxy:1.12.0`
- `wollomatic/socket-proxy:1` / `ghcr.io/wollomatic/socket-proxy:1`

> [!IMPORTANT]
Expand Down Expand Up @@ -93,17 +93,22 @@ Use Go's regexp syntax to create the patterns for these parameters. To avoid ins
Examples (command-line):
+ `'-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'` could be used for allowing access to the docker socket for Traefik v2.
+ `'-allowHEAD=.*'` allows all HEAD requests.
+ `'-allowGET=/version -allowGET=/_ping'` supports using `-allowGET` multiple times

Examples (env variables):
+ `'SP_ALLOW_GET="/v1\..{1,2}/(version|containers/.*|events.*)"'` could be used for allowing access to the docker socket for Traefik v2.
+ `'SP_ALLOW_HEAD=".*"'` allows all HEAD requests.
+ `'SP_ALLOW_GET="/version" SP_ALLOW_GET_2="/_ping"'` supports multiple `SP_ALLOW_GET` entries

For more information, refer to the [Go regexp documentation](https://golang.org/pkg/regexp/syntax/).

An excellent online regexp tester is [regex101.com](https://regex101.com/).

To determine which HTTP requests your client application uses, you could switch socket-proxy to debug log level and look at the log output while allowing all requests in a secure environment.

> [!NOTE]
> Starting with version 1.12.0, the socket-proxy supports using multiple -allow* entries in params, environment, or docker labels.

#### Setting up bind mount restrictions

By default, socket-proxy does not restrict bind mounts. If you want to add an additional layer of security by restricting which directories can be used as bind mount sources, you can use the `-allowbindmountfrom` parameter or the `SP_ALLOWBINDMOUNTFROM` environment variable.
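Review bot: the new command-line example `'-allowGET=/version -allowGET=/_ping'` wraps two separate flags in one pair of single quotes; copied into a shell that becomes a single argument, and the second flag silently ends up as part of the first regex. Show them as two quoted arguments, e.g. `'-allowGET=/version' '-allowGET=/_ping'`. Since a request is allowed as soon as any one entry matches (see `matchURL` in the Go hunk below), it is also worth saying next to these examples that every entry needs to be anchored on its own, not just the first. The `> [!NOTE]` block restates what the two new example bullets already say; one of the two is enough.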
Expand Down Expand Up @@ -135,6 +140,8 @@ services:
- docker-proxynet # this should be only restricted to traefik and socket-proxy
labels:
- 'socket-proxy.allow.get=.*' # allow all GET requests to socket-proxy
- 'socket-proxy.allow.head=/version' # HEAD `/version` requests to socket-proxy
- 'socket-proxy.allow.head.1=/exec' # another HEAD `exec` requests to socket-proxy
```

When this is used, it is not necessary to specify the container in `-allowfrom` as the presence of the allowlist labels will grant corresponding access.
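Review bot: the label example numbers the second entry `socket-proxy.allow.head.1`, while the environment example in the previous hunk uses `SP_ALLOW_GET_2`, so a reader cannot tell whether numbering starts at 1 or 2, whether indices must be contiguous, or whether `.1`/`_1` is an alias of the unsuffixed key; document the accepted suffix range for both forms in one place. The trailing comment on the `.1` line (`# another HEAD `exec` requests`) should read e.g. `# additionally allow HEAD /exec requests`, and `/exec` is unanchored, so as written it matches any path containing `/exec`, not only `/exec` itself.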
Expand Down Expand Up @@ -235,7 +242,7 @@ socket-proxy can be configured via command-line parameters or via environment va
| `-logjson` | `SP_LOGJSON` | (not set/false) | If set, it enables logging in JSON format. If unset, socket-proxy logs in plain text format. |
| `-loglevel` | `SP_LOGLEVEL` | `INFO` | Sets the log level. Accepted values are: `DEBUG`, `INFO`, `WARN`, `ERROR`. |
| `-proxyport` | `SP_PROXYPORT` | `2375` | Defines the TCP port the proxy listens to. |
| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after SIGTERM or SIGINT (socket-proxy first tries to gracefully shut down the TCP server) | |
| `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after SIGTERM or SIGINT (socket-proxy first tries to gracefully shut down the TCP server) |
| `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. |
| `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. |
| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availability every x seconds (disable checks, if not set or value is 0) |
Expand Down Expand Up @@ -269,6 +276,7 @@ socket-proxy can be configured via command-line parameters or via environment va

1.11 - add per-container allowlists specified by Docker container labels (thanks [@amanda-wee](https://github.com/amanda-wee))

1.12 - support use of allow* multiple times in env, flag and docker labels (thanks [@qianlongzt](https://github.com/qianlongzt))

## License

12 changes: 11 additions & 1 deletion cmd/socket-proxy/handlehttprequest.go
Expand Up @@ -5,6 +5,7 @@ import (
"log/slog"
"net"
"net/http"
"regexp"

"github.com/wollomatic/socket-proxy/internal/config"
)
Expand All @@ -24,7 +25,7 @@ func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
communicateBlockedRequest(w, r, "method not allowed", http.StatusMethodNotAllowed)
return
}
if !allowed.MatchString(r.URL.Path) { // path does not match regex -> not allowed
if !matchURL(allowed, r.URL.Path) { // path does not match regex -> not allowed
communicateBlockedRequest(w, r, "path not allowed", http.StatusForbidden)
return
}
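Review bot: the inline comment `// path does not match regex -> not allowed` is now out of date, since `allowed` is a list and the request is permitted if any entry matches; `// path matches none of the allowed regexes -> not allowed` says what the code does. A test that an empty allow list for a method yields 403 here would also pin the behaviour, as `matchURL` returns false for an empty slice.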
Expand All @@ -40,6 +41,15 @@ func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
socketProxy.ServeHTTP(w, r) // #nosec G704 - Request target is always the specified socket
}

func matchURL(allowedURIs []*regexp.Regexp, requestURI string) bool {
for _, allowedURI := range allowedURIs {
if allowedURI.MatchString(requestURI) {
return true
}
}
return false
}

// return the relevant allowlist
func determineAllowList(r *http.Request) (config.AllowList, bool) {
if cfg.ProxySocketEndpoint == "" { // do not perform this check if we proxy to a unix socket
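Review bot: `matchURL` receives `r.URL.Path` from its call site but names its parameter `requestURI`, which in net/http terms means path plus query string; renaming the parameter to `path` (and the function to `matchPath`) avoids implying the query is inspected. The function also lacks a doc comment, unlike `determineAllowList` directly below; state that the first matching entry allows the request, that `MatchString` is unanchored, and that anchoring is the configured pattern's responsibility.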