search

wollomatic / socket-proxy

A secure-by-design and flexible unix socket proxy. No external dependencies. Needs no shell or interpreter in a container. Written in Go (memory safe). Can replace tecnativa/docker-socket-proxy or linuxserver/docker-socket-proxy. Most flexible configuration with regular expressions
https://hub.docker.com/r/wollomatic/socket-proxy
MIT License
82 stars 4 forks source link

Support for TLS #14

Open amir20 opened 7 months ago

amir20 commented 7 months ago

Hello there,

I am the creator of Dozzle. For a long time, I have been wanting to implement something like socket proxy in Go. I found your project through referral links. Many people use Tecnativa/docker-socket-proxy for simple non-secured connection.

However, I think a lot of people prefer a secured connection. I wonder if it would be best for this project to support both. Here is what I am thinking:

  1. socket-proxy could have a --tls option
  2. It would automatically generate certificates and write them to disk
  3. Anybody could pick those certificates (like Dozzle) and pin 'em to their client
  4. socket-proxy would only allow connections that have valid certificates

Currently, to setup TLS over HTTP with Docker is just a pain. This solution could make it a lot simpler to setup docker for TLS with minimum effort. Even better, it would auto generated certs to be used.

What do you think?

wollomatic commented 7 months ago

Hello @amir20,

I am honoured to receive a message from You because I'm a big fan of Dozzle and find it very useful.

Yes, TLS would be a good idea. I had already considered implementing some TLS communication but postponed it to keep it simple.

I like the suggestion, and I think I will implement it.

Thanks again, and have a great weekend, Wolfgang

amir20 commented 7 months ago

Awesome! Here is a related issue https://github.com/amir20/dozzle/issues/2536

I think ideally, it should just work by producing a similar directory to Docker with all the certs in one place.

I did create some code in Golang to generate certs: 

package main

import (
    "crypto/ecdsa"
    "crypto/elliptic"
    "crypto/rand"
    "crypto/x509"
    "crypto/x509/pkix"
    "log"
    "math/big"
    "time"
)

func tls() {
    privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    if err != nil {
        log.Fatalf("Failed to generate private key: %v", err)
    }
    serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
    serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
    if err != nil {
        log.Fatalf("Failed to generate serial number: %v", err)
    }

    template := x509.Certificate{
        SerialNumber: serialNumber,
        Subject: pkix.Name{
            Organization: []string{"My Corp"},
        },
        DNSNames:  []string{"localhost"},
        NotBefore: time.Now(),
        NotAfter:  time.Now().Add(3 * time.Hour),

        KeyUsage:              x509.KeyUsageDigitalSignature,
        ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
        BasicConstraintsValid: true,
    }

}

You can use it if you want.

When you are ready, we can also update https://dozzle.dev/guide/remote-hosts to add a section about TLS.

amir20 commented 5 months ago

So recently I have been thinking about supporting Docker Swarm and improving remote connection. I am working on agent mode with Dozzle which is described at https://github.com/amir20/dozzle/issues/3052.

If implemented correctly, it would no longer require any kind of socket proxy.

Let me know your thoughts...