From f71b5aa5d6d3e27b77fab4cbb405d585c635d4ee Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Thu, 1 Apr 2021 19:20:06 +0200
Subject: [PATCH] Secure Treafik by using socket proxy for docker socket
---
 proxy/docker-compose.yaml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
index d0bfec2..2ccacce 100644
--- a/proxy/docker-compose.yaml
+++ b/proxy/docker-compose.yaml
@@ -16,8 +16,9 @@ services:
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
 - "--providers.docker.network=web"
+ - "--providers.docker.endpoint=tcp://docker-socket-proxy:2375"
 #- "--log.level=DEBUG"
- - "--accesslog=true"
+ #- "--accesslog=true"
 - "--entrypoints.web.address=:80"
 - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
 - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
@@ -33,8 +34,8 @@ services:
 - "443:443"
 networks:
 - web
+ - proxy
 volumes:
- - "/var/run/docker.sock:/var/run/docker.sock:ro"
 - ${VOLUMES_PATH}/letsencrypt:/letsencrypt
 - $PWD/tls.toml:/etc/traefik/tls.toml
 labels:
@@ -50,6 +51,16 @@ services:
 - "traefik.http.middlewares.auth.basicauth.users=${HTPASSWD}"
 - "docker.group=proxy"
+ docker-socket-proxy:
+ image: tecnativa/docker-socket-proxy
+ restart: unless-stopped
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ CONTAINERS: 1
+ networks:
+ - proxy
+
 # whoami:
 # image: containous/whoami
@@ -67,4 +78,4 @@ services:
 networks:
 web:
 external: true
-
+ proxy:
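Review bot: The access log is switched off in the first hunk, where `- "--accesslog=true"` becomes `#- "--accesslog=true"`; the commit subject does not mention this, and it removes the per-request record needed to investigate probing or abuse on the published entrypoints. If the aim was lower log volume, keep `- "--accesslog=true"` and narrow it with Traefik's access-log filters; if it is deliberate, a comment beside the line should say why. The added `--providers.docker.endpoint=tcp://docker-socket-proxy:2375` is plain, unauthenticated TCP, so its safety depends entirely on which containers can join the `proxy` network. The argument list this hunk edits begins above the visible lines.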
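Review bot: In the third hunk, `image: tecnativa/docker-socket-proxy` has no tag or digest, so the one container that holds the Docker socket runs whatever the default tag resolves to at pull time; pin it, for example `image: tecnativa/docker-socket-proxy:<pinned-tag>@sha256:<digest>` (placeholders). The `:ro` on the socket bind mount does not limit the Docker API calls made through the socket, so the only restriction is the proxy's environment allow-list. A comment such as `# :ro does not restrict API calls; access is limited by the environment allow-list below` would stop a later editor from relying on it. A second comment next to `CONTAINERS: 1` should state that no further API sections, and no POST, are to be enabled without review.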
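Review bot: The `proxy:` network added in the last hunk is declared with an empty value, so it appears to be created with default settings, including outbound connectivity. The unauthenticated API on port 2375 is then protected only by the fact that nothing else is attached to that network. Declaring it as `proxy:` with `internal: true` beneath it keeps the socket proxy off any external route, while Traefik should still reach the outside through `web`. An explicit mapping also avoids the bare-key null, and a short comment saying that only Traefik and docker-socket-proxy may attach would document the trust boundary.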