Further harden compose stack
14
compose.yml
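--- a/compose.yml
+++ b/compose.yml
@@ -1,5 +1,6 @@
 name: traefik_secure
 services:
+
 socket-proxy:
 image: dockerproxy
 build:
@@ -10,8 +11,14 @@ services:
 - 8000:8000
 networks:
 - traefik
+- socket_proxy
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
+read_only: true
+security_opt:
+- no-new-privileges:true
+cap_drop:
+- ALL
 restart: unless-stopped
 environment:
 - ALLOWED_NETWORKS=traefik_secure_traefik
@@ -39,6 +46,7 @@ services:
 - "8080:8080"
 networks:
 - traefik
+- socket_proxy
 depends_on:
 - socket-proxy
 restart: unless-stopped
@@ -51,4 +59,8 @@ services:
 - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 - "traefik.http.routers.whoami.entrypoints=web"
 networks:
-traefik:
+traefik: {}
+socket_proxy:
+driver: bridge
+internal: true
+enable_ipv6: false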
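Review bot: In the second hunk socket-proxy joins the new internal `socket_proxy` network but stays attached to `traefik` and keeps the published `- 8000:8000`, so the internal network does not by itself narrow who can reach the Docker API proxy. The service's `ports:` key and the proxy's listen port are outside the hunk, so this assumes 8000 is the proxy listener; if it is, every container on `traefik` and anything that can reach the host's interfaces can still talk to it. For the isolation to hold, list only `- socket_proxy` under that service's `networks:` and drop the published port, or bind it to loopback with `- "127.0.0.1:8000:8000"` if host access is really needed. Whether `ALLOWED_NETWORKS=traefik_secure_traefik` depends on the proxy itself being on `traefik` cannot be told from the diff and should be checked before removing it. The service in the third hunk, which appears to be Traefik, receives none of the `read_only`, `no-new-privileges:true` and `cap_drop: ALL` settings added here, although it is the container that faces traffic.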