# DocKet Proxy - Docker Socket Proxy

## Description

I wanted an easy/simple and secure way to use Traefik in my homelab without giving it free rein over my host machine and the Docker socket. This project is a WIP where I am testing out some concepts and ideas.

## Getting Started

First build and run the proxy.

```shell
cd proxy
go run main.go # You may need sudo to connect to /var/run/docker.sock
```

Now try it out! Traefik uses pinned API version routes, so first get the version:

```shell
# Store the bare version number; the "v" prefix is added in each URL below.
$ export DOCKER_API_VERSION=$(curl localhost:8000/version | jq -r '.ApiVersion')
$ echo $DOCKER_API_VERSION
1.49
```

Now make some requests:

```shell
# List containers (Allowed)
$ curl localhost:8000/v$DOCKER_API_VERSION/containers/json | jq

# Be sure to replace the container ID below with a valid one when testing.
# Stop a running container (Allowed)
$ curl -X POST localhost:8000/v$DOCKER_API_VERSION/containers/52812bebe72b45cbe960babc2e3ff43a21bf9dd6c29ce9462ed39ec3c4e31072/stop

# Start a container (Allowed)
$ curl -X POST localhost:8000/v$DOCKER_API_VERSION/containers/52812bebe72b45cbe960babc2e3ff43a21bf9dd6c29ce9462ed39ec3c4e31072/start
```

Now try something sneaky like creating a new network:

```shell
$ curl -X POST localhost:8000/v$DOCKER_API_VERSION/networks/create -H 'content-type: application/json' -d @example-payloads/network.json
Forbidden
```

See the full code for the list of routes that are allowed. Any route not in the allow list is blocked by default.

I have done some limited testing with the latest version of Traefik and have not noticed any issues. I have another project that uses [Sablier Plugin](https://hub.docker.com/r/sablierapp/sablier) for Traefik and I have done some limited testing with that. I can confirm that `Sablier` is still able to start my containers. It looks like it may have some issues stopping all containers, but I haven't fully explored it yet. That is part of the reason why there is still some ugly logging in place.
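
The default-deny allow list described under Getting Started, sketched as an added example (this is not the project's own `main.go`). The rule set covers only the routes this README shows as allowed; the regular expressions, the `isAllowed` and `newProxy` names, and the `127.0.0.1:8000` listen address are assumptions made for illustration.

```go
package main

import (
	"context"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"regexp"
)

// Assumed allow list: one anchored path pattern per HTTP method, built from the
// routes the README shows as allowed. The optional prefix matches pinned /v1.NN/ routes.
var allowed = map[string]*regexp.Regexp{
	"GET":  regexp.MustCompile(`^(/v1\.\d+)?/(version|containers/json)$`),
	"POST": regexp.MustCompile(`^(/v1\.\d+)?/containers/[a-zA-Z0-9][a-zA-Z0-9_.-]*/(start|stop)$`),
}

// isAllowed is default-deny: unknown methods and non-matching paths are rejected.
func isAllowed(method, path string) bool {
	re, ok := allowed[method]
	return ok && re.MatchString(path)
}

// newProxy forwards allowed requests to the Docker unix socket and answers 403 otherwise.
func newProxy(socket string) http.Handler {
	rp := &httputil.ReverseProxy{
		Director: func(r *http.Request) { r.URL.Scheme, r.URL.Host = "http", "docker" },
		Transport: &http.Transport{DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", socket)
		}},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAllowed(r.Method, r.URL.Path) {
			log.Printf("denied %s %q", r.Method, r.URL.Path) // keep a record of blocked calls
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", newProxy("/var/run/docker.sock")))
}
```

The container ID pattern must start with an alphanumeric character, so a path segment such as `..` never matches, and matching runs on the decoded `r.URL.Path`, so an encoded slash cannot smuggle extra segments past the check.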