fix: #17

Author: 11notes

arch.dockerfile

@@ -20,7 +20,7 @@
       BUILD_DIR \
       BUILD_BIN
 
-  COPY ./go/ /go
+  COPY ./build/ /
 
   RUN set -ex; \
     cd ${BUILD_DIR}; \
@@ -58,7 +58,8 @@
         SOCKET_PROXY_UID=${APP_UID} \
         SOCKET_PROXY_GID=${APP_GID} \
         SOCKET_PROXY_KEEPALIVE="10s" \
-        SOCKET_PROXY_TIMEOUT="30s"
+        SOCKET_PROXY_TIMEOUT="30s" \
+        SOCKET_PROXY_HTTP_LISTEN_IP="127.0.0.1"
 
   # :: multi-stage
     COPY --from=distroless / /

go/socket-proxy/go.mod build/go/socket-proxy/go.modgo/socket-proxy/go.mod renamed to build/go/socket-proxy/go.mod

@@ -1,3 +1,3 @@
 module github.com/11notes/docker-socket-proxy
 go 1.25.0
-require github.com/11notes/go v1.1.2
+require github.com/11notes/go/v2 v2.0.1

go/socket-proxy/main.go build/go/socket-proxy/main.gogo/socket-proxy/main.go renamed to build/go/socket-proxy/main.go

@@ -14,11 +14,10 @@ import(
 	"strconv"
 	"time"
 
-	"github.com/11notes/go"
+	"github.com/11notes/go/v2"
 )
 
 var(
-	Eleven eleven.New = eleven.New{}
 	proxy *httputil.ReverseProxy
 	socket net.Listener
 	wg sync.WaitGroup
@@ -29,49 +28,50 @@ var(
 	gid string = os.Getenv("SOCKET_PROXY_GID")
 	volume string = os.Getenv("SOCKET_PROXY_VOLUME")
 	dockerSocket string = os.Getenv("SOCKET_PROXY_DOCKER_SOCKET")
+	httpSocket string = os.Getenv("SOCKET_PROXY_HTTP_LISTEN_IP")
 )
 
 func prepareFileSystemDropPrivileges(){
 	// unprivileged user
 	proxyUID, err := strconv.Atoi(uid)
 	if err != nil {
-		Eleven.LogFatal("SOCKET_PROXY_UID must be a number %v", err)
+		eleven.LogFatal("SOCKET_PROXY_UID must be a number %v", err)
 	}
 	proxyGID, err := strconv.Atoi(gid)
 	if err != nil {
-		Eleven.LogFatal("SOCKET_PROXY_GID must be a number %v", err)
+		eleven.LogFatal("SOCKET_PROXY_GID must be a number %v", err)
 	}
 	proxyVolume := regexp.MustCompile(`/+$`).ReplaceAllString(volume, "")
 
 	// chown file system for unprivileged user	
 	if err := os.Chown(proxyVolume, proxyUID , proxyGID); err != nil {
-		Eleven.LogFatal("could not chown folder %s", proxyVolume, err)
+		eleven.LogFatal("could not chown folder %s", proxyVolume, err)
 	}
 
 	// check docker socket permissions
 	stat, err := os.Stat(dockerSocket)
 	if err != nil {
-		Eleven.LogFatal("could not evaluate ownership of docker socket, permission issue %v", err)
+		eleven.LogFatal("could not evaluate ownership of docker socket, permission issue %v", err)
 	}
 	if ownership, ok := stat.Sys().(*syscall.Stat_t); !ok {
-		Eleven.LogFatal("could not evaluate ownership of docker socket, permission issue %v", err)
+		eleven.LogFatal("could not evaluate ownership of docker socket, permission issue %v", err)
 	}else{
 		if(int(ownership.Uid) != os.Getuid()){
-			Eleven.LogFatal("can’t access docker socket as UID %d owned by UID %d. Please change the user setting in your compose to the correct UID/GID pair like this >> user: %d:%d", os.Getuid(), ownership.Uid, ownership.Uid, ownership.Gid)
+			eleven.LogFatal("can’t access docker socket as UID %d owned by UID %d. Please change the user setting in your compose to the correct UID/GID pair like this >> user: %d:%d", os.Getuid(), ownership.Uid, ownership.Uid, ownership.Gid)
 		}else{
 			if(int(ownership.Gid) != os.Getgid()){
-				Eleven.LogFatal("can’t access docker socket as GID %d owned by GID %d. Please change the user setting in your compose to the correct UID/GID pair like this >> user: %d:%d", os.Getgid(), ownership.Gid, os.Getuid(), ownership.Gid)
+				eleven.LogFatal("can’t access docker socket as GID %d owned by GID %d. Please change the user setting in your compose to the correct UID/GID pair like this >> user: %d:%d", os.Getgid(), ownership.Gid, os.Getuid(), ownership.Gid)
 			}
 		}
 	}
 
 	// drop privileges since only the proxy must access the socket as root and nothing else
 	if err := syscall.Setgid(proxyGID); err != nil {
-		Eleven.LogFatal("could not set GID to %d %v", proxyGID, err)
+		eleven.LogFatal("could not set GID to %d %v", proxyGID, err)
 	}
 
 	if err := syscall.Setuid(proxyUID); err != nil {
-		Eleven.LogFatal("could not set UID to %d %v", proxyUID, err)
+		eleven.LogFatal("could not set UID to %d %v", proxyUID, err)
 	}
 }
 
@@ -101,7 +101,7 @@ func httpProxy(w http.ResponseWriter, r *http.Request){
 	if((method  == "GET" || method  == "HEAD") && !httpProxyBlockedPaths(url)){
 		proxy.ServeHTTP(w, r)
 	}else{
-		Eleven.Log("INF", "blocked: %s %s", method, url)
+		eleven.Log("INF", "blocked: %s %s", method, url)
 		http.Error(w, "", http.StatusForbidden)  
 	}
 }
@@ -119,20 +119,20 @@ func healthcheck(exit bool){
 	if(exit){
 		os.Exit(0)
 	}else{
-		Eleven.Log("DBG", "health check successfully")
+		eleven.Log("DBG", "health check successfully")
 	}
 }
 
 func main(){
 	// set socket proxy file path
 	socketProxy = regexp.MustCompile(`/+$`).ReplaceAllString(volume, "") + "/docker.sock"
 
-	if(Eleven.Util.CommandLineArgumentExists("--healthcheck")){
+	if(eleven.Util.CommandLineArgumentExists("--healthcheck")){
 		// only run healthcheck
 		healthcheck(true)
 	}else{
 		// start app
-		Eleven.Log("START", "")
+		eleven.Log("START", "")
 
 		// setup signal handler
 		signalChannel := make(chan os.Signal, 1)
@@ -145,13 +145,13 @@ func main(){
 		// setup proxy to docker socket as root
 		keepAlive, err := time.ParseDuration(keepAlive)
 		if err != nil {
-			Eleven.LogFatal("%s not a valid time format: %s", keepAlive, err)
+			eleven.LogFatal("%s not a valid time format: %s", keepAlive, err)
 		}
 		timeout, err := time.ParseDuration(timeout)
 		if err != nil {
-			Eleven.LogFatal("%s not a valid time format: %s", timeout, err)
+			eleven.LogFatal("%s not a valid time format: %s", timeout, err)
 		}
-		localhost, _ := url.Parse("http://localhost")
+		localhost, _ := url.Parse("http://127.0.0.1")
 		proxy = httputil.NewSingleHostReverseProxy(localhost)
 		docketSockerDialer := &net.Dialer{KeepAlive: keepAlive, Timeout: timeout}
 		proxy.Transport = &http.Transport{
@@ -170,14 +170,14 @@ func main(){
 		os.Remove(socketProxy)
 		unix, err := net.Listen("unix", socketProxy)
 		if err != nil {
-			Eleven.LogFatal("could not start unix socket %v", err)
+			eleven.LogFatal("could not start unix socket %v", err)
 		}
 		wg.Add(1)
 		go func(){
 			defer wg.Done()
-			Eleven.Log("INF", "starting proxy UNIX socket ...")
+			eleven.Log("INF", "starting proxy UNIX socket on " + socketProxy + " ...")
 			if err := unixServer.Serve(unix); err != nil {
-				Eleven.LogFatal("could not start unix socket %v", err)
+				eleven.LogFatal("could not start unix socket %v", err)
 			}
 		}()
 
@@ -186,32 +186,32 @@ func main(){
 			Handler: http.HandlerFunc(httpProxy),
 		}
 
-		tcp, err := net.Listen("tcp", "0.0.0.0:2375")
+		tcp, err := net.Listen("tcp", httpSocket + ":2375")
 		if err != nil {
-			Eleven.LogFatal("could not start tcp socket %v", err)
+			eleven.LogFatal("could not start tcp socket %v", err)
 		}
 		wg.Add(1)
 		go func(){
 			defer wg.Done()
-			Eleven.Log("INF", "starting proxy TCP socket ...")
+			eleven.Log("INF", "starting proxy TCP socket on " + httpSocket + "...")
 			if err := httpServer.Serve(tcp); err != nil {
-				Eleven.LogFatal("could not start tcp socket %v", err)
+				eleven.LogFatal("could not start tcp socket %v", err)
 			}
 		}()
 
 		// try to access the socket proxy
 		client := &http.Client{}
-		req, err := http.NewRequest(http.MethodGet, "http://localhost:2375/version", nil)
+		req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:2375/version", nil)
 		if err != nil {
-			Eleven.LogFatal("could not create HTTP request %v", err)
+			eleven.LogFatal("could not create HTTP request %v", err)
 		}
 		res, err := client.Do(req)
 		if err != nil {
-			Eleven.LogFatal("could not proxy to docker socket %v", err)
+			eleven.LogFatal("could not proxy to docker socket %v", err)
 		}
 		res.Body.Close()
 		if res.StatusCode != http.StatusOK {
-			Eleven.LogFatal("could not proxy to docker socket %v", err)
+			eleven.LogFatal("could not proxy to docker socket %v", err)
 		}
 
 		// set internal socket check

compose.yml

@@ -1,7 +1,7 @@
 name: "reverse-proxy"
 services:
   socket-proxy:
-    image: "11notes/socket-proxy:2.1.6"
+    image: "11notes/socket-proxy:2.1.7"
     read_only: true
     user: "0:0" 
     environment:
@@ -12,6 +12,8 @@ services:
     restart: "always"
 
   traefik:
+    # for more information about this image checkout:
+    # https://github.com/11notes/docker-traefik
     depends_on:
       socket-proxy:
         condition: "service_healthy"
@@ -104,7 +106,8 @@ services:
     restart: "always"
 
   errors:
-    # this image can be used to display a simple error message since Traefik can’t serve content
+    # for more information about this image checkout:
+    # https://github.com/11notes/docker-postgres
     image: "11notes/traefik:errors"
     read_only: true
     labels:
@@ -118,6 +121,8 @@ services:
 
   # example container
   nginx:
+    # for more information about this image checkout:
+    # https://github.com/11notes/docker-nginx
     image: "11notes/nginx:stable"
     read_only: true
     labels: