Publishing the Docker daemon using a Containerized Reverse Proxy

Publishing the Docker daemon usually involves creating the required certificates, reconfiguring the Docker daemon and restarting it. But often you do not have the necessary permissions to change the daemon configuration or to restart it. I’ll demonstrate how to use a containerized reverse proxy to achieve the same result without touching the daemon.

Disclaimer

Always configure certificate authentication when exposing the Docker daemon to the network on a TCP port. Failing to do so effectively gives root privileges on the host to anyone who can reach that port.

Prerequisites

Please follow the official documentation to create the certificates necessary to secure the Docker daemon. Contrary to the official documentation, do not configure the Docker daemon to use the newly created certificates. They will be used in the next section.

Usage

The reverse proxy is based on nginx:stable-alpine and listens on 2376/tcp using TLS with client certificate verification. All requests are forwarded to the local Docker daemon socket /var/run/docker.sock, which must be mapped into the container. The certificates created in the previous section are passed in as environment variables (quoted, because PEM files span multiple lines):

docker run -d \
    --env CA_CRT="$(cat ca.pem)" \
    --env SERVER_KEY="$(cat server_key.pem)" \
    --env SERVER_CRT="$(cat server_cert.pem)" \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --net=host \
    nicholasdille/docker-auth-proxy

You can also start the container in the default network and expose the port:

docker run -d \
    --env CA_CRT="$(cat ca.pem)" \
    --env SERVER_KEY="$(cat server_key.pem)" \
    --env SERVER_CRT="$(cat server_cert.pem)" \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    -p 2376:2376 \
    nicholasdille/docker-auth-proxy

Because only the proxy container is started and stopped, publishing the Docker daemon can be switched on and off as required without interfering with running containers or the daemon itself.
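To make the mechanism concrete, here is a minimal nginx configuration that implements the same pattern: TLS on 2376 with mandatory client certificate verification against the CA, proxying to the mounted Docker socket. This is an added illustration, not the nginx.conf shipped in the nicholasdille/docker-auth-proxy image; the certificate paths under /etc/nginx/certs are assumed.

```nginx
# Added example, not the project's own configuration.
# Assumes the three PEM files have been written to /etc/nginx/certs.
events {}

http {
    # The Docker API is served on the Unix socket mounted into the container.
    upstream docker {
        server unix:/var/run/docker.sock;
    }

    server {
        listen 2376 ssl;

        ssl_certificate     /etc/nginx/certs/server_cert.pem;
        ssl_certificate_key /etc/nginx/certs/server_key.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Require a client certificate signed by our CA. With "on", nginx
        # rejects any TLS handshake that lacks a valid client certificate,
        # so an unauthenticated caller never reaches the Docker API.
        ssl_client_certificate /etc/nginx/certs/ca.pem;
        ssl_verify_client      on;

        location / {
            proxy_pass         http://docker;
            proxy_http_version 1.1;

            # Streaming endpoints (attach, exec, logs -f) upgrade the
            # connection and run for a long time; do not buffer them.
            proxy_set_header   Upgrade    $http_upgrade;
            proxy_set_header   Connection $http_connection;
            proxy_buffering    off;
            proxy_request_buffering off;
            proxy_read_timeout 3600s;
        }
    }
}
```

A client then connects exactly as with a natively published daemon, e.g. docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://HOST:2376 info, and a connection without a certificate is refused by nginx before any API request is forwarded.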

Use the source

The code for this image is available on GitHub. The image was published to Docker Hub as nicholasdille/docker-auth-proxy.

Alternative: Remoting using SSH

Please also refer to the SSH remoting feature added in Docker 18.09, which lets a client reach a remote daemon over an existing SSH connection without publishing a TCP port at all.