
I'm working on a server hosting project in which clients need to be able to access an xterm virtual terminal of their Docker container, which would allow them to interact with the running process.

For that to be possible, I exposed the dockerd API on the local network, which in turn makes it fully available to the webserver. Clients on the local network can access the ws attach endpoint but also the rest of the API, which is a side effect I surely don't want.

My issue is that I now need to make the websocket attach endpoint reachable to outside clients without exposing the full API. Is this possible, and if so, how?

Here's a diagram of what I think would be the ideal structure to achieve this: [infrastructure diagram]
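One way to express the allowlist the question proposes for the reverse proxy, as an added Python example that is not the asker's code: the policy function below admits only a websocket upgrade to the Docker `attach/ws` endpoint for a container the authenticated user owns, and rejects every other method, path, query key or container. The ownership table, the container IDs and the `allow_request` name are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Only the websocket attach endpoint is passed through, with or without the
# optional API-version prefix. Container references must be full hex IDs, so a
# client cannot address another tenant's container by its name.
ATTACH_WS = re.compile(r"^/(?:v\d+\.\d+/)?containers/([0-9a-f]{64})/attach/ws$")
# Query parameters documented for attach/ws; any other key is rejected.
ALLOWED_QUERY = {"stream", "stdin", "stdout", "stderr", "logs", "detachKeys"}

# Constructed sample ownership table (hypothetical): user -> full container IDs.
ALICE_ID = "0123456789abcdef" * 4
BOB_ID = "fedcba9876543210" * 4
OWNERSHIP = {"alice": {ALICE_ID}, "bob": {BOB_ID}}


def allow_request(method: str, target: str, headers: dict, user: str) -> bool:
    """Return True only for a websocket attach to a container `user` owns.

    `user` must come from the proxy's own authenticated session, never from
    anything the client sent in the request.
    """
    if method.upper() != "GET":            # attach/ws is a GET + Upgrade request
        return False
    parts = urlsplit(target)
    m = ATTACH_WS.fullmatch(parts.path)    # anchored: no prefix or suffix smuggling,
    if m is None:                          # percent-encoded paths simply fail to match
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if not set(query) <= ALLOWED_QUERY:    # unknown keys are denied, not stripped
        return False
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    if "websocket" not in hdrs.get("upgrade", ""):
        return False
    # Docker resolves ID prefixes, so compare the full 64-hex ID exactly.
    return m.group(1) in OWNERSHIP.get(user, set())
```

Even with this filter in place, an admitted attach session is an interactive console inside the container, so the proxy must authenticate the user before this check runs and must never forward any other Docker API path.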

  • This is fraught with peril: generally if you can access the Docker socket at all, it's very easy to use it to root the entire host. If you're not confident in how you'd approach this I'd suggest a different way to build your application (restructuring it to have a network API instead of a console UI; giving users ssh access into dedicated VMs). – David Maze Sep 25 '20 at 10:43
  • Ofc clients could just ssh into the containers, but it'd be so much simpler for them to have a console directly on their server page. Websockets seem like the best and most hassle-free solution for this task. Are you sure the daemon API could be abused even if all connections are filtered by a reverse proxy which allows only /attach/ws requests through? – Newe Sep 25 '20 at 10:52

0 Answers