I'm trying to follow the guidelines of docker-bench-security. I'm trying to comply with this rule: Ensure the Docker socket is not mounted inside any containers.
I've read that jwilder-nginx-proxy does not need the docker socket to be mounted if it can access it through HTTPS.
I think my docker installation is working; I can communicate with the docker API from my host:
curl https://127.0.0.1:2376/version --cert /home/ubuntu/.docker/cert.pem --key /home/ubuntu/.docker/key.pem --cacert /home/ubuntu/.docker/ca.pem
{"Platform":{"Name":"Docker Engine - Community"},"Components":...}
But I can't access it from nginx jwilder:
******@******:~/docker/proxy$ docker exec -ti nginx bash
root@c4740dcc00d9:/app# curl https://127.0.0.1:2376/version --cert /home/ubuntu/.docker/cert.pem --key /home/ubuntu/.docker/key.pem --cacert /home/ubuntu/.docker/ca.pem
curl: (7) Failed to connect to 127.0.0.1 port 2376: Connection refused
root@c4740dcc00d9:/app# curl https://172.17.0.1:2376/version --cert /home/ubuntu/.docker/cert.pem --key /home/ubuntu/.docker/key.pem --cacert /home/ubuntu/.docker/ca.pem -m 5
curl: (28) Connection timed out after 5000 milliseconds
Here's my docker-compose.yml:
nginx:
  container_name: nginx
  image: jwilder/nginx-proxy
  ports:
    - 80:80
    - 443:443
  environment:
    DOCKER_HOST: tcp://127.0.0.1:2376
    DOCKER_TLS_VERIFY:
    DOCKER_CERT_PATH:
  volumes:
    - ./certs:${DOCKER_CERT_PATH}
And the daemon.json file:
{
  "icc": false,
  "userns-remap": "default",
  "log-driver": "local",
  "live-restore": true,
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ssl/ca.pem",
  "tlscert": "/etc/docker/ssl/daemon-cert.pem",
  "tlskey": "/etc/docker/ssl/daemon-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "default-ulimit": "nofile=50:100",
  "userland-proxy": false
}
I don't know how to reach the docker API through jwilder. Is there something to add to the docker-compose file, or to the docker configuration? Which address should I use to reach it from the containers?
Thanks in advance for pointing me in the right direction!
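The docker-bench-security rule the question opens with (no container may have the Docker socket bind-mounted) can be verified without running the whole benchmark. The script below is an added example, not code from the question or from docker-bench-security: it parses `docker inspect` records, flags any container whose Mounts or HostConfig.Binds reference the daemon socket, and ships with a constructed sample of two inspect records (one offending, one clean) so it runs offline. The socket paths it looks for, the sample container names and the `--sample` flag are assumptions of this example.

```python
"""Detect containers that have the Docker socket bind-mounted.

Reads the JSON that `docker inspect $(docker ps -aq)` prints and reports
any container whose Mounts or HostConfig.Binds reference the daemon's
UNIX socket. A constructed sample of inspect output is embedded so the
check can be exercised without a Docker host (run with --sample).
"""
import json
import subprocess
import sys

# Assumed socket locations: the default path and the /run alias.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def socket_mounts(container):
    """Return the socket paths this container (one inspect record) mounts."""
    found = set()
    # Mounts is the normalised view of everything mounted into the container.
    for mount in container.get("Mounts", []):
        if mount.get("Type") == "bind" and mount.get("Source") in DOCKER_SOCKET_PATHS:
            found.add(mount["Source"])
    # Binds keeps the raw "host:container[:opts]" strings from `-v` / compose volumes.
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        host_path = bind.split(":", 1)[0]
        if host_path in DOCKER_SOCKET_PATHS:
            found.add(host_path)
    return sorted(found)


def audit(inspect_records):
    """Map container name -> mounted socket paths, for offending containers only."""
    report = {}
    for record in inspect_records:
        name = record.get("Name", "").lstrip("/")
        paths = socket_mounts(record)
        if paths:
            report[name] = paths
    return report


# Constructed sample of `docker inspect` output (not from a real host):
# one container with the socket mounted, one that only mounts TLS certs.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/nginx-with-socket",
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/tmp/docker.sock", "RW": false}],
   "HostConfig": {"Binds": ["/var/run/docker.sock:/tmp/docker.sock:ro"]}},
  {"Name": "/nginx-tls-only",
   "Mounts": [{"Type": "bind", "Source": "/home/ubuntu/certs",
               "Destination": "/etc/docker-certs", "RW": false}],
   "HostConfig": {"Binds": ["/home/ubuntu/certs:/etc/docker-certs:ro"]}}
]
""")


def audit_live_host():
    """Run the same check against the local daemon (needs the docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-aq"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit(json.loads(out))


if __name__ == "__main__":
    result = audit(SAMPLE_INSPECT) if "--sample" in sys.argv else audit_live_host()
    for name, paths in result.items():
        print(f"{name}: mounts {', '.join(paths)}")
    # Non-zero exit makes the check usable as a CI or cron gate.
    sys.exit(1 if result else 0)
```

Run it with `--sample` to see the constructed offending container reported, or without arguments on a host with the docker CLI to audit the real container set. Checking both Mounts and Binds matters because a read-only mount of the socket (`:ro`) still grants full API access and shows up in both lists.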