Core package for the Docker Socket Proxy, providing secure access to the Docker API with endpoint filtering and access control.

This package implements a secure proxy that controls access to Docker socket API endpoints. It supports fine-grained permissions for different Docker operations and can restrict HTTP methods (GET-only or GET+POST).

graph TD
    A[HTTP Request] --> B[NewHandler Router]
    B --> C{Method Allowed?}
    C -->|No| D[405 Method Not Allowed]
    C -->|Yes| E{Path Allowed?}
    E -->|No| F[403 Forbidden]
    E -->|Yes| G[Docker Socket Handler]
    G --> H[Reverse Proxy]
    H --> I[Docker Daemon]

Global configuration flags loaded from environment variables:

The NewHandler() function creates an HTTP router with:

• Path-based access control (allowed/denied paths)
• HTTP method filtering (GET-only or GET+POST)
• Version prefix support (e.g., /v1.41/containers)
• Unix domain socket proxying

Based on Go's standard library reverse proxy with enhancements:

• Hop-by-hop header removal
• WebSocket/h2c upgrade handling
• Trailer support
• Context-aware request cancellation

package main

import (
    "log"
    "net/http"
    socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
)

func main() {
    // Configuration is loaded from environment variables
    if socketproxy.ListenAddr == "" {
        log.Fatal("Docker socket address is not set")
    }
    log.Printf("Docker socket listening on: %s", socketproxy.ListenAddr)
    http.ListenAndServe(socketproxy.ListenAddr, socketproxy.NewHandler())
}

1. Endpoint Whitelisting: Only explicitly allowed endpoints are accessible
2. Method Restrictions: Can restrict to GET-only or allow POST
3. Connection Keep-Alive: Maintains persistent connections to Docker socket
4. Header Filtering: Removes hop-by-hop headers to prevent spoofing

The proxy connects to the Docker daemon via Unix socket and proxies all allowed requests. The Docker API version prefix is handled automatically for backward compatibility.