Docker Hardened Proxy

Security-hardened proxy for Docker daemon API. Intercepts container operations against configurable policies with namespace-based isolation.

Quick Start

# Build
docker build -t docker-hardened-proxy .

# Run with config
docker run -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $(pwd)/config.yaml:/etc/docker-hardened-proxy/config.yaml \
  -p 2375:2375 \
  docker-hardened-proxy

# Use proxy
docker -H tcp://localhost:2375 ps

Configuration

listeners:
  tcp:
    address: ["0.0.0.0:2375"]

upstream:
  url: "unix:///var/run/docker.sock"

namespace: "default"

audit:
  deny_privileged: true
  denied_response_mode: "reason"
  
  build:
    policy: "list"
    allowed: ["myregistry.com/"]
  
  pull:
    policy: "list"
    allowed: ["alpine", "ubuntu"]
  
  registry:
    auth: "list"
    auth_allowed: ["https://myregistry.com"]
    push: "list"
    push_allowed: ["myregistry.com/"]

logging:
  level: "info"
  format: "json"

Policies

All policies support three modes:

• deny - block all (default for most)
• allow - allow all
• list - allow only items in allowed list

Endpoints:

• /containers/create - audited for privileged, capabilities, bind mounts
• /containers/{id}/exec - audited for security options
• /build - controlled by audit.build.policy
• /images/create (pull) - controlled by audit.pull.policy
• /auth - controlled by audit.registry.auth
• /images/{name}/push - controlled by audit.registry.push

Denied Response Mode

audit.denied_response_mode controls what body clients receive for ordinary HTTP 403 Forbidden policy denials.

• reason - default, preserves the legacy detailed body such as denied: privileged mode is denied
• generic - returns denied by policy for ordinary HTTP 403 deny responses to reduce exposed policy detail

Choose reason for compatibility with existing tooling that inspects deny messages, or generic when you want to minimize response detail without changing internal audit decisions or logs.

This setting applies to the standard HTTP deny responses generated by the proxy handlers. It does not change deny semantics inside hijacked BuildKit control streams after the h2c upgrade has completed.

Namespace Isolation

Containers are labeled with ltkk.run/namespace. All operations check container labels match the configured namespace. Cross-namespace operations are denied.

namespace: "team-a"

Development

just test      # Run tests
just lint      # Run linter
just build     # Build binary
just run       # Run with default config

Security Defaults

• Bind mounts: denied unless explicitly allowed
• Privileged containers: denied
• Dangerous capabilities (SYS_ADMIN, etc.): denied
• BuildKit: denied by default; when enabled, /session is header-audited and /grpc control RPCs are audited per request
• Unknown endpoints: denied (fail-closed)