From 5795286a7b9cb0a4359f96600d45869b8f40080c Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 24 Aug 2023 16:24:47 +0200
Subject: [PATCH 01/11] Create start.sh

Signed-off-by: Zoey
---
 Containers/docker-socket-proxy/start.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 Containers/docker-socket-proxy/start.sh

diff --git a/Containers/docker-socket-proxy/start.sh b/Containers/docker-socket-proxy/start.sh
new file mode 100644
index 00000000..dc6e9527
--- /dev/null
+++ b/Containers/docker-socket-proxy/start.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+openssl req -nodes -new -x509 -subj '/CN=*' -sha256 -keyout /etc/privkey.pem -out /etc/fullchain.pem -days 365000
+cat /etc/fullchain.pem /etc/privkey.pem | tee /etc/cert.pem
+
+set -x
+IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+sed -i "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|g"
+sed -i '/NC_IPV4_PLACEHOLDER/d' /conf/eturnal.yml
+
+IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+sed -i "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|g"
+sed -i '/NC_IPV6_PLACEHOLDER/d' /conf/eturnal.yml
+set +x
+
+haproxy -f /haproxy.cfg -db

From 685786c5f6e9b2b6a21f210d2f72ab97ffe53851 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 24 Aug 2023 16:46:35 +0200
Subject: [PATCH 02/11] Update start.sh

Signed-off-by: Zoey
---
 Containers/docker-socket-proxy/start.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Containers/docker-socket-proxy/start.sh b/Containers/docker-socket-proxy/start.sh
index dc6e9527..3496002c 100644
--- a/Containers/docker-socket-proxy/start.sh
+++ b/Containers/docker-socket-proxy/start.sh
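Review bot: The `sed -i "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|g"` and `sed -i "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|g"` lines have no file operand, so `sed -i` has nothing to edit and the placeholders are never substituted; the `/d` line after each cannot serve as a fallback either, because when `dig` returns nothing the empty substitution would already have removed the placeholder text and left an empty value rather than a deletable line. The same two-step pattern is kept in the `[PATCH 04/11]` hunk. A guard such as `[ -n "$IPv4_ADDRESS_NC" ] && sed -i "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|g" /conf/eturnal.yml` makes the substitution conditional and gives the `/d` fallback something to act on. Separately, `cat /etc/fullchain.pem /etc/privkey.pem | tee /etc/cert.pem` copies the freshly generated private key to stdout, i.e. into the container log; `cat /etc/fullchain.pem /etc/privkey.pem > /etc/cert.pem` keeps it out of the log.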
@@ -3,6 +3,12 @@
 openssl req -nodes -new -x509 -subj '/CN=*' -sha256 -keyout /etc/privkey.pem -out /etc/fullchain.pem -days 365000
 cat /etc/fullchain.pem /etc/privkey.pem | tee /etc/cert.pem
 
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9000; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
 set -x
 IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short | grep '^[0-9.]\+$' | sort | head -n1)"
 sed -i "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|g"

From e33f797da1880e40d4777b4505516b471063fa54 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 24 Aug 2023 20:51:04 +0200
Subject: [PATCH 03/11] remove https

Signed-off-by: Zoey
---
 Containers/docker-socket-proxy/start.sh | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/Containers/docker-socket-proxy/start.sh b/Containers/docker-socket-proxy/start.sh
index 3496002c..250dc34f 100644
--- a/Containers/docker-socket-proxy/start.sh
+++ b/Containers/docker-socket-proxy/start.sh
@@ -1,8 +1,5 @@
 #!/bin/sh
 
-openssl req -nodes -new -x509 -subj '/CN=*' -sha256 -keyout /etc/privkey.pem -out /etc/fullchain.pem -days 365000
-cat /etc/fullchain.pem /etc/privkey.pem | tee /etc/cert.pem
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9000; do
     echo "Waiting for Nextcloud to start..."

From 0fbd7768e0644de0f4751263eba58967875afa66 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 24 Aug 2023 21:02:49 +0200
Subject: [PATCH 04/11] Update start.sh

Signed-off-by: Zoey
---
 Containers/docker-socket-proxy/start.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Containers/docker-socket-proxy/start.sh b/Containers/docker-socket-proxy/start.sh
index 250dc34f..43151bcd 100644
--- a/Containers/docker-socket-proxy/start.sh
+++ b/Containers/docker-socket-proxy/start.sh
@@ -9,11 +9,11 @@ done
 set -x
 IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short | grep '^[0-9.]\+$' | sort | head -n1)"
 sed -i "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|g"
-sed -i '/NC_IPV4_PLACEHOLDER/d' /conf/eturnal.yml
+sed -i "s# || { src NC_IPV4_PLACEHOLDER }##g" /conf/haproxy.cfg
 
 IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
 sed -i "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|g"
-sed -i '/NC_IPV6_PLACEHOLDER/d' /conf/eturnal.yml
+sed -i "s# || { src NC_IPV6_PLACEHOLDER }##g" /conf/haproxy.cfg
 set +x
 
-haproxy -f /haproxy.cfg -db
+haproxy -f /conf/haproxy.cfg -db

From 5ad26a42fd451441f8f08dbe4b96f5993d22e52f Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 24 Aug 2023 21:04:30 +0200
Subject: [PATCH 05/11] Update containers.json

Signed-off-by: Zoey
---
 php/containers.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/php/containers.json b/php/containers.json
index a380e355..8d82bedd 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -661,7 +661,8 @@
             "restart": "unless-stopped",
             "read_only": true,
             "tmpfs": [
-                "/run/",
+                "/run",
+                "/conf",
                 "/var/lib/haproxy"
             ]
         }

From cac797114a8613dcf09c47df025dee5cddafe186 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 30 Aug 2023 14:59:08 +0200
Subject: [PATCH 06/11] restore lost changes

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/Dockerfile | 43 ++---------
 Containers/docker-socket-proxy/haproxy.cfg | 84 +++++-----------------
 2 files changed, 23 insertions(+), 104 deletions(-)

diff --git a/Containers/docker-socket-proxy/Dockerfile b/Containers/docker-socket-proxy/Dockerfile
index 21176d35..4b24373f 100644
--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
@@ -1,43 +1,10 @@
-# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/Dockerfile
 FROM haproxy:2.8.2-alpine3.18
 
 USER root
+RUN apk add --no-cache ca-certificates tzdata bind-tools
 
-RUN set -ex; \
-    apk add --no-cache tzdata; \
-    chmod 777 -R /run/; \
-    chmod 777 -R /var/lib/haproxy
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 haproxy.cfg /conf/haproxy.cfg
 
-EXPOSE 2375
-ENV ALLOW_RESTARTS=1 \
-    AUTH=1 \
-    BUILD=0 \
-    COMMIT=0 \
-    CONFIGS=0 \
-    CONTAINERS=1 \
-    DISTRIBUTION=0 \
-    EVENTS=0 \
-    EXEC=0 \
-    GRPC=0 \
-    IMAGES=1 \
-    INFO=1 \
-    LOG_LEVEL=info \
-    NETWORKS=1 \
-    NODES=0 \
-    PING=1 \
-    PLUGINS=0 \
-    POST=1 \
-    SECRETS=0 \
-    SERVICES=0 \
-    SESSION=0 \
-    SOCKET_PATH=/var/run/docker.sock \
-    SWARM=0 \
-    SYSTEM=0 \
-    TASKS=0 \
-    VERSION=1 \
-    VOLUMES=1
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
-
-USER root
-
-HEALTHCHECK CMD nc -z 127.0.0.1 2375 || exit 1
+ENTRYPOINT ["/start.sh"]
+HEALTHCHECK CMD [ "$(wget http://127.0.0.1:2375/v1.41/_ping -qO -)" = "OK" ] || exit 1
diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index 8143c832..6449a298 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
@@ -1,72 +1,24 @@
-# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg
-
-global
-    log stdout format raw daemon "${LOG_LEVEL}"
-
-    pidfile /run/haproxy.pid
-    maxconn 4000
-
-    # Turn on stats unix socket
-    # server-state-file /var/lib/haproxy/server-state
-
 defaults
-    mode http
-    log global
-    option httplog
-    option dontlognull
-    option http-server-close
-    option redispatch
-    retries 3
-    timeout http-request 10s
-    timeout queue 1m
     timeout connect 10s
-    timeout client 10m
-    timeout server 10m
-    timeout http-keep-alive 10s
-    timeout check 10s
-    maxconn 3000
+    timeout client 10s
+    timeout server 10s
 
-    # Allow seamless reloads
-    # load-server-state-from-file global
-
-    # Use provided example error pages
-    errorfile 400 /usr/local/etc/haproxy/errors/400.http
-    errorfile 403 /usr/local/etc/haproxy/errors/403.http
-    errorfile 408 /usr/local/etc/haproxy/errors/408.http
-    errorfile 500 /usr/local/etc/haproxy/errors/500.http
-    errorfile 502 /usr/local/etc/haproxy/errors/502.http
-    errorfile 503 /usr/local/etc/haproxy/errors/503.http
-    errorfile 504 /usr/local/etc/haproxy/errors/504.http
-
-backend dockerbackend
-    server dockersocket $SOCKET_PATH
-
-frontend dockerfrontend
+frontend http
+    mode http
     bind :2375
-    http-request deny unless METH_GET || { env(POST) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } { env(GRPC) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool }
+    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((start)|(stop)|(restart)|(kill)) }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version }
     http-request deny
     default_backend dockerbackend
+
+backend dockerbackend
+    mode http
+    server dockersocket /var/run/docker.sock

From a56fbb604538d74a13e1e71d767b470158dbbb84 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 30 Aug 2023 15:13:08 +0200
Subject: [PATCH 07/11] address review

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/Dockerfile | 14 ++++++++++----
 Containers/docker-socket-proxy/haproxy.cfg | 3 ++-
 Containers/docker-socket-proxy/healthcheck.sh | 6 ++++++
 Containers/docker-socket-proxy/start.sh | 11 ++++++-----
 php/containers.json | 4 +---
 5 files changed, 25 insertions(+), 13 deletions(-)
 create mode 100644 Containers/docker-socket-proxy/healthcheck.sh

diff --git a/Containers/docker-socket-proxy/Dockerfile b/Containers/docker-socket-proxy/Dockerfile
index 4b24373f..5999ba72 100644
--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
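Review bot: The rewritten haproxy.cfg drops the `global` `log` line together with `log global` and `option httplog` and adds no replacement, so HAProxy no longer records which requests to the Docker socket were allowed or denied; for a socket proxy that per-request log is the audit trail a defender needs in order to notice unexpected callers or denied paths, and the `http-request deny` lines in this hunk leave no trace without it. Restoring `log stdout format raw daemon` under a `global` section and `log global` plus `option httplog` under `defaults` keeps the log on stdout like the rest of the container. A one-line comment above `http-request deny unless { src 127.0.0.1 } ...` should also say that the two placeholders are filled in by start.sh at container start, since the file is not valid HAProxy syntax as committed.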
@@ -1,10 +1,16 @@ FROM haproxy:2.8.2-alpine3.18 USER root -RUN apk add --no-cache ca-certificates tzdata bind-tools +ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud +RUN set -ex; \ + apk add --no-cache \ + ca-certificates \ + tzdata \ + bind-tools; \ + chmod -R 777 /tmp -COPY --chmod=775 start.sh /start.sh -COPY --chmod=664 haproxy.cfg /conf/haproxy.cfg +COPY --chmod=775 *.sh / +COPY --chmod=664 haproxy.cfg /haproxy.cfg ENTRYPOINT ["/start.sh"] -HEALTHCHECK CMD [ "$(wget http://127.0.0.1:2375/v1.41/_ping -qO -)" = "OK" ] || exit 1 +HEALTHCHECK CMD /healthcheck.sh diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg index 6449a298..7ec80aab 100644 --- a/Containers/docker-socket-proxy/haproxy.cfg +++ b/Containers/docker-socket-proxy/haproxy.cfg @@ -1,3 +1,5 @@ +# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg + defaults timeout connect 10s timeout client 10s @@ -8,7 +10,6 @@ frontend http bind :2375 http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER } http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((start)|(stop)|(restart)|(kill)) } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } diff --git a/Containers/docker-socket-proxy/healthcheck.sh b/Containers/docker-socket-proxy/healthcheck.sh new file mode 100644 index 00000000..867d9a5e --- /dev/null +++ b/Containers/docker-socket-proxy/healthcheck.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +nc -z "$NEXTCLOUD_HOST" 9000 || exit 0 +if [ "$(wget http://127.0.0.1:2375/v1.41/_ping -qO -)" != "OK" ]; then + exit 1 +fi 
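Review bot: `ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud` uses the legacy whitespace form that BuildKit now warns about; `ENV NEXTCLOUD_HOST=nextcloud-aio-nextcloud` is the documented form and behaves identically. The `chmod -R 777 /tmp` in the same `RUN` is presumably there so the unprivileged process can write `/tmp/haproxy.cfg`, but with `/tmp` declared as a tmpfs in php/containers.json in this commit the mount replaces the image's directory at runtime, so the mode of the mount rather than this chmod is what applies; a short comment on that line, or dropping it if the tmpfs default proves sufficient, would stop the next reader from relying on it.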
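Review bot: healthcheck.sh uses `#!/bin/bash`, but the image is `haproxy:2.8.2-alpine3.18` and the `RUN apk add` in this commit installs only ca-certificates, tzdata and bind-tools; unless bash is already present in the base image the healthcheck fails with exit 127 and the container is reported unhealthy for the wrong reason. start.sh uses `#!/bin/sh` and nothing in this script needs bash, so `#!/bin/sh` keeps both scripts consistent. The first line `nc -z "$NEXTCLOUD_HOST" 9000 || exit 0` deliberately reports healthy while Nextcloud is unreachable, which reads as a bug without explanation; a comment such as `# Report healthy while Nextcloud is not reachable yet: start.sh is still blocked in its wait loop` would record the intent.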
diff --git a/Containers/docker-socket-proxy/start.sh b/Containers/docker-socket-proxy/start.sh
index 43151bcd..d1b9e29c 100644
--- a/Containers/docker-socket-proxy/start.sh
+++ b/Containers/docker-socket-proxy/start.sh
@@ -8,12 +8,13 @@ done
 
 set -x
 IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short | grep '^[0-9.]\+$' | sort | head -n1)"
-sed -i "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|g"
-sed -i "s# || { src NC_IPV4_PLACEHOLDER }##g" /conf/haproxy.cfg
+HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)"
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
 
 IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-sed -i "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|g"
-sed -i "s# || { src NC_IPV6_PLACEHOLDER }##g" /conf/haproxy.cfg
+HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
+HAPROXYFILE="$(echo "$HAPROXYFILE" | sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|")"
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
 set +x
 
-haproxy -f /conf/haproxy.cfg -db
+haproxy -f /tmp/haproxy.cfg -db
diff --git a/php/containers.json b/php/containers.json
index 8d82bedd..1df76249 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -661,9 +661,7 @@
             "restart": "unless-stopped",
             "read_only": true,
             "tmpfs": [
-                "/run",
-                "/conf",
-                "/var/lib/haproxy"
+                "/tmp"
             ]
         }
     ]

From 2bb47bdf1b07adbc65a3fee1256bc4809ec5bca1 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 30 Aug 2023 15:14:29 +0200
Subject: [PATCH 08/11] add disable label

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Containers/docker-socket-proxy/Dockerfile b/Containers/docker-socket-proxy/Dockerfile
index 5999ba72..6f72f7fd 100644
--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
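Review bot: The IPv6 substitution runs in the wrong order: `HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"` strips the whole `|| { src NC_IPV6_PLACEHOLDER }` clause unconditionally, so the placeholder is already gone when the next line tries to replace it with `$IPv6_ADDRESS_NC`, and the resolved IPv6 address never reaches the allow-list. The IPv4 path has the opposite defect: `sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|"` substitutes with no fallback, so when `dig` returns nothing HAProxy is handed `{ src }` and fails to start. Both lookups also hard-code `nextcloud-aio-nextcloud` while the wait loop above uses `$NEXTCLOUD_HOST`, which this commit sets in the Dockerfile. The same IPv6 lines appear again as context in the `[PATCH 11/11]` hunk. The rewrite below substitutes only when an address was found and strips the clause otherwise; the `grep` filters already restrict each address to `[0-9.]`/`[0-9a-f:]`, which is what keeps the value safe to interpolate into the `sed` expression.
```shell
# … unchanged: shebang, wait loop, set -x, IPv4 lookup …
HAPROXYFILE="$(cat /haproxy.cfg)"
if [ -n "$IPv4_ADDRESS_NC" ]; then
    HAPROXYFILE="$(printf '%s\n' "$HAPROXYFILE" | sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|")"
else
    # No A record: drop the clause instead of leaving an empty "src"
    HAPROXYFILE="$(printf '%s\n' "$HAPROXYFILE" | sed "s# || { src NC_IPV4_PLACEHOLDER }##g")"
fi

IPv6_ADDRESS_NC="$(dig "$NEXTCLOUD_HOST" AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
if [ -n "$IPv6_ADDRESS_NC" ]; then
    HAPROXYFILE="$(printf '%s\n' "$HAPROXYFILE" | sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|")"
else
    # No AAAA record: drop the clause instead of leaving an empty "src"
    HAPROXYFILE="$(printf '%s\n' "$HAPROXYFILE" | sed "s# || { src NC_IPV6_PLACEHOLDER }##g")"
fi
printf '%s\n' "$HAPROXYFILE" > /tmp/haproxy.cfg
# … unchanged: set +x and haproxy start …
```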
@@ -14,3 +14,4 @@ COPY --chmod=664 haproxy.cfg /haproxy.cfg
 
 ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false"

From b4e30bc66a56290d3f99906cacc93e49875b45c4 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 30 Aug 2023 15:16:35 +0200
Subject: [PATCH 09/11] add recommended regex

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/haproxy.cfg | 33 ++++++++++++++++------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index 7ec80aab..363abb71 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
@@ -8,15 +8,30 @@ defaults
 frontend http
     mode http
     bind :2375
-    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((start)|(stop)|(restart)|(kill)) }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json)|(start)|(stop)) } METH_GET
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
+
+    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
+    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
+
+    # ACL to restrict the number of Mounts to 1
+    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
+    # ACL to deny if there are any binds
+    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
+    # ACL to restrict the type of Mounts to volume
+    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
+
+    # ACL to restrict container creation, that it has HostConfig.Privileged only set to false
+    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\":\s?false"
+    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
+    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name no_privileged_flag nc_app_volume_data_only METH_POST
+
+    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data METH_POST
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
     http-request deny
     default_backend dockerbackend
 

From f92d36a5f73971c5f3ee9588237ab8dd359e842f Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 30 Aug 2023 15:23:40 +0200
Subject: [PATCH 10/11] of course we need the src

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/haproxy.cfg | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index 363abb71..024983b5 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
@@ -8,6 +8,7 @@ defaults
 frontend http
     mode http
     bind :2375
+    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json)|(start)|(stop)) } METH_GET
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
 

From 204a24019fb5cf9c8f335633794ef49180317520 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 30 Aug 2023 15:59:51 +0200
Subject: [PATCH 11/11] fix SC

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/start.sh | 1 +
 1 file changed, 1 insertion(+)
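Review bot: The `http-request deny if { ... /containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST` rule ANDs its four ACLs, so it only fires when every condition is true at once; a create request that violates just one of them (a `Binds` entry next to a single volume mount, for instance) is not stopped here and, if it also satisfies `no_privileged_flag` and `nc_app_volume_data_only`, is accepted by the allow rule a few lines below. Name the path once with `acl create_container path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create` and deny on any single violation: `http-request deny if create_container METH_POST !nc_app_container_name || create_container METH_POST !one_mount_volume || create_container METH_POST binds_present || create_container METH_POST type_not_volume`. The `req.body` ACLs match against whatever part of the body has arrived when the rule is evaluated unless the request is buffered first, so `option http-buffer-request` under `defaults` is needed for these checks to see the full JSON, and a comment above the first `acl` should state that dependency. The enclosing `frontend http` section begins before this hunk.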
diff --git a/Containers/docker-socket-proxy/start.sh b/Containers/docker-socket-proxy/start.sh
index d1b9e29c..18840a7c 100644
--- a/Containers/docker-socket-proxy/start.sh
+++ b/Containers/docker-socket-proxy/start.sh
@@ -13,6 +13,7 @@ echo "$HAPROXYFILE" > /tmp/haproxy.cfg
 
 IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
 HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
+# shellcheck disable=SC2001
 HAPROXYFILE="$(echo "$HAPROXYFILE" | sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|")"
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
 set +x
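Review bot: The added `# shellcheck disable=SC2001` is justified, since the script runs under `#!/bin/sh` where the `${var//pattern/repl}` expansion that SC2001 recommends is not available, but the directive does not say so and a later reader may "fix" it by switching to the bash form. A line such as `# POSIX sh has no ${var//pattern/repl}, so the sed call is intentional` directly above the directive records the reason. The substitution block this line belongs to starts before the hunk.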