From cac797114a8613dcf09c47df025dee5cddafe186 Mon Sep 17 00:00:00 2001 From: Simon L Date: Wed, 30 Aug 2023 14:59:08 +0200 Subject: [PATCH] restore lost changes Signed-off-by: Simon L --- Containers/docker-socket-proxy/Dockerfile | 43 ++--------- Containers/docker-socket-proxy/haproxy.cfg | 84 +++++----------------- 2 files changed, 23 insertions(+), 104 deletions(-) diff --git a/Containers/docker-socket-proxy/Dockerfile b/Containers/docker-socket-proxy/Dockerfile index 21176d35..4b24373f 100644 --- a/Containers/docker-socket-proxy/Dockerfile +++ b/Containers/docker-socket-proxy/Dockerfile @@ -1,43 +1,10 @@ -# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/Dockerfile FROM haproxy:2.8.2-alpine3.18 USER root +RUN apk add --no-cache ca-certificates tzdata bind-tools -RUN set -ex; \ - apk add --no-cache tzdata; \ - chmod 777 -R /run/; \ - chmod 777 -R /var/lib/haproxy +COPY --chmod=775 start.sh /start.sh +COPY --chmod=664 haproxy.cfg /conf/haproxy.cfg -EXPOSE 2375 -ENV ALLOW_RESTARTS=1 \ - AUTH=1 \ - BUILD=0 \ - COMMIT=0 \ - CONFIGS=0 \ - CONTAINERS=1 \ - DISTRIBUTION=0 \ - EVENTS=0 \ - EXEC=0 \ - GRPC=0 \ - IMAGES=1 \ - INFO=1 \ - LOG_LEVEL=info \ - NETWORKS=1 \ - NODES=0 \ - PING=1 \ - PLUGINS=0 \ - POST=1 \ - SECRETS=0 \ - SERVICES=0 \ - SESSION=0 \ - SOCKET_PATH=/var/run/docker.sock \ - SWARM=0 \ - SYSTEM=0 \ - TASKS=0 \ - VERSION=1 \ - VOLUMES=1 -COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg - -USER root - -HEALTHCHECK CMD nc -z 127.0.0.1 2375 || exit 1 +ENTRYPOINT ["/start.sh"] +HEALTHCHECK CMD [ "$(wget http://127.0.0.1:2375/v1.41/_ping -qO -)" = "OK" ] || exit 1 diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg index 8143c832..6449a298 100644 --- a/Containers/docker-socket-proxy/haproxy.cfg +++ b/Containers/docker-socket-proxy/haproxy.cfg 
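Review bot: `USER root` is kept while the base image's entrypoint is replaced by `/start.sh`, so unless start.sh drops privileges itself (it is not part of this patch) the HAProxy process fronting the Docker socket keeps running as root, whereas the official haproxy image normally runs as its unprivileged `haproxy` user. Consider a `user haproxy` / `group haproxy` pair in a `global` section of haproxy.cfg, or an `exec` of haproxy under that account from start.sh, with the socket's group made readable to it instead of the old blanket `chmod 777`. Two smaller items: `COPY --chmod` needs BuildKit, so the image no longer builds with the legacy builder, and the HEALTHCHECK's wget has no read timeout — `wget -T 5 http://127.0.0.1:2375/v1.41/_ping -qO -` keeps a hung proxy from pinning the probe until Docker's own healthcheck timeout fires.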
@@ -1,72 +1,24 @@ -# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg - -global - log stdout format raw daemon "${LOG_LEVEL}" - - pidfile /run/haproxy.pid - maxconn 4000 - - # Turn on stats unix socket - # server-state-file /var/lib/haproxy/server-state - defaults - mode http - log global - option httplog - option dontlognull - option http-server-close - option redispatch - retries 3 - timeout http-request 10s - timeout queue 1m timeout connect 10s - timeout client 10m - timeout server 10m - timeout http-keep-alive 10s - timeout check 10s - maxconn 3000 + timeout client 10s + timeout server 10s - # Allow seamless reloads - # load-server-state-from-file global - - # Use provided example error pages - errorfile 400 /usr/local/etc/haproxy/errors/400.http - errorfile 403 /usr/local/etc/haproxy/errors/403.http - errorfile 408 /usr/local/etc/haproxy/errors/408.http - errorfile 500 /usr/local/etc/haproxy/errors/500.http - errorfile 502 /usr/local/etc/haproxy/errors/502.http - errorfile 503 /usr/local/etc/haproxy/errors/503.http - errorfile 504 /usr/local/etc/haproxy/errors/504.http - -backend dockerbackend - server dockersocket $SOCKET_PATH - -frontend dockerfrontend +frontend http + mode http bind :2375 - http-request deny unless METH_GET || { env(POST) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool } - http-request allow if { path,url_dec -m reg -i 
^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } { env(GRPC) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool } - http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool } + http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((start)|(stop)|(restart)|(kill)) } + http-request allow if { path,url_dec -m reg -i 
^(/v[\d\.]+)?/auth } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } + http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } http-request deny default_backend dockerbackend + +backend dockerbackend + mode http + server dockersocket /var/run/docker.sock
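Review bot: The new side removes every logging directive (`log stdout format raw daemon …`, `log global`, `option httplog`) and adds none, so requests this proxy allows or denies against the Docker socket leave no trace in the container output, which for an access-control layer in front of the Docker API is the main detection signal. Restore a `global` section with `log stdout format raw daemon` and put `log global` and `option httplog` under `defaults`. Separately, `timeout server 10s` (down from 10m) now also governs the `^(/v[\d\.]+)?/images` prefix, which covers image pulls that routinely exceed 10 s, so those responses would be cut mid-stream if pulls are routed through this proxy. The dedicated `containers/<id>/(start|stop|restart|kill)` rule is redundant, because the following `^(/v[\d\.]+)?/containers` prefix rule already matches every sub-path under /containers and, with the old `METH_GET` gate gone, every HTTP method; if the narrower rule reflects the intended scope, anchor the prefix rule (e.g. `^(/v[\d\.]+)?/containers/json$` for listing) or drop it.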