Docker-Socket-Proxy

Docker-Socket-Proxy

Docker app from grtgbln's Repository

Overview

The Socket Proxy is a security-enhanced proxy which allows you to apply access rules to the Docker socket, limiting the attack surface for containers such as watchtower or Traefik that need to use it.

Contributing to socket-proxy

Gotchas

  • While contributing make sure to make all your changes before creating a Pull Request, as our pipeline builds each commit after the PR is open.
  • Read, and fill the Pull Request template
    • If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR
    • If the PR is addressing an existing issue include, closes #<issue number>, in the body of the PR commit message
  • If you want to discuss changes, you can also bring it up in #dev-talk in our Discord server

Common files

File Use case
Dockerfile Dockerfile used to build amd64 images
Dockerfile.aarch64 Dockerfile used to build 64bit ARM architectures
Dockerfile.armhf Dockerfile used to build 32bit ARM architectures
Jenkinsfile This file is a product of our builder and should not be edited directly. This is used to build the image
jenkins-vars.yml This file is used to generate the Jenkinsfile mentioned above, it only affects the build-process
package_versions.txt This file is generated as a part of the build-process and should not be edited directly. It lists all the installed packages and their versions
README.md This file is a product of our builder and should not be edited directly. This displays the readme for the repository and image registries
readme-vars.yml This file is used to generate the README.md

Readme

If you would like to change our readme, please do not directly edit the readme, as it is auto-generated on each commit. Instead edit the readme-vars.yml.

These variables are used in a template for our Jenkins Builder as part of an ansible play. Most of these variables are also carried over to docs.linuxserver.io

Fixing typos or clarify the text in the readme

There are variables for multiple parts of the readme, the most common ones are:

Variable Description
project_blurb This is the short excerpt shown above the project logo.
app_setup_block This is the text that shows up under "Application Setup" if enabled

Parameters

The compose and run examples are also generated from these variables.

We have a reference file in our Jenkins Builder.

These are prefixed with param_ for required parameters, or opt_param for optional parameters, except for cap_add. Remember to enable param, if currently disabled. This differs between parameters, and can be seen in the reference file.

Devices, environment variables, ports and volumes expects its variables in a certain way.

Devices

param_devices:
  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
opt_param_devices:
  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }

Environment variables

param_env_vars:
  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
opt_param_env_vars:
  - { env_var: "VERSION", env_value: "latest", desc: "Supported values are LATEST, PLEXPASS or a specific version number." }

Ports

param_ports:
  - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }
opt_param_ports:
  - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }

Volumes

param_volumes:
  - { vol_path: "/config", vol_host_path: "</path/to/appdata/config>", desc: "Configuration files." }
opt_param_volumes:
  - { vol_path: "/config", vol_host_path: "</path/to/appdata/config>", desc: "Configuration files." }

Testing template changes

After you make any changes to the templates, you can use our Jenkins Builder to have the files updated from the modified templates. Please use the command found under Running Locally on this page to generate them prior to submitting a PR.

Dockerfiles

We use multiple Dockerfiles in our repos, this is because sometimes some CPU architectures needs different packages to work. If you are proposing additional packages to be added, ensure that you added the packages to all the Dockerfiles in alphabetical order.

Testing your changes

git clone https://github.com/linuxserver/docker-socket-proxy.git
cd docker-socket-proxy
docker build \
  --no-cache \
  --pull \
  -t linuxserver/socket-proxy:latest .

The ARM variants can be built on x86_64 hardware and vice versa using lscr.io/linuxserver/qemu-static

docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset

Once registered you can define the dockerfile to use with -f Dockerfile.aarch64.

Update the changelog

If you are modifying the Dockerfiles or any of the startup scripts in root, add an entry to the changelog

changelogs:
  - { date: "DD.MM.YY:", desc: "Added some love to templates" }

Install Docker-Socket-Proxy on Unraid in a few clicks.

Find Docker-Socket-Proxy in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for Docker-Socket-Proxy Review the template variables and paths Click Install

Download Statistics

882,091
Total Downloads
122,919
This Month
98,074
Avg / Month

Total Downloads Over Time

Loading chart...

Related apps

Details

Repository
lscr.io/linuxserver/socket-proxy:latest
Last Updated2026-06-22
First Seen2025-06-07

Runtime arguments

Network
bridge
Privileged
true
Extra Params
--read-only --tmpfs /run

Template configuration

Allow POSTVariable

When set to 0, only GET and HEAD operations are allowed, making API access read-only.

Target
POST
Default
0|1
Allow Container StartsVariable

Allow starting containers.

Target
ALLOW_START
Default
0|1
Allow Container StopsVariable

Allow stopping containers.

Target
ALLOW_STOP
Default
0|1
Allow Container RestartsVariable

Allow restarting containers.

Target
ALLOW_RESTARTS
Default
0|1
Allow Auth EndpointVariable

Allow access to the auth endpoint.

Target
AUTH
Default
0|1
Allow Build EndpointVariable

Allow access to the build endpoint.

Target
BUILD
Default
0|1
Allow Commit EndpointVariable

Allow access to the commit endpoint.

Target
COMMIT
Default
0|1
Allow Configs EndpointVariable

Allow access to the configs endpoint.

Target
CONFIGS
Default
0|1
Allow Containers EndpointVariable

Allow access to the containers endpoint.

Target
CONTAINERS
Default
0|1
Allow Distribution EndpointVariable

Allow access to the distribution endpoint.

Target
DISTRIBUTION
Default
0|1
Disable IPv6Variable

Set to 1 to prevent binding to the IPv6 interface for legacy systems that cannot support IPv6.

Target
DISABLE_IPV6
Default
0|1
Allow Events EndpointVariable

Allow access to the events endpoint.

Target
EVENTS
Default
1|0
Allow Exec EndpointVariable

Allow access to the exec endpoint.

Target
EXEC
Default
0|1
Allow Images EndpointVariable

Allow access to the images endpoint.

Target
IMAGES
Default
0|1
Allow Info EndpointVariable

Allow access to the info endpoint.

Target
INFO
Default
0|1
Allow Networks EndpointVariable

Allow access to the networks endpoint.

Target
NETWORKS
Default
0|1
Allow Nodes EndpointVariable

Allow access to the nodes endpoint.

Target
NODES
Default
0|1
Allow Ping EndpointVariable

Allow access to the ping endpoint.

Target
PING
Default
1|0
Allow Plugins EndpointVariable

Allow access to the plugins endpoint.

Target
PLUGINS
Default
0|1
Allow Secrets EndpointVariable

Allow access to the secrets endpoint.

Target
SECRETS
Default
0|1
Allow Services EndpointVariable

Allow access to the services endpoint.

Target
SERVICES
Default
0|1
Allow Session EndpointVariable

Allow access to the session endpoint.

Target
SESSION
Default
0|1
Allow Swarm EndpointVariable

Allow access to the swarm endpoint.

Target
SWARM
Default
0|1
Allow System EndpointVariable

Allow access to the system endpoint.

Target
SYSTEM
Default
0|1
Allow Tasks EndpointVariable

Allow access to the tasks endpoint.

Target
TASKS
Default
0|1
Allow Version EndpointVariable

Allow access to the version endpoint.

Target
VERSION
Default
1|0
Allow Volumes EndpointVariable

Allow access to the volumes endpoint.

Target
VOLUMES
Default
0|1
Docker socketPathrw

Path to the Docker socket

Target
/var/run/docker.sock
Default
/var/run/docker.sock
Value
/var/run/docker.sock
Log LevelVariable

Set the log level for the proxy.

Target
LOG_LEVEL
Default
info|debug|notice|warning|err|crit|alert|emerg