Updates

nextcloud-aio/Containers/docker-socket-proxy/Dockerfile

@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:latest
+FROM haproxy:3.2.6-alpine
+
+# hadolint ignore=DL3002
+USER root
+ENV NEXTCLOUD_HOST=nextcloud-aio-nextcloud
+RUN set -ex; \
+    apk upgrade --no-cache -a; \
+    apk add --no-cache \
+        ca-certificates \
+        tzdata \
+        bash \
+        bind-tools; \
+    chmod -R 777 /tmp
+
+COPY --chmod=775 *.sh /
+COPY --chmod=664 haproxy.cfg /haproxy.cfg
+
+ENTRYPOINT ["/start.sh"]
+HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false" \
+    org.label-schema.vendor="Nextcloud"

nextcloud-aio/Containers/docker-socket-proxy/haproxy.cfg

@@ -0,0 +1,68 @@
+# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg
+
+global
+    maxconn 10
+
+defaults
+    timeout connect 30s
+    timeout client 30s
+    timeout server 1800s
+
+frontend http
+    mode http
+    bind :::2375 v4v6
+    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
+    # docker system _ping
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping$ } METH_GET
+    # docker inspect image: GET images/%s/json
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/.*/json } METH_GET
+    # container inspect: GET containers/%s/json
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
+    # container inspect: GET containers/%s/logs
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET
+    # container start/stop: POST containers/%s/start containers/%s/stop
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
+    # container rm: DELETE containers/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
+    # container update/exec: POST containers/%s/update containers/%s/exec
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((update)|(exec)) } METH_POST
+    # container put: PUT containers/%s/archive
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/archive } METH_PUT
+    # run exec instance: POST exec/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec/[a-zA-Z0-9_.-]+/start } METH_POST
+
+    # container create: POST containers/create?name=%s
+    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
+    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
+
+    # ACL to restrict the number of Mounts to 1
+    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
+    # ACL to deny if there are any binds
+    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
+    # ACL to restrict the type of Mounts to volume
+    acl type_not_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[[^\]]*(\"Type\"\s*:\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
+
+    # ACL to restrict container creation, that it has HostConfig.Privileged(by searching for "Privileged" word in all payload)
+    acl no_privileged_flag req.body -m reg -i "\"Privileged\""
+    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
+    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*{[^}]*\"Source\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
+    # end of container create
+
+    # volume create: POST volumes/create
+    # restrict name
+    acl nc_app_volume_data req.body -m reg -i "\"Name\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
+    acl volume_no_device req.body -m reg -i "\"device\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
+    # volume rm: DELETE volumes/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
+    # image pull: POST images/create?fromImage=%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
+    http-request deny
+    default_backend dockerbackend
+
+backend dockerbackend
+    mode http
+    server dockersocket /var/run/docker.sock

nextcloud-aio/Containers/docker-socket-proxy/healthcheck.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
+nc -z 127.0.0.1 2375 || exit 1

nextcloud-aio/Containers/docker-socket-proxy/start.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9001; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
+set -x
+IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)" 
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
+
+IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+if [ -n "$IPv6_ADDRESS_NC" ]; then
+    HAPROXYFILE="$(sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|" /tmp/haproxy.cfg)"
+else
+    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
+fi
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
+set +x
+
+haproxy -f /tmp/haproxy.cfg -db