Support for TLS

[amir20]

Hello there,

I am the creator of Dozzle. For a long time, I have been wanting to implement something like socket proxy in Go. I found your project through referral links. Many people use Tecnativa/docker-socket-proxy for simple non-secured connection.

However, I think a lot of people prefer a secured connection. I wonder if it would be best for this project to support both. Here is what I am thinking:

1. socket-proxy could have a --tls option
2. It would automatically generate certificates and write them to disk
3. Anybody could pick those certificates (like Dozzle) and pin 'em to their client
4. socket-proxy would only allow connections that have valid certificates

Currently, to setup TLS over HTTP with Docker is just a pain. This solution could make it a lot simpler to setup docker for TLS with minimum effort. Even better, it would auto generated certs to be used.

What do you think?

[wollomatic]

Hello @amir20,

I am honoured to receive a message from You because I'm a big fan of Dozzle and find it very useful.

Yes, TLS would be a good idea. I had already considered implementing some TLS communication but postponed it to keep it simple.

I like the suggestion, and I think I will implement it.

Thanks again, and have a great weekend,
Wolfgang

[amir20]

Awesome! Here is a related issue amir20/dozzle#2536

I think ideally, it should just work by producing a similar directory to Docker with all the certs in one place.

I did create some code in Golang to generate certs:

package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"time"
)

func tls() {
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatalf("Failed to generate private key: %v", err)
	}
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		log.Fatalf("Failed to generate serial number: %v", err)
	}

	template := x509.Certificate{
		SerialNumber: serialNumber,
		Subject: pkix.Name{
			Organization: []string{"My Corp"},
		},
		DNSNames:  []string{"localhost"},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(3 * time.Hour),

		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}

}

You can use it if you want.

When you are ready, we can also update https://dozzle.dev/guide/remote-hosts to add a section about TLS.

[amir20]

So recently I have been thinking about supporting Docker Swarm and improving remote connection. I am working on agent mode with Dozzle which is described at amir20/dozzle#3052.

If implemented correctly, it would no longer require any kind of socket proxy.

Let me know your thoughts...

[reneleonhardt]

Is there a more detailed list how to implement this?

[vnghia]

Hello, I just want to give my opinion about this issue.

I think support for TLS is not necessary because: Docker TLS is just mTLS. I think we could (and should) offload these tasks to a reverse proxy (traefik in my case). I was able to use mTLS with Traefik on server side and docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:443 version on client side. I think there are two benefits with this approach:

• keep this awesome socket-proxy simple.
• we can reuse the 443 port instead of having to open another port 2376.

I can send a PR to add document how to do that if it sounds good for you. Thank you very much!