generated from Templates/Baseline
parent
d0090a7e9a
commit
de8c64a650
4
.vscode/dictionaries/project-words.txt
vendored
@ -1,10 +1,14 @@
|
|||||||
|
FOSS
|
||||||
|
gitea
|
||||||
Gitea
|
Gitea
|
||||||
LOGLEVEL
|
LOGLEVEL
|
||||||
MAXCLIENTS
|
MAXCLIENTS
|
||||||
|
ocram
|
||||||
Quickstart
|
Quickstart
|
||||||
swarmproxy
|
swarmproxy
|
||||||
Swarmproxy
|
Swarmproxy
|
||||||
tbd
|
tbd
|
||||||
|
tinyproxy
|
||||||
Tinyproxy
|
Tinyproxy
|
||||||
TINYPROXY
|
TINYPROXY
|
||||||
UID
|
UID
|
||||||
|
44
README.md
@ -16,12 +16,10 @@
|
|||||||
🦁 Swarmproxy is a simple http proxy to limit your outbound traffic.
|
🦁 Swarmproxy is a simple http proxy to limit your outbound traffic.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
## ❓ FAQ
|
## 📖 About
|
||||||
|
|
||||||
### What ist Swarmproxy?
|
|
||||||
|
|
||||||
Swarmproxy is a simply way to integrate a http proxy in your Docker swarm cluster or any other container network.
|
Swarmproxy is a simply way to integrate a http proxy in your Docker swarm cluster or any other container network.
|
||||||
It acts as an centralized proxy to limit your outbound / egress traffic. You can also enable a whitelist filter to
|
It acts as an centralized proxy to limit your outbound / egress traffic. You can also add a whitelist filter to
|
||||||
limit the allowed domains. There is also an option to use a upstream proxy.
|
limit the allowed domains. There is also an option to use a upstream proxy.
|
||||||
|
|
||||||
### What does Swarmproxy for you?
|
### What does Swarmproxy for you?
|
||||||
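Review bot: The reworded sentence on the new side ("You can also add a whitelist filter to") sits in a paragraph that still reads "a simply way", "an centralized proxy" and "a upstream proxy"; since the paragraph is being touched anyway, change these to "a simple way", "a centralized proxy" and "an upstream proxy". With the "### What ist Swarmproxy?" heading dropped, the paragraph now sits directly under "## 📖 About" while the following "### What does Swarmproxy for you?" headings keep the FAQ phrasing, so consider renaming them to match.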
@ -31,16 +29,18 @@ Therefore, unfiltered Internet access may be prohibited.
|
|||||||
|
|
||||||
So Swarmproxy could help you with these features:
|
So Swarmproxy could help you with these features:
|
||||||
|
|
||||||
- Prevent direct web access from Container workload.
|
- ✔️ Prevent direct web access from Container workload.
|
||||||
- Upstream proxy with or without authentication
|
- ✔️ Upstream proxy with or without authentication
|
||||||
- Optional domain based whitelist filter.
|
- ✔️ Optional domain based whitelist filter.
|
||||||
|
|
||||||
### What does Swarmproxy not?
|
### What does Swarmproxy not?
|
||||||
|
|
||||||
Swarmproxy is just a supercharged Tinyproxy where you can point your container workload to.
|
Swarmproxy is just a supercharged Tinyproxy where you can point your container workload to.
|
||||||
|
|
||||||
> ☣️ Swarmproxy does not block the web access or other traffic if the proxy is not used. It's not a firewall, and it
|
- ☣️ Swarmproxy does not block the web access or other traffic if you workload doesn't use a proxy
|
||||||
> does not customize your iptables or so
|
- ☣️ It's not a firewall, thus it does not customize your iptables or any other firewall policies.
|
||||||
|
|
||||||
|
## 🚀 Quickstart
|
||||||
|
|
||||||
### 1. ⚡ Get the image 📦
|
### 1. ⚡ Get the image 📦
|
||||||
|
|
||||||
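Review bot: The two new ☣️ bullets under "What does Swarmproxy not?" replace the blockquote callout, which makes the one security-relevant caveat in the README read like another feature bullet next to the ✔️ list; keep it as a callout, fix "if you workload" to "if your workload", and say what does enforce the restriction. The compose file in this commit already defines `backend` with `internal: true`, so one sentence stating that workloads have to sit on an internal-only network for the proxy to be their only way out would close the gap.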
@ -49,10 +49,13 @@ You can download the image from the Gitea embedded container registry: `gitea.oc
|
|||||||
- `latest`, `main` - Is based on the lasted master branch commit.
|
- `latest`, `main` - Is based on the lasted master branch commit.
|
||||||
- `1`, `0.1`, `0.1.0` - tag based version.
|
- `1`, `0.1`, `0.1.0` - tag based version.
|
||||||
|
|
||||||
> **💡 NOTE: See the [packages page](https://gitea.ocram85.com/OCram85/-/packages/container/swarmproxy/latest) for latest version and all other available tags.**
|
> **💡 NOTE: See the [packages page](https://gitea.ocram85.com/OCram85/-/packages/container/swarmproxy/latest)
|
||||||
|
> for latest version and all other available tags.**
|
||||||
|
|
||||||
### 2. 🛡️ Run as Docker Swarm Stack
|
### 2. 🛡️ Run as Docker Swarm Stack
|
||||||
|
|
||||||
|
This example shows all available configuration keys / environment variables for Swarmproxy.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
version: "3.8"
|
version: "3.8"
|
||||||
|
|
||||||
@ -80,6 +83,7 @@ services:
|
|||||||
#secrets:
|
#secrets:
|
||||||
# - upstream-proxy
|
# - upstream-proxy
|
||||||
environment:
|
environment:
|
||||||
|
- LOGLEVEL=Info
|
||||||
# Recommended settings
|
# Recommended settings
|
||||||
# Use an optional upstream proxy
|
# Use an optional upstream proxy
|
||||||
#- UPSTREAM_PROXY=
|
#- UPSTREAM_PROXY=
|
||||||
@ -92,16 +96,15 @@ services:
|
|||||||
#- TINYPROXY_GID=5123
|
#- TINYPROXY_GID=5123
|
||||||
#- PORT=8888
|
#- PORT=8888
|
||||||
#- TIMEOUT=600
|
#- TIMEOUT=600
|
||||||
#- LOGLEVEL=Info
|
|
||||||
#- MAXCLIENTS=600
|
#- MAXCLIENTS=600
|
||||||
#- FILTER_FILE=/app/filter
|
#- FILTER_FILE=/app/filter
|
||||||
volumes:
|
volumes:
|
||||||
# You can mount a single filter file into the container.
|
# You can mount a single filter file into the container.
|
||||||
# To reload the file use the docker kill -s USR1 <container_id| container_name> command.
|
# To reload the file use the docker kill -s USR1 <container_id| container_name> command.
|
||||||
- ./filter.txt:/app/filter:ro
|
# - ./filter.txt:/app/filter:ro
|
||||||
configs:
|
#configs:
|
||||||
- source: filter_file
|
# - source: filter_file
|
||||||
target: /app/filter
|
# target: /app/filter
|
||||||
networks:
|
networks:
|
||||||
egress:
|
egress:
|
||||||
aliases:
|
aliases:
|
||||||
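Review bot: On the new side `volumes:` stays uncommented while its only entry becomes `# - ./filter.txt:/app/filter:ro`, which leaves the key empty; comment out `volumes:` as well, the same way `configs:` became `#configs:`. With the bind mount, the config mount and `#- FILTER_FILE=/app/filter` all commented out, a reader who copies the example gets no filter file in the container, so add a comment saying the whitelist is off in this example and which lines belong together (FILTER_FILE plus exactly one of the two mounts, since both target `/app/filter`). The `#configs:` variant also depends on a top-level `filter_file` definition that is not visible in this hunk.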
@ -109,7 +112,10 @@ services:
|
|||||||
- proxy
|
- proxy
|
||||||
```
|
```
|
||||||
|
|
||||||
### 3. Use the proxy form other containers
|
### 3. 🚀 Full example
|
||||||
|
|
||||||
|
You can find a full example containing a fake upstream, swarmproxy and workload container in the
|
||||||
|
[docker-compose.yml](docker-compose.yml) file.
|
||||||
|
|
||||||
|
|
||||||
## 💣 Known Issues
|
## 💣 Known Issues
|
||||||
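Review bot: The new "### 3. 🚀 Full example" section only links to docker-compose.yml, so the Quickstart has no step telling the reader how a workload addresses the proxy. One sentence naming the network alias and port used in the example (`proxy` and `8888`, as in `"-x", "proxy:8888"`) would keep the README usable without opening the compose file.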
@ -139,11 +145,11 @@ code in Copilot.
|
|||||||
|
|
||||||
## 🙏 Credits
|
## 🙏 Credits
|
||||||
|
|
||||||
swarmproxy is based on the following projects and wouldn't be possible without them:
|
Swarmproxy is based on the following projects and wouldn't be possible without them:
|
||||||
|
|
||||||
- [Tinyproxy](https://github.com/tinyproxy/tinyproxy) - The Tinyproxy project itself
|
- [Tinyproxy](https://github.com/tinyproxy/tinyproxy) - The Tinyproxy project itself
|
||||||
- [docker-tinyproxy](https://github.com/kalaksi/docker-tinyproxy) - A containerized tinyproxy variant.
|
- [docker-tinyproxy](https://github.com/kalaksi/docker-tinyproxy) - A containerized Tinyproxy variant.
|
||||||
- [docker-tinyproxy](https://github.com/ajoergensen/docker-tinyproxy) - A containerized tinyproxy variant.
|
- [docker-tinyproxy](https://github.com/ajoergensen/docker-tinyproxy) - A containerized Tinyproxy variant.
|
||||||
|
|
||||||
## ⚖️ License (AGPLv3)
|
## ⚖️ License (AGPLv3)
|
||||||
|
|
||||||
|
@ -1,54 +1,66 @@
|
|||||||
version: "3.8"
|
version: "3.8"
|
||||||
|
|
||||||
|
|
||||||
|
# Setting up 3 default networks to act as dummy:
|
||||||
|
# - backend : internal only network
|
||||||
|
# - dmz : dmz network with connections allowed from internal and external
|
||||||
|
# - egress : dummy egress zone with fake upstream proxy
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
egress:
|
egress:
|
||||||
attachable: true
|
attachable: true
|
||||||
#external: true
|
dmz:
|
||||||
|
attachable: true
|
||||||
#configs:
|
backend:
|
||||||
# filter_file:
|
internal: true
|
||||||
# # config can be predefined / external or loaded from file
|
|
||||||
# #external: true
|
|
||||||
# file: ./filter.txt
|
|
||||||
|
|
||||||
#secrets:
|
|
||||||
# upstream-proxy:
|
|
||||||
# external: true
|
|
||||||
|
|
||||||
services:
|
services:
|
||||||
swarmproxy:
|
# Creating a fake upstream proxy
|
||||||
|
upstream:
|
||||||
image: gitea.ocram85.com/ocram85/swarmproxy:latest
|
image: gitea.ocram85.com/ocram85/swarmproxy:latest
|
||||||
deploy:
|
deploy:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
#secrets:
|
|
||||||
# - upstream-proxy
|
|
||||||
environment:
|
environment:
|
||||||
# Recommended settings
|
- LOGLEVEL=Info
|
||||||
- LOGLEVEL=Connect
|
|
||||||
|
|
||||||
# Use an optional upstream proxy
|
|
||||||
#- UPSTREAM_PROXY=
|
|
||||||
# Set UPSTREAM_PROXY as docker secret if your upstream needs authentication
|
|
||||||
# Eg.: http://user:password@upstream.intra:3128
|
|
||||||
#- UPSTREAM_PROXY_FILE=/run/secrets/UPSTREAM_PROXY
|
|
||||||
|
|
||||||
# OPTIONAL config keys
|
|
||||||
#- TINYPROXY_UID=5123
|
|
||||||
#- TINYPROXY_GID=5123
|
|
||||||
#- PORT=8888
|
|
||||||
#- TIMEOUT=600
|
|
||||||
#- MAXCLIENTS=600
|
|
||||||
#- FILTER_FILE=/app/filter
|
|
||||||
# You can mount a single filter file into the container.
|
|
||||||
# To reload the file use the docker kill -s USR1 <container_id| container_name> command.
|
|
||||||
#volumes:
|
|
||||||
# - ./filter.txt:/app/filter:ro
|
|
||||||
# alenate filter file mount
|
|
||||||
#configs:
|
|
||||||
# - source: filter_file
|
|
||||||
# target: /app/filter
|
|
||||||
networks:
|
networks:
|
||||||
egress:
|
egress:
|
||||||
|
aliases:
|
||||||
|
- upstream
|
||||||
|
|
||||||
|
# Creating our swarmproxy instance to use the external upstream proxy
|
||||||
|
swarmproxy:
|
||||||
|
# Do not use the `latest` tag in production!
|
||||||
|
image: gitea.ocram85.com/ocram85/swarmproxy:latest
|
||||||
|
depends_on:
|
||||||
|
- upstream
|
||||||
|
deploy:
|
||||||
|
replicas: 1
|
||||||
|
environment:
|
||||||
|
- UPSTREAM_PROXY=upstream:8888
|
||||||
|
- LOGLEVEL=Info
|
||||||
|
networks:
|
||||||
|
dmz:
|
||||||
aliases:
|
aliases:
|
||||||
- swarmproxy
|
- swarmproxy
|
||||||
- proxy
|
- proxy
|
||||||
|
egress:
|
||||||
|
|
||||||
|
# container workload example whicht tries to communicate through our swarmproxy instance
|
||||||
|
# http request / response:
|
||||||
|
# [curl container] <---|req/res|---> [swarmproxy] <---|req/res|---> [upstream] <---|req/res|---> [target]
|
||||||
|
curl:
|
||||||
|
image: curlimages/curl:8.1.2
|
||||||
|
command: ["-I", "-x", "proxy:8888", "https://google.com"]
|
||||||
|
depends_on:
|
||||||
|
- upstream
|
||||||
|
- swarmproxy
|
||||||
|
deploy:
|
||||||
|
replicas: 1
|
||||||
|
restart_policy:
|
||||||
|
condition: any
|
||||||
|
delay: 10s
|
||||||
|
max_attempts: 5
|
||||||
|
window: 120s
|
||||||
|
networks:
|
||||||
|
- backend
|
||||||
|
- dmz
|
||||||
|
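Review bot: The `curl` workload is attached to `dmz` as well as `backend`, and `dmz` is declared with only `attachable: true`, not `internal: true`, so the demo container is not limited to the proxy for outbound traffic and the example does not show the "Prevent direct web access" case from the README. Either give `dmz` `internal: true` so that only `swarmproxy` (on `dmz` and `egress`) has a route out, or state in the header comment that the workload can still bypass the proxy. Two smaller points: `upstream` and `swarmproxy` both use `:latest` right next to the "Do not use the `latest` tag in production!" comment, and `depends_on` is ignored by `docker stack deploy`, so the `restart_policy` on `curl` is what actually covers start ordering; a comment saying so would help. The comment typo "whicht" should be "which".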