A containerized tinyproxy as docker swarm outbound / egress proxy
Go to file
OCram85 78d6610963
All checks were successful
ci / docker (pull_request) Successful in 14s
update changelog
2024-06-20 17:32:57 +02:00
.gitea chore(deps): update actions/metadata-action action to v5 (#20) 2024-06-20 17:30:36 +02:00
.vscode update changelog 2024-06-20 17:32:57 +02:00
.woodpecker setup basic action based ci (#3) 2023-07-10 11:51:45 +02:00
assets finalize ci (#5) 2023-07-11 19:27:12 +02:00
examples Adds examples docs (#13) 2023-07-13 14:01:45 +02:00
.changelog.yml add changelog + release setup 2023-07-12 12:04:24 +02:00
.editorconfig Initial commit 2023-07-04 16:41:17 +02:00
.gitattributes Initial commit 2023-07-04 16:41:17 +02:00
.gitignore Initial commit 2023-07-04 16:41:17 +02:00
.gitlocal Initial commit 2023-07-04 16:41:17 +02:00
CHANGELOG.md update changelog 2024-06-20 17:32:57 +02:00
Dockerfile chore(deps): update alpine docker tag to v3.20.0 (#16) 2024-06-20 17:25:47 +02:00
entrypoint.sh Add Readme content (#11) 2023-07-12 17:25:31 +02:00
LICENSE add first prototype implementation (#1) 2023-07-06 09:29:32 +02:00
README.md fix logo source link 2023-07-13 14:18:38 +02:00
renovate.json adds renovate support (#8) 2023-07-12 14:01:39 +02:00

Swarmproxy - Tame your traffic

🦁 Swarmproxy is a simple http proxy to limit your outbound traffic.

📖 About

Swarmproxy is a simply way to integrate a http proxy in your Docker swarm cluster or any other container network. It acts as an centralized proxy to limit your outbound / egress traffic. You can also add a whitelist filter to limit the allowed domains. There is also an option to use a upstream proxy.

What does Swarmproxy for you?

Enterprise and production environments often face more stringent security requirements. Therefore, unfiltered Internet access may be prohibited.

So Swarmproxy could help you with these features:

  • ✔️ Prevent direct web access from Container workload.
  • ✔️ Upstream proxy with or without authentication
  • ✔️ Optional domain based whitelist filter.

What does Swarmproxy not?

Swarmproxy is just a supercharged Tinyproxy where you can point your container workload to.

  • ☣️ Swarmproxy does not block the web access or other traffic if you workload doesn't use a proxy
  • ☣️ It's not a firewall, thus it does not customize your iptables or any other firewall policies.

🚀 Quickstart

1. Get the image 📦

You can download the image from the Gitea embedded container registry: gitea.ocram85.com/ocram85/swarmproxy with these tags:

  • latest, main - Is based on the lasted master branch commit.
  • 1, 0.1, 0.1.0 - tag based version.

💡 NOTE: See the packages page for latest version and all other available tags.

2. 🛡️ Run as Docker Swarm Stack

This example shows all available configuration keys / environment variables for Swarmproxy.

version: "3.8"

networks:
  egress:
   attachable: true
   #external: true

#configs:
#  filter_file:
#    # config can be predefined / external or loaded from file
#    #external: true
#    file: ./filter.txt

#secrets:
#  upstream-proxy:
#    external: true

services:
  swarmproxy:
    # Do not use the `latest` tag in production!
    image: gitea.ocram85.com/OCram85/swarmproxy:latest
    deploy:
      replicas: 1
    #secrets:
    #  - upstream-proxy
    environment:
      - LOGLEVEL=Info
      # Recommended settings
      # Use an optional upstream proxy
      #- UPSTREAM_PROXY=
      # Set UPSTREAM_PROXY as docker secret if your upstream needs authentication
      # Eg.: http://user:password@upstream.intra:3128
      #- UPSTREAM_PROXY_FILE=/run/secrets/UPSTREAM_PROXY

      # OPTIONAL config keys
      #- TINYPROXY_UID=5123
      #- TINYPROXY_GID=5123
      #- PORT=8888
      #- TIMEOUT=600
      #- MAXCLIENTS=600
      #- FILTER_FILE=/app/filter
    volumes:
      # You can mount a single filter file into the container.
      # To reload the file use the docker kill -s USR1 <container_id| container_name> command.
      # - ./filter.txt:/app/filter:ro
    #configs:
    #  - source: filter_file
    #    target: /app/filter
    networks:
      egress:
        aliases:
          - swarmproxy
          - proxy

🚀 Examples

See the Readme docs in the examples folder...

💣 Known Issues

😡 We're Using GitHub Under Protest

This project is currently mirrored to GitHub. This is not ideal; GitHub is a proprietary, trade-secret system that is not Free and Open Source Software (FOSS). We are deeply concerned about using a proprietary system like GitHub to develop our FOSS project. We have an open Gitea repository where the project contributors are actively discussing how we can move away from GitHub in the long term. We urge you to read about the Give up GitHub campaign from the Software Freedom Conservancy to understand some of the reasons why GitHub is not a good place to host FOSS projects.

If you are a contributor who personally has already quit using GitHub, please check this resource for how to send us contributions without using GitHub directly.

Any use of this project's code by GitHub Copilot, past or present, is done without our permission. We do not consent to GitHub's use of this project's code in Copilot.

Logo of the GiveUpGitHub campaign

🙏 Credits

Swarmproxy is based on the following projects and wouldn't be possible without them:

⚖️ License (AGPLv3)

AGPL

Swarmproxy - A simple http/https proxy for outbound traffic in a docker swarm cluster.
Copyright (C) 2023 "OCram85 <me@ocram85.com>"

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.