In many operational infrastructures, direct access to the Docker socket is used for monitoring, automation, or CI/CD processes. This direct access can pose a serious security risk: by default, the socket allows execution of all Docker management commands, and unauthorized access could potentially lead to full control over the system.
In this article, we introduce a secure method to provide limited, read-only access to the Docker socket using Docker Socket Proxy. In this solution, HTTP methods such as POST are completely blocked, only the GET method is allowed, and access is restricted to the specific paths that are essential for monitoring. This approach can be highly useful in scenarios where the Moein monitoring platform needs to read Docker information without compromising overall system security.
There are multiple solutions to secure and reduce the risks associated with full access to the Docker socket, including the use of firewalls and various proxies. One suitable and cost-effective solution, due to its open-source nature, is using Docker Socket Proxy. According to conducted tests, it performs effectively and enforces access restrictions accurately and practically.
Additionally, it is recommended that, besides using Docker Socket Proxy, firewall rules should limit access based on the source IP and port of the required systems.
This method is a cost-effective approach that provides a high level of security. Note that more secure solutions tailored to each operational environment may vary; detailed analysis aligned with the policies and requirements of each organization should be conducted by the security team.
In this architecture, instead of direct access from the monitoring tool through a published port to the Docker socket, a protective proxy called Docker Socket Proxy is placed in between. This proxy acts as a filter, allowing only authorized requests to pass through. Consequently, tools that only need to view Docker information (such as container status or Docker version) can securely access this data without the risk of executing destructive commands like creating, stopping, or removing containers.
Essentially, this proxy runs as a separate container that mounts the Docker socket in a read-only mode and accepts only GET methods on specific paths of the Docker API. These paths are selected based on the requirements of the Moein monitoring tool, while all other paths are blocked.
To set this up, the following Docker Compose file needs to be created and executed:
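services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    restart: unless-stopped
    volumes:
      # :ro protects the socket file itself; request filtering is done by the rules below
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Each API section set to 1 is allowed through the proxy
      - CONTAINERS=1
      - IMAGES=1
      - SERVICES=1
      - NODES=1
      - TASKS=1
      - NETWORKS=1
      - VOLUMES=1
      - INFO=1
      - VERSION=1
      - POST=0 # Deny all POST requests
    ports:
      # Published on all host interfaces; limit source IPs with firewall rules
      - "2375:2375"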
To run the proxy with a docker run command instead of Docker Compose, the following command needs to be executed:
docker run -d \
  --name docker-api-proxy \
  --restart=unless-stopped \
  -p 127.0.0.1:2375:2375 \
  -e CONTAINERS=1 \
  -e IMAGES=1 \
  -e SERVICES=1 \
  -e NODES=1 \
  -e TASKS=1 \
  -e NETWORKS=1 \
  -e VOLUMES=1 \
  -e INFO=1 \
  -e VERSION=1 \
  -e POST=0 \
  -e LOG_LEVEL=info \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  tecnativa/docker-socket-proxy
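To confirm that a running proxy actually enforces this policy, the following added example (not part of the original article or of the Docker Socket Proxy project) probes it with curl and reports any request that is handled differently than intended. It assumes the proxy listens on 127.0.0.1:2375 as in the command above and answers denied requests with HTTP 403; probe-nonexistent is a constructed container name, and /secrets and /swarm stand in for API sections this configuration does not enable.

```shell
#!/bin/sh
# Added example: audit a running docker-socket-proxy against the read-only policy.
# Assumption: proxy address as published by the docker run command above.
PROXY="${PROXY:-http://127.0.0.1:2375}"

# Paths enabled by CONTAINERS, IMAGES, ..., VERSION in the configuration above.
ALLOWED_GET="/containers/json /images/json /services /nodes /tasks /networks /volumes /info /version"
# Requests the policy must reject. "probe-nonexistent" is a constructed name:
# even if a request slipped through, Docker would find no such container.
DENIED="POST:/containers/probe-nonexistent/stop DELETE:/containers/probe-nonexistent GET:/secrets GET:/swarm"

# status METHOD PATH: print the HTTP status code (000 if the proxy is unreachable).
status() {
  curl -s -o /dev/null -m 5 -w '%{http_code}' -X "$1" "$PROXY$2"
}

# audit_proxy: print one line per probe; return the number of failed probes.
audit_proxy() {
  failures=0
  for endpoint in $ALLOWED_GET; do
    code=$(status GET "$endpoint")
    # Swarm endpoints answer 503 on a non-swarm host, so anything other than
    # the proxy's 403 (or no answer at all) counts as "allowed through".
    case "$code" in
      403|000) echo "FAIL GET $endpoint -> $code (expected to pass)"
               failures=$((failures + 1)) ;;
      *)       echo "ok   GET $endpoint -> $code" ;;
    esac
  done
  for probe in $DENIED; do
    method=${probe%%:*}
    endpoint=${probe#*:}
    code=$(status "$method" "$endpoint")
    if [ "$code" = 403 ]; then
      echo "ok   $method $endpoint -> 403 (blocked)"
    else
      echo "FAIL $method $endpoint -> $code (expected 403)"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Run the audit only when asked, e.g.: sh audit.sh run  (audit.sh is a hypothetical filename)
if [ "${1:-}" = "run" ]; then audit_proxy; fi
```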
Directly exposing the Docker socket to various monitoring and CI/CD tools, although simple and common, carries significant security risks and can endanger the entire infrastructure. The solution presented in this article, using Docker Socket Proxy, provides controlled and secure access to the Docker API by restricting HTTP methods and precisely defining allowed paths. This approach allows monitoring tools to access the information they need without the ability to make changes or execute management commands on containers. Implementing this model is very simple and quick, yet it can add a highly effective layer of security to your Docker architecture.