I am already a user of the Nextcloud All-in-One, and I am currently trying to learn about Traefik. In my exploration of Traefik I have come across a few places that recommend the use of a Docker Socket Proxy, the following one being the recommendation:
Should I be using a Docker Socket Proxy With Nextcloud All-in-One? If yes, does anyone have a working docker-compose.yml file that would be willing to share?
Or is a Docker Socket Proxy in general not necessary, especially when using an image from a trusted source like Nextcloud or Traefik?
All-In-One orchestrates its own containers. Firewalling it from the Docker socket would inevitably break things.
That said, the UNIX socket shouldn’t ever be exposed other than to tools, containers, and system users you trust.
I would never discourage someone from trying to gain more control over their infrastructure and its various moving parts. I’m just saying you’ll need to be willing to really dig into what AIO and Docker are doing - and assume responsibility for any weird issues that crop up.
My gut tells me that you’d have to make so many exceptions - for AIO to work - with a tool like you linked to, that you’d essentially end up disabling most or all of the security benefit therein.
That tool you linked to could be useful for limiting how much access a - for example - Docker monitoring tool has, since you could make its access effectively read-only. That could be useful and bring some security benefit.
None of this is to say “don’t try it with AIO” - just be prepared to probably be on your own a bit isolating the causes of any issues that come up. You might come up with a working configuration that does increase security. If so, I imagine some in the community would be interested in your results.
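The read-only allowlist the reply describes, written out as an added example (not code from the thread, from Nextcloud AIO, or from any socket-proxy project): the policy, endpoint patterns and request samples below are assumptions modelled on the Docker Engine API, and show why a monitoring tool fits a read-only policy while an orchestrator that creates and starts containers does not.

```python
import re
from dataclasses import dataclass

# Hypothetical read-only policy for a Docker socket proxy (assumption, not a
# specific tool's configuration): only the read-only API calls a monitoring
# tool needs are let through to the real socket.
@dataclass(frozen=True)
class Policy:
    methods: frozenset = frozenset({"GET", "HEAD"})
    # Docker Engine API paths, matched after stripping an optional /v1.xx prefix
    allowed_paths: tuple = (
        r"/containers/json",
        r"/containers/[^/]+/(json|stats|logs|top)",
        r"/images/json",
        r"/info",
        r"/version",
        r"/events",
        r"/_ping",
    )

def is_allowed(method: str, path: str, policy: Policy = Policy()) -> bool:
    """Return True if the request may be forwarded to the Docker socket."""
    if method.upper() not in policy.methods:
        return False  # anything that mutates state (POST/PUT/DELETE) is refused
    # drop the query string and the optional API-version prefix before matching
    path = re.sub(r"^/v\d+\.\d+", "", path.split("?", 1)[0])
    return any(re.fullmatch(p, path) for p in policy.allowed_paths)

def blocked(requests, policy: Policy = Policy()):
    """List the (method, path) pairs the policy would refuse."""
    return [(m, p) for m, p in requests if not is_allowed(m, p, policy)]

# Constructed samples: what a monitoring tool asks for versus what an
# orchestrator that pulls images and creates/starts containers must do.
MONITOR_REQUESTS = [
    ("GET", "/v1.43/containers/json?all=1"),
    ("GET", "/v1.43/containers/abc123/stats?stream=false"),
    ("GET", "/v1.43/info"),
]
ORCHESTRATOR_REQUESTS = [
    ("POST", "/v1.43/images/create?fromImage=example/image"),
    ("POST", "/v1.43/containers/create?name=example-container"),
    ("POST", "/v1.43/containers/abc123/start"),
    ("POST", "/v1.43/volumes/create"),
    ("DELETE", "/v1.43/containers/abc123"),
]

if __name__ == "__main__":
    print("monitor blocked:", blocked(MONITOR_REQUESTS))
    print("orchestrator blocked:", blocked(ORCHESTRATOR_REQUESTS))
```

Every orchestrator request is refused, which is the "so many exceptions" problem the reply predicts for AIO; the monitoring requests all pass.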
As much as I would like to play around with this and hopefully learn more about the All-In-One orchestration, the docker socket, etc., I don’t think I have the time right now. I have decided to go without the proxy for both AIO and Traefik for this reason. Also, I found the Proxy container very slow to start up.