Why use a proxy in enterprise environments?
Proxy servers play a vital role in securing, optimizing, and managing enterprise networks while ensuring adherence to corporate policies and legal requirements. For example, proxies enforce access control through content filtering, blocking access to non-work-related or inappropriate websites (e.g., social media, gambling) in line with organizational policy. Although proxy servers play a vital role in enterprise environments, they can pose challenges when working with services like Docker. Without proper proxy configuration for these services, users may encounter significant connectivity issues, leading to disruptions and inefficiencies.
In this article we focus on proxy configuration for Docker when the Docker service runs in a Linux environment.
Docker Architecture
First, let's have a look at the Docker architecture.
Image source : https://www.geeksforgeeks.org/architecture-of-docker/
Docker operates on a client-server architecture. The Docker Client communicates with the Docker Daemon, which handles the building, running, and managing of containers. The client and daemon can run on the same machine or be connected remotely. Communication between them occurs via a REST API, using UNIX sockets or a network interface, enabling flexibility and scalability in managing containerized applications.
- Docker Client: The interface through which users interact with Docker, sending commands to the Docker Daemon via a command-line or API.
- Docker Daemon: The core service running on the Docker Host, responsible for managing containers, images, networks, and storage.
- Docker Host: The physical or virtual machine where Docker Daemon runs and manages containers using the host's resources.
- Docker Registry: A storage and distribution system for Docker images, often hosted locally or via public services like Docker Hub.
Docker Daemon Proxy
Case 1: When running Docker as a systemd service (this is applicable for most cases)
Option 1: If you're running the Docker daemon as a systemd service, you can create a systemd drop-in file that sets the variables for the docker service.
- Step 1: Create a systemd drop-in directory for the docker service (if it does not exist):
sudo mkdir -p /etc/systemd/system/docker.service.d
- Step 2: Create a file named /etc/systemd/system/docker.service.d/http-proxy.conf that adds the environment variables:
Important:
- If you are behind an HTTPS proxy server, set the HTTPS_PROXY environment variable.
- If you have internal Docker registries that you need to contact without proxying, you can specify them via the NO_PROXY environment variable.
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:3128"
Environment="HTTPS_PROXY=https://proxy.example.com:3129"
Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp"
- Step 3: Reload the systemd configuration and restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
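An added example, not from the original article: a POSIX shell audit of the drop-in from step 2 that checks both proxy variables are set and that an internal registry is actually covered by NO_PROXY. The function names and the simplified matching (host names and domain suffixes only, no CIDR or port handling) are assumptions of this example, and the sample file is constructed from the values shown in step 2.

```shell
#!/bin/sh
# Added example: audit a Docker systemd proxy drop-in. Function names are hypothetical.

# dropin_get FILE NAME: print the value from the last Environment="NAME=value" line.
dropin_get() {
    sed -n "s/^Environment=\"$2=\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# no_proxy_covers LIST HOST: succeed if HOST matches an entry of the comma-separated LIST.
# Simplified matching (assumption): "name" matches itself and its subdomains,
# ".name" and "*.name" match subdomains only; CIDR ranges and ports are not handled.
no_proxy_covers() (
    set -f                  # entries such as "*.corp" must not be glob-expanded
    IFS=,
    for entry in $1; do
        entry=${entry#\*}   # treat "*.corp" like ".corp"
        [ -n "$entry" ] || continue
        case $entry in
            .*) case $2 in *"$entry") exit 0 ;; esac ;;
            *)  case $2 in "$entry"|*".$entry") exit 0 ;; esac ;;
        esac
    done
    exit 1
)

# audit_dropin FILE REGISTRY_HOST: print findings; the exit status is their count.
audit_dropin() {
    findings=0
    grep -q '^\[Service\]' "$1" || { echo "missing [Service] section"; findings=$((findings + 1)); }
    for name in HTTP_PROXY HTTPS_PROXY; do
        [ -n "$(dropin_get "$1" "$name")" ] || { echo "$name is not set"; findings=$((findings + 1)); }
    done
    no_proxy_covers "$(dropin_get "$1" NO_PROXY)" "$2" ||
        { echo "$2 is not in NO_PROXY and would go through the proxy"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample: the drop-in from step 2, written to a temporary file.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:3128"
Environment="HTTPS_PROXY=https://proxy.example.com:3129"
Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp"
EOF

audit_dropin "$sample" docker-registry.example.com && echo "drop-in OK"
audit_dropin "$sample" registry.example.net || true   # constructed host that is not bypassed
```

Run it against the real file by passing /etc/systemd/system/docker.service.d/http-proxy.conf and the registry host name to audit_dropin.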
Option 2: You may configure proxy behavior for the daemon in the daemon.json file.
- Step 1: Modify /etc/docker/daemon.json as shown below:
{
  "proxies": {
    "http-proxy": "http://proxy.example.com:3128",
    "https-proxy": "https://proxy.example.com:3129",
    "no-proxy": "*.test.example.com,.example.org,127.0.0.0/8"
  }
}
- Step 2: Reload the systemd configuration and restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
Case 2: When not running as a systemd service
Option 1: Environment variables (set in the shell or system environment)
Environment variables have the highest precedence. If you set HTTP_PROXY, HTTPS_PROXY, or NO_PROXY in the shell (e.g., via export commands) before starting Docker, they will override settings from daemon.json or any startup script.
export HTTP_PROXY="http://your-proxy.example.com:port"
export HTTPS_PROXY="https://your-proxy.example.com:port"
export NO_PROXY="localhost,127.0.0.1,*.yourdomain.com"
Option 2: Startup scripts (e.g., /etc/default/docker or /etc/sysconfig/docker)
- If Docker is managed by an init system (e.g., SysVinit), proxy settings defined in startup scripts have the second-highest precedence. These scripts are executed before starting the Docker daemon, so any proxy settings in them will take effect.
- For example, on a system using /etc/default/docker (common on Debian/Ubuntu systems), you would add the proxy environment variables:
HTTP_PROXY="http://your-proxy.example.com:port"
HTTPS_PROXY="https://your-proxy.example.com:port"
NO_PROXY="localhost,127.0.0.1,*.yourdomain.com"
Option 3: daemon.json Configuration File
- If neither environment variables nor startup scripts are used, Docker will fall back to the configuration in the daemon.json file, which is located at /etc/docker/daemon.json (or another system-specific location).
- The proxy settings in daemon.json will take effect only if no environment variables or startup scripts override them.
Docker Client Proxy
You can add proxy configurations for the Docker client using a JSON configuration file located at ~/.docker/config.json:
{
  "proxies": {
    "default": {
      "httpProxy": "http://proxy.example.com:3128",
      "httpsProxy": "https://proxy.example.com:3129",
      "noProxy": "*.test.example.com,.example.org,127.0.0.0/8"
    }
  }
}
- The configuration becomes active after saving the file; you don't need to restart Docker.
- However, the configuration only applies to new containers and builds, and doesn't affect existing containers.
Example Use case
What happens during docker pull?
- Docker Client:
  - Sends an API request to the Docker Daemon (POST /images/create) to pull the image.
  - The Client does not initiate any direct connection to the Docker registry (e.g., Docker Hub). It’s merely a command issuer.
- Docker Daemon:
  - Handles all the network operations to fetch the image layers and metadata from the registry.
  - Uses the Daemon Proxy settings to route traffic if a proxy is configured.
- Proxy Usage Breakdown:
  - Since the Docker Client doesn’t perform any direct external communication in this operation, it does not need to use a proxy.
  - The Docker Daemon does use the proxy because it is responsible for fetching the image from the registry.