rootless?

[airdogvan]

While I appreciate that I can run the 3 containers version, therefore slightly alleviating the risk of access to /var/run/docker.sock by not including it in the nginx (proxy exposing ports) the risk is nevertheless still there since the location of that file is widely known and can easily be exploited by a script that would by other means access the machine.

Wouldn't it be possible to make the location of the socket be chosen by the user (/home/joeblow/run/docker.sock) as is the case when running docker rootless?

Seems to me this would make it much more secure as most experts agree that running docker as root represents the greatest risk in running containers.

[airdogvan]

Sorry to say that with the paste I've lost the indentation in the docker file.

So I tried it just to see and I'm happy to report IT WORKS!
I installed docker rootless according to the directions on their site: https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports

As for the acme-companion I made a few changes:
1 - change the path of the docker.sock file both in the Dockerfile and the docker-compose.yml file
2 - in the docker-compose file changed the network

• commented out the network_mode: bridge
• added
  • networks:
    proxy-net

So (hopefully the paste is going to keep the format) here's what my docker-compose.yml looks like:

version: '2'

services:
nginx-proxy:
image: nginxproxy/nginx-proxy
container_name: nginx-proxy
ports:
- "80:80"
- "443:443"
volumes:
- conf:/etc/nginx/conf.d
- vhost:/etc/nginx/vhost.d
- html:/usr/share/nginx/html
- dhparam:/etc/nginx/dhparam
- certs:/etc/nginx/certs:ro
- /path_to/docker.sock:/tmp/docker.sock:ro
networks:
- proxy-net

acme-companion:
image: nginxproxy/acme-companion
container_name: nginx-proxy-acme
volumes_from:
- nginx-proxy
volumes:
- certs:/etc/nginx/certs:rw
- acme:/etc/acme.sh
- /path_to/docker.sock:/var/run/docker.sock:ro
networks:
- proxy-net

volumes:
conf:
vhost:
html:
dhparam:
certs:
acme:

networks:
proxy-net:

With that all the containers I start (with the necessary env variables DOCKER_HOST, LETSENCRYPT_HOST, VIRTUAL_PORT and also the proxy-net declared external) under my user (non root) are correctly certified and redirected by the proxy and I can connect to each on from an external machine.

I of course don't know if there is something in the existing code of both proxy and acme-companion for which this method would represent a security risk and would be extremely grateful if one of the contributors could point me out to some potential danger with this method.

So unless as said someone sees a potential security risk here this seems to me a much better method of running the proxy as all containers are run as unprivileged users. Additionally I've shut down the root docker system which means that it is NOT possible to start containers as root.