Air-gapped containers
Air-gapped containers let you restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from.
Docker Desktop can apply a custom set of proxy rules to network traffic from containers. The proxy can be configured to:
- Accept network connections
- Reject network connections
- Tunnel through an HTTP or SOCKS proxy
You can choose:
- Which outgoing TCP ports the policy applies to. For example, only certain ports,
80
,443
or all with*
. - Whether to forward to a single HTTP or SOCKS proxy, or to have a policy per destination via a Proxy Auto-Configuration (PAC) file.
Configuration
Assuming
enforced sign-in and
Settings Management are enabled, add the new proxy configuration to the admin-settings.json
file. For example:
{
"configurationFileVersion": 2,
"containersProxy": {
"locked": true,
"mode": "manual",
"http": "",
"https": "",
"exclude": "",
"pac": "http://192.168.1.16:62039/proxy.pac",
"transparentPorts": "*"
}
}
The containersProxy
setting describes the policy which is applied to traffic from containers. The valid fields are:
locked
: If true, it is not possible for developers to override these settings. If false the settings are interpreted as default values which the developer can change.mode
: Same meaning as with the existingproxy
setting. Possible values aresystem
andmanual
.http
,https
,exclude
: Same meaning as with theproxy
setting. Only takes effect ifmode
is set tomanual
.pac
: URL for a PAC file. Only takes effect ifmode
ismanual
, and is considered higher priority thanhttp
,https
,exclude
.transparentPorts
: A comma-separated list of ports (e.g."80,443,8080"
) or a wildcard (*
) indicating which ports should be proxied.
Important
Any existing
proxy
setting in theadmin-settings.json
file continues to apply to traffic from the app on the host.
Example PAC file
For general information about PAC files, see the MDN Web Docs.
The following is an example PAC file:
function FindProxyForURL(url, host) {
if (localHostOrDomainIs(host, 'internal.corp')) {
return "PROXY 10.0.0.1:3128";
}
if (isInNet(host, "192.168.0.0", "255.255.255.0")) {
return "DIRECT";
}
return "PROXY reject.docker.internal:1234";
}
The url
parameter is either http://host_or_ip:port
or https://host_or_ip:port
.
The hostname is normally available for outgoing requests on port 80
and 443
, but for other cases there is only an IP address.
The FindProxyForURL
can return the following values:
PROXY host_or_ip:port
: Tunnels this request through the HTTP proxyhost_or_ip:port
SOCKS5 host_or_ip:port
: Tunnels this request through the SOCKS proxyhost_or_ip:port
DIRECT
: Lets this request go direct, without a proxyPROXY reject.docker.internal:any_port
: Rejects this request
In this particular example, HTTP and HTTPS requests for internal.corp
are sent via the HTTP proxy 10.0.0.1:3128
. Requests to connect to IPs on the subnet 192.168.0.0/24
connect directly. All other requests are blocked.
To restrict traffic connecting to ports on the developers local machine,
match the special hostname host.docker.internal
.