Switch back to HAProxy

.github/workflows/external_trigger.yml

@@ -27,7 +27,7 @@ jobs:
           echo "> External trigger running off of main branch. To disable this trigger, add \`socket-proxy_main\` into the Github organizational variable \`SKIP_EXTERNAL_TRIGGER\`." >> $GITHUB_STEP_SUMMARY
           printf "\n## Retrieving external version\n\n" >> $GITHUB_STEP_SUMMARY
           EXT_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
-            && awk '/^P:'"nginx"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://')
+            && awk '/^P:'"haproxy"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://')
           echo "Type is \`alpine_repo\`" >> $GITHUB_STEP_SUMMARY
           if grep -q "^socket-proxy_main_${EXT_RELEASE}" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
             echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
@@ -104,7 +104,7 @@ jobs:
           if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
             echo "Version \`${EXT_RELEASE}\` already pushed, exiting" >> $GITHUB_STEP_SUMMARY
             exit 0
-          elif [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"nginx"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]]; then
+          elif [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"haproxy"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]]; then
             echo "New version \`${EXT_RELEASE}\` found; but not all arch repos updated yet; exiting" >> $GITHUB_STEP_SUMMARY
             FAILURE_REASON="New version ${EXT_RELEASE} for socket-proxy tag latest is detected, however not all arch repos are updated yet. Will try again later."
             curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,

Dockerfile

@@ -5,7 +5,7 @@ FROM docker.io/alpine:3.21
 # set version label
 ARG BUILD_DATE
 ARG VERSION
-ARG NGINX_VERSION
+ARG HAPROXY_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
 LABEL maintainer="thespad"
 
@@ -14,18 +14,19 @@ RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache \
     alpine-release \
-    bash \
-    curl \
-    envsubst && \
-  if [ -z ${NGINX_VERSION+x} ]; then \
-  NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
-    && awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
+    curl && \
+  if [ -z ${HAPROXY_VERSION+x} ]; then \
+  HAPROXY_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+    && awk '/^P:haproxy$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
   fi && \
   apk add --no-cache \
-    nginx==${NGINX_VERSION} && \
+    haproxy==${HAPROXY_VERSION} && \
   printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
-  rm -f /etc/nginx/conf.d/stream.conf && \
-  rm -f /etc/nginx/http.d/default.conf
+  apk del --no-cache \
+    curl && \
+  rm -rf \
+    /etc/haproxy \
+    /tmp/*
 
 ENV ALLOW_RESTARTS=0 \
   ALLOW_STOP=0 \
@@ -58,6 +59,4 @@ ENV ALLOW_RESTARTS=0 \
 # add local files
 COPY root/ /
 
-EXPOSE 2375
-
 ENTRYPOINT ["/docker-entrypoint.sh"]

Dockerfile.aarch64

@@ -5,7 +5,7 @@ FROM docker.io/alpine:3.21
 # set version label
 ARG BUILD_DATE
 ARG VERSION
-ARG NGINX_VERSION
+ARG HAPROXY_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
 LABEL maintainer="thespad"
 
@@ -14,18 +14,19 @@ RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache \
     alpine-release \
-    bash \
-    curl \
-    envsubst && \
-  if [ -z ${NGINX_VERSION+x} ]; then \
-  NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
-    && awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
+    curl && \
+  if [ -z ${HAPROXY_VERSION+x} ]; then \
+  HAPROXY_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+    && awk '/^P:haproxy$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
   fi && \
   apk add --no-cache \
-    nginx==${NGINX_VERSION} && \
+    haproxy==${HAPROXY_VERSION} && \
   printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
-  rm -f /etc/nginx/conf.d/stream.conf && \
-  rm -f /etc/nginx/http.d/default.conf
+  apk del --no-cache \
+    curl && \
+  rm -rf \
+    /etc/haproxy \
+    /tmp/*
 
 ENV ALLOW_RESTARTS=0 \
   ALLOW_STOP=0 \
@@ -58,6 +59,4 @@ ENV ALLOW_RESTARTS=0 \
 # add local files
 COPY root/ /
 
-EXPOSE 2375
-
 ENTRYPOINT ["/docker-entrypoint.sh"]

Jenkinsfile

@@ -19,7 +19,7 @@ pipeline {
     DOCKERHUB_TOKEN=credentials('docker-hub-ci-pat')
     QUAYIO_API_TOKEN=credentials('quayio-repo-api-token')
     GIT_SIGNING_KEY=credentials('484fbca6-9a4f-455e-b9e3-97ac98785f5f')
-    BUILD_VERSION_ARG = 'NGINX_VERSION'
+    BUILD_VERSION_ARG = 'HAPROXY_VERSION'
     LS_USER = 'linuxserver'
     LS_REPO = 'docker-socket-proxy'
     CONTAINER_NAME = 'socket-proxy'
@@ -28,7 +28,7 @@ pipeline {
     PR_DOCKERHUB_IMAGE = 'lspipepr/socket-proxy'
     DIST_IMAGE = 'alpine'
     DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.21/main/'
-    DIST_REPO_PACKAGES = 'nginx'
+    DIST_REPO_PACKAGES = 'haproxy'
     MULTIARCH='true'
     CI='true'
     CI_WEB='false'

README.md

@@ -52,7 +52,7 @@ The architectures supported by this image are:
 
 ## Application Setup
 
-This container is based on [https://github.com/Tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) and as such does not follow our usual container conventions. It *does not* support mods or custom scripts/services, or running as a user other than root (or the docker user in a rootless environment). It is designed to act as a drop-in replacement for the Tecnativa container.
+This container is conceptually based on [https://github.com/Tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) and as such does not follow our usual container conventions. It *does not* support mods or custom scripts/services, or running as a user other than root (or the docker user in a rootless environment). It is designed to act as a drop-in replacement for the Tecnativa container.
 
 The container should be run on the same docker network as the service(s) using it. Most containers that would normally connect to a mounted docker.sock can have their endpoint overridden using the `DOCKER_HOST` environment variable if they do not offer the option in their configuration; it should typically be pointed to `tcp://socket-proxy:2375`.
 
@@ -100,7 +100,6 @@ services:
       - PING=1 #optional
       - PLUGINS=0 #optional
       - POST=0 #optional
-      - PROXY_READ_TIMEOUT=240 #optional
       - SECRETS=0 #optional
       - SERVICES=0 #optional
       - SESSION=0 #optional
@@ -141,7 +140,6 @@ docker run -d \
   -e PING=1 `#optional` \
   -e PLUGINS=0 `#optional` \
   -e POST=0 `#optional` \
-  -e PROXY_READ_TIMEOUT=240 `#optional` \
   -e SECRETS=0 `#optional` \
   -e SERVICES=0 `#optional` \
   -e SESSION=0 `#optional` \
@@ -172,7 +170,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e CONFIGS=0` | `/configs` |
 | `-e CONTAINERS=0` | `/containers` |
 | `-e DISTRIBUTION=0` | `/distribution` |
-| `-e DISABLE_IPV6=0` | Set to `1` to prevent nginx binding to the IPv6 interface for legacy system that cannot support IPv6. |
+| `-e DISABLE_IPV6=0` | Set to `1` to prevent binding to the IPv6 interface for legacy system that cannot support IPv6. |
 | `-e EVENTS=1` | `/events` |
 | `-e EXEC=0` | `/exec` & `/containers/{id}/exec` |
 | `-e IMAGES=0` | `/images` |
@@ -182,7 +180,6 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PING=1` | `/_ping` |
 | `-e PLUGINS=0` | `/plugins` |
 | `-e POST=0` | When set to `0`, only `GET` and `HEAD` operations are allowed, making API access read-only. |
-| `-e PROXY_READ_TIMEOUT=240` | Connection timeout when no data is being sent. Useful for tailing quiet containers. Accepts values in s/m/h/d/w, no suffix assumes s. |
 | `-e SECRETS=0` | `/secrets` |
 | `-e SERVICES=0` | `/services` |
 | `-e SESSION=0` | `/session` |
@@ -315,6 +312,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **06.04.25:** - Switch back to haproxy for better handling of `docker exec` connection hijacking.
 * **02.01.25:** - Support custom read timeout values.
 * **05.12.24:** - Rebase to Alpine 3.21.
 * **26.08.24:** - Change `ALLOW_START`, `ALLOW_STOP`, and `ALLOW_RESTARTS` to work even with `POST=0`.

jenkins-vars.yml

@@ -9,7 +9,7 @@ ls_branch: main
 image_sbom: true
 image_provenance: true
 repo_vars:
-  - BUILD_VERSION_ARG = 'NGINX_VERSION'
+  - BUILD_VERSION_ARG = 'HAPROXY_VERSION'
   - LS_USER = 'linuxserver'
   - LS_REPO = 'docker-socket-proxy'
   - CONTAINER_NAME = 'socket-proxy'
@@ -18,7 +18,7 @@ repo_vars:
   - PR_DOCKERHUB_IMAGE = 'lspipepr/socket-proxy'
   - DIST_IMAGE = 'alpine'
   - DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.21/main/'
-  - DIST_REPO_PACKAGES = 'nginx'
+  - DIST_REPO_PACKAGES = 'haproxy'
   - MULTIARCH='true'
   - CI='true'
   - CI_WEB='false'

readme-vars.yml

@@ -59,7 +59,7 @@ full_custom_readme: |
 
   ## Application Setup
 
-  This container is based on [https://github.com/Tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) and as such does not follow our usual container conventions. It *does not* support mods or custom scripts/services, or running as a user other than root (or the docker user in a rootless environment). It is designed to act as a drop-in replacement for the Tecnativa container.
+  This container is conceptually based on [https://github.com/Tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) and as such does not follow our usual container conventions. It *does not* support mods or custom scripts/services, or running as a user other than root (or the docker user in a rootless environment). It is designed to act as a drop-in replacement for the Tecnativa container.
 
   The container should be run on the same docker network as the service(s) using it. Most containers that would normally connect to a mounted docker.sock can have their endpoint overridden using the `DOCKER_HOST` environment variable if they do not offer the option in their configuration; it should typically be pointed to `tcp://socket-proxy:2375`.
 
@@ -107,7 +107,6 @@ full_custom_readme: |
         - PING=1 #optional
         - PLUGINS=0 #optional
         - POST=0 #optional
-        - PROXY_READ_TIMEOUT=240 #optional
         - SECRETS=0 #optional
         - SERVICES=0 #optional
         - SESSION=0 #optional
@@ -148,7 +147,6 @@ full_custom_readme: |
     -e PING=1 `#optional` \
     -e PLUGINS=0 `#optional` \
     -e POST=0 `#optional` \
-    -e PROXY_READ_TIMEOUT=240 `#optional` \
     -e SECRETS=0 `#optional` \
     -e SERVICES=0 `#optional` \
     -e SESSION=0 `#optional` \
@@ -179,7 +177,7 @@ full_custom_readme: |
   | `-e CONFIGS=0` | `/configs` |
   | `-e CONTAINERS=0` | `/containers` |
   | `-e DISTRIBUTION=0` | `/distribution` |
-  | `-e DISABLE_IPV6=0` | Set to `1` to prevent nginx binding to the IPv6 interface for legacy system that cannot support IPv6. |
+  | `-e DISABLE_IPV6=0` | Set to `1` to prevent binding to the IPv6 interface for legacy system that cannot support IPv6. |
   | `-e EVENTS=1` | `/events` |
   | `-e EXEC=0` | `/exec` & `/containers/{id}/exec` |
   | `-e IMAGES=0` | `/images` |
@@ -189,7 +187,6 @@ full_custom_readme: |
   | `-e PING=1` | `/_ping` |
   | `-e PLUGINS=0` | `/plugins` |
   | `-e POST=0` | When set to `0`, only `GET` and `HEAD` operations are allowed, making API access read-only. |
-  | `-e PROXY_READ_TIMEOUT=240` | Connection timeout when no data is being sent. Useful for tailing quiet containers. Accepts values in s/m/h/d/w, no suffix assumes s. |
   | `-e SECRETS=0` | `/secrets` |
   | `-e SERVICES=0` | `/services` |
   | `-e SESSION=0` | `/session` |
@@ -322,6 +319,7 @@ full_custom_readme: |
 
   ## Versions
 
+  * **06.04.25:** - Switch back to haproxy for better handling of `docker exec` connection hijacking.
   * **02.01.25:** - Support custom read timeout values.
   * **05.12.24:** - Rebase to Alpine 3.21.
   * **26.08.24:** - Change `ALLOW_START`, `ALLOW_STOP`, and `ALLOW_RESTARTS` to work even with `POST=0`.

root/docker-entrypoint.sh

@@ -1,18 +1,14 @@
-#!/bin/bash
+#!/bin/sh
 
-export PROXY_READ_TIMEOUT=${PROXY_READ_TIMEOUT:-240}
+mkdir -p /run/haproxy
 
-if [[ $POST == 1 ]] && [[ $DISABLE_IPV6 == 1 ]]; then
-    envsubst "$(printf '${%s} ' $(bash -c "compgen -A variable"))" < /templates/default_post_ipv4.template > /run/default.conf
-elif [[ $POST == 0 ]] && [[ $DISABLE_IPV6 == 1 ]]; then
-    envsubst "$(printf '${%s} ' $(bash -c "compgen -A variable"))" < /templates/default_nopost_ipv4.template > /run/default.conf
-elif [[ $POST == 1 ]]; then
-    envsubst "$(printf '${%s} ' $(bash -c "compgen -A variable"))" < /templates/default_post.template > /run/default.conf
+if [ "${DISABLE_IPV6}" = 1 ]; then
+    BIND_PROTO=":2375"
 else
-    envsubst "$(printf '${%s} ' $(bash -c "compgen -A variable"))" < /templates/default_nopost.template > /run/default.conf
+    BIND_PROTO="[::]:2375 v4v6"
 fi
 
-mkdir /run/nginx-tmp
+sed "s/@@BIND_PROTO@@/${BIND_PROTO}/g" /templates/haproxy.cfg > /run/haproxy/haproxy.cfg
 
 echo '
 ───────────────────────────────────────
@@ -32,7 +28,7 @@ To support LSIO projects visit:
 https://www.linuxserver.io/donate/
 
 ───────────────────────────────────────'
-if [[ -f /build_version ]]; then
+if [ -f /build_version ]; then
     cat /build_version
     echo '
 ───────────────────────────────────────
@@ -41,4 +37,4 @@ fi
 
 echo "[ls.io-init] done."
 
-exec /usr/sbin/nginx -e stderr
+exec /usr/sbin/haproxy -f /run/haproxy/haproxy.cfg -W -db