more strict rules for the container creation (#44)

oleksandr-nc · web-flow · commit 511363484006 · 2025-03-21T15:18:54.000+03:00
Signed-off-by: Oleksander Piskun &lt;oleksandr2088@icloud.com&gt;
diff --git a/haproxy.cfg.template b/haproxy.cfg.template
@@ -41,7 +41,7 @@ frontend docker_engine
     http-request auth realm AppAPI unless valid_credentials
 
     # docker system _ping
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping$ } METH_GET
     # container inspect: GET containers/%s/json
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
     # container inspect: GET containers/%s/logs
@@ -66,19 +66,19 @@ frontend docker_engine
     # ACL to deny if there are any binds
     acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
     # ACL to restrict the type of Mounts to volume
-    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
+    acl type_not_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[[^\]]*(\"Type\"\s*:\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
 
-    # ACL to restrict container creation, that it has HostConfig.Privileged not set
-    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\""
+    # ACL to restrict container creation, that it has HostConfig.Privileged(by searching for "Privileged" word in all payload)
+    acl no_privileged_flag req.body -m reg -i "\"Privileged\""
     # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
-    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*{[^}]*\"Source\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
     # end of container create
 
     # volume create: POST volumes/create
     # restrict name
-    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    acl nc_app_volume_data req.body -m reg -i "\"Name\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
     # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
     acl volume_no_device req.body -m reg -i "\"device\""
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
