Can you proxy all network traffic outgoing from docker to a proxy running on the host?

I want to “forward” (or is it actually backward?) all traffic outgoing from my docker on port 80 to a proxy on the host (my ubuntu) on port 4033.
The docker is a readymade docker, and I don’t want/can’t build it. So I tried a few approaches:

  1. I tried to use port forwarding (but it turned out to forward from the outer world into the docker… what was I thinking?)

    sudo docker run -p 22225:80 app/app

  2. Before that I tried setting a proxy config.json file:

    sudo docker --config /home/user/bla/bla/docker-config run --rm app/app

And set /home/user/bla/bla/docker-config/config.json to:

    {
      "proxies":
      {
        "default":
        {
          "httpProxy": "http://127.0.0.1:22225",
          "httpsProxy": "http://127.0.0.1:22225"
        }
      }
    }

  3. I tried setting the http_proxy environment variables as follows:

    sudo HTTP_PROXY=http://127.0.0.1:22225/ HTTPS_PROXY=https://127.0.0.1:22225/ docker run --rm app/app

  4. And also this way:

    export HTTP_PROXY=http://127.0.0.1:22225/
    export HTTPS_PROXY=https://127.0.0.1:22225/
    sudo docker run --rm app/app

  5. I actually tried numerous other options but I utterly failed to proxy network traffic going out from the docker to my local proxy…

Any clue what I am doing wrong?

1 Like

As far as I can judge, you did just configure the proxy for the engine itself (e.g. interactions with dockerhub while pulling images), but you need to set the proxy inside the container itself.

If the application inside the container respects the HTTP_PROXY environment variable, then declaring it with -e is sufficient. Though, other applications (like java applications) may require the configuration in a different way.

Like this:

    sudo docker run --rm -e HTTP_PROXY=http://127.0.0.1:22225/ -e HTTPS_PROXY=https://127.0.0.1:22225/ app/app

For any configuration for the container (like used/interpreted by the app running in the container), wouldn’t that need something like http://host.docker.internal:22225 (and for Linux set --add-host=host.docker.internal:host-gateway or use 172.17.0.1 instead of host.docker.internal) to refer to the host?

1 Like

Good catch, Arjan!

Of course it would be wrong to use 127.0.0.1 or localhost to access a service on the host from the container, as localhost in the container != localhost on the host (except when --network host is used)

I did that also… and it might actually have worked. The thing is that it’s kind of a tough job to monitor outgoing traffic from the docker (there’s lots of it) and see if the proxying actually worked. I tried both the net-tools on ubuntu (and there is a way to use it as if inside a docker) and also wireshark (using the docker network interface) but it’s not very clear if the networking was actually tunneled through the proxy or not…
To make matters harder, sometimes the site that is being proxied to responds with a 502 error when the proxy address is being identified as an intruder, so it’s not very clear where the problem is and where it isn’t …

BTW
Is the host always identified by 172.17.0.1?

If it’s on the same node, it should be either 172.17.0.1 (ip of the docker0 interface) or 172.18.0.1 (ip of the docker_gwbridge interface)

2 Likes
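
On the question of how to tell whether the container's traffic really reaches the host proxy: the following is an added example, not code from any poster in this thread. It is a minimal logging listener in Python to run on the host in place of the real proxy while testing. It assumes the docker0 address 172.17.0.1 and port 22225 mentioned above; it relays only plain `http://` URLs and logs, but does not tunnel, `CONNECT` requests.

```python
import http.server
import threading
import urllib.request

SEEN = []  # (client_ip, method, target) for each request that reached the listener

class LoggingProxy(http.server.BaseHTTPRequestHandler):
    def _record(self):
        entry = (self.client_address[0], self.command, self.path)
        SEEN.append(entry)
        print("via proxy: %s %s %s" % entry)

    def do_GET(self):
        # A client honouring HTTP_PROXY sends the absolute URL as the request target.
        self._record()
        if not self.path.startswith("http://"):
            # Refuse file:// and other schemes urllib would otherwise open.
            self.send_error(400, "absolute http:// URL required")
            return
        try:
            # ProxyHandler({}) fetches directly, ignoring proxy variables on the host.
            opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
            with opener.open(self.path, timeout=10) as upstream:
                status, body = upstream.status, upstream.read()
        except Exception:
            status, body = 502, b"upstream fetch failed\n"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_CONNECT(self):
        # HTTPS through a proxy arrives as "CONNECT host:443"; log it, do not tunnel.
        self._record()
        self.send_error(501, "CONNECT logged, tunnelling not implemented")

    def log_message(self, fmt, *args):
        pass  # _record() already prints one line per request

def start_proxy(bind_ip, port):
    server = http.server.ThreadingHTTPServer((bind_ip, port), LoggingProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    # Assumption: 172.17.0.1 is the docker0 address, 22225 the port used in the thread.
    # Binding to the bridge address keeps the listener off other interfaces.
    start_proxy("172.17.0.1", 22225)
    threading.Event().wait()
```

If no line is printed while the container is making requests, the application is not using the proxy settings or cannot reach the host address; a listener bound only to 127.0.0.1 on the host is not reachable from a bridge-network container.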