Introduced in Docker Desktop 4.29.0 (see the release notes: /manuals/desktop/release-notes.md#4290).
Air-Gapped Containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from.
Docker Desktop can apply a custom set of proxy rules to network traffic from containers. The proxy can be configured to:
- Allow network connections
- Reject network connections
- Tunnel through an HTTP or SOCKS proxy
You can choose:

- Which outgoing TCP ports the policy applies to. For example, only certain ports, `80,443`, or all with `*`.
- Whether to forward to a single HTTP or SOCKS proxy, or to have a policy per destination via a Proxy Auto-Configuration (PAC) file.
## Configuration

Assuming enforced sign-in and Settings Management are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:

```json
{
  "configurationFileVersion": 2,
  "containersProxy": {
    "locked": true,
    "mode": "manual",
    "http": "",
    "https": "",
    "exclude": "",
    "pac": "http://192.168.1.16:62039/proxy.pac",
    "transparentPorts": "*"
  }
}
```
The `containersProxy` setting describes the policy which is applied to traffic from containers. The valid fields are:

- `locked`: If true, it is not possible for developers to override these settings. If false, the settings are interpreted as default values which the developer can change.
- `mode`: Same meaning as with the existing `proxy` setting. Possible values are `system` and `manual`.
- `http`, `https`, `exclude`: Same meaning as with the `proxy` setting. Only takes effect if `mode` is set to `manual`.
- `pac`: URL for a PAC file. Only takes effect if `mode` is `manual`, and is considered higher priority than `http`, `https`, `exclude`.
- `transparentPorts`: A comma-separated list of ports (e.g. `"80,443,8080"`) or a wildcard (`*`) indicating which ports should be proxied.
> [!IMPORTANT]
> Any existing `proxy` setting in the `admin-settings.json` file continues to apply to traffic from the app on the host.
## Example PAC file
For general information about PAC files, see the MDN Web Docs.
The following is an example PAC file:

```javascript
function FindProxyForURL(url, host) {
  if (localHostOrDomainIs(host, 'internal.corp')) {
    return "PROXY 10.0.0.1:3128";
  }
  if (isInNet(host, "192.168.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return "PROXY reject.docker.internal:1234";
}
```
The `url` parameter is either `http://host_or_ip:port` or `https://host_or_ip:port`.

The hostname is normally available for outgoing requests on port `80` and `443`, but for other cases there is only an IP address.

The `FindProxyForURL` function can return the following values:

- `PROXY host_or_ip:port`: Tunnels this request through the HTTP proxy `host_or_ip:port`
- `SOCKS5 host_or_ip:port`: Tunnels this request through the SOCKS proxy `host_or_ip:port`
- `DIRECT`: Allows this request to go direct, without a proxy
- `PROXY reject.docker.internal:any_port`: Rejects this request

In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked.

To restrict traffic connecting to ports on the developer's local machine, match the special hostname `host.docker.internal`.
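Because a PAC policy is the only thing standing between a container and the network, it is worth checking offline which destinations it allows, tunnels or rejects before rolling it out. The harness below is an added example, not code from the Docker documentation: it supplies minimal stand-ins for the PAC built-ins `isInNet` and `localHostOrDomainIs` (Docker Desktop's own evaluator provides the real ones), extends the page's policy with the `host.docker.internal` rule described above, and classifies a set of constructed sample destinations into the actions the page lists.

```javascript
// Added example (not from the Docker docs): evaluate a container-proxy PAC
// policy offline against sample destinations. Helper functions are minimal
// stand-ins for the PAC built-ins; hostnames are not resolved (no DNS offline).

function ip4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// isInNet(host, pattern, mask): true when an IPv4 literal host lies in the subnet.
function isInNet(host, pattern, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return (ip4ToInt(host) & ip4ToInt(mask)) === (ip4ToInt(pattern) & ip4ToInt(mask));
}

// localHostOrDomainIs(host, hostdom): exact match, or host is the unqualified prefix.
function localHostOrDomainIs(host, hostdom) {
  return host === hostdom || hostdom.startsWith(host + ".");
}

// The page's policy plus a rule that blocks connections to the developer's machine.
function FindProxyForURL(url, host) {
  if (host === "host.docker.internal") return "PROXY reject.docker.internal:1234";
  if (localHostOrDomainIs(host, "internal.corp")) return "PROXY 10.0.0.1:3128";
  if (isInNet(host, "192.168.0.0", "255.255.255.0")) return "DIRECT";
  return "PROXY reject.docker.internal:1234";
}

// Map a PAC verdict to the action Docker Desktop takes on the container's connection.
function classify(url, host) {
  const verdict = FindProxyForURL(url, host);
  if (verdict === "DIRECT") return { action: "direct" };
  const m = /^(PROXY|SOCKS5)\s+([^:\s]+):(\d+)$/.exec(verdict);
  if (!m) throw new Error("unexpected PAC verdict: " + verdict);
  if (m[1] === "PROXY" && m[2] === "reject.docker.internal") return { action: "reject" };
  return { action: m[1] === "PROXY" ? "http-proxy" : "socks5-proxy", proxy: m[2] + ":" + m[3] };
}

// Constructed sample destinations in the shape Docker passes them (http(s)://host_or_ip:port).
const SAMPLES = [
  ["https://internal.corp:443", "internal.corp"],
  ["http://192.168.0.42:80", "192.168.0.42"],
  ["http://host.docker.internal:8080", "host.docker.internal"],
  ["https://example.com:443", "example.com"],
];

// Returns one {url, action[, proxy]} record per sample so the policy can be reviewed.
function auditPolicy() {
  return SAMPLES.map(([url, host]) => ({ url, ...classify(url, host) }));
}

console.table(auditPolicy());
```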