Docker socket proxy and Caddy reverse proxy

I am fairly new to docker, but completely new to Caddy. I’m eager to learn and hope others can help improve my understanding.

I’ve been trying to look up best practices for Docker containers. One such piece of advice is not to pass the Docker socket directly to containers:

  - /var/run/docker.sock:/var/run/docker.sock:ro

Instead, use a socket proxy. After reviewing documentation and a few guides, I decided to mostly follow this guide.

My Goals:

  • Expose a service (e.g. Nextcloud) to the web
  • Set up a reverse proxy with Caddy (in Docker) to add protection
  • Set up with a domain name I own for easier user access

The Question

When adding this socket proxy best practice to the mix, I’m not quite sure how that works alongside a reverse proxy with Caddy.

For example, if a service needs access to the docker.sock and to the Caddy reverse proxy,

Background

I use a docker-compose file to set up the socket proxy, and I decided it might be good to keep it in its own docker-compose file, so that multiple unrelated containers can interact with and use it.

Socket Proxy docker-compose

networks:
  socket_proxy:
    name: socket_proxy
    ipam:
      config:
        - subnet: 172.100.0.0/24 #change subnet as necessary
services:
  socket-proxy:
    container_name: socket-proxy
    image: tecnativa/docker-socket-proxy
    restart: unless-stopped
    networks:
      - socket_proxy
    ports:
      - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - PUID=1010
      - PGID=105
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      # 0 to revoke access.
      # 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1

Services docker-compose content

In theory, I then need to define the default network in each service’s docker-compose file so that it points to the socket proxy.

networks:
  socket_proxy:           # key must match what services reference under `networks:`
    name: socket_proxy    # the network created by the socket-proxy compose file
    external: true        # do not recreate it from this project

And in each service

    environment:
      - DOCKER_HOST=tcp://socket-proxy:2375   # container name resolves on socket_proxy
    networks:
      - socket_proxy

Detailed Question

So if I am setting up a Caddy reverse proxy, that would mean another network, correct?
How do I set a service to use a Caddy network for public web access, but the socket proxy network if it needs to access the docker.sock?
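One way to lay this out, as an added example that is not part of the original post and not taken from the guide it follows: a second compose project that owns the Caddy reverse proxy and one backend service. The backend joins two networks, the external `socket_proxy` network from the socket-proxy compose file above and a `caddy` network shared with Caddy. The network and service name `caddy`, the service name `app`, the hostname `app.example.com`, and the `traefik/whoami` placeholder image are assumptions for illustration.

```yaml
# Added example, not from the original post. Assumed names: network/service
# "caddy", service "app", hostname "app.example.com", image "traefik/whoami".
# The socket_proxy network is the one created by the socket-proxy compose file;
# it is referenced here as external so this project does not recreate it.

networks:
  socket_proxy:
    name: socket_proxy
    external: true        # created and owned by the socket-proxy compose project
  caddy:
    name: caddy           # created here; other projects can join it as external

configs:
  caddyfile:
    # Inline config content needs Compose v2.23 or newer;
    # on older versions bind-mount a ./Caddyfile instead.
    content: |
      app.example.com {
        reverse_proxy app:80
      }

services:
  caddy:
    image: caddy:2
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data  # persists ACME certificates across restarts
    networks:
      - caddy             # Caddy only needs to reach backends, not the Docker API

  app:
    image: traefik/whoami # placeholder backend; swap in the real service
    container_name: app
    restart: unless-stopped
    environment:
      - DOCKER_HOST=tcp://socket-proxy:2375   # resolves via the socket_proxy network
    networks:
      - caddy             # Caddy reaches it as http://app:80
      - socket_proxy      # it reaches socket-proxy; nothing is published to the host
    # Deliberately no ports: the only path in from the internet is through Caddy.

volumes:
  caddy_data:
```

A service listed under two networks gets an interface on each: Docker's embedded DNS resolves `socket-proxy` for it on `socket_proxy`, and Caddy resolves `app` on `caddy`. Because containers reach the proxy by name, the `127.0.0.1:2375` publish in the socket-proxy compose file is only needed if something on the host itself (for example the docker CLI) should use the proxy. Any container attached to `socket_proxy` can talk to the proxy, so keep its grants minimal: enable only the API sections the service actually calls (for example `CONTAINERS=1`) and leave `POST=0` unless the service needs to change state, since the proxy denies everything not explicitly granted.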