feat: resolve Docker container names in proxy ACL and logs (#32)

## Summary

- Adds a `DockerResolver` that queries the Docker daemon via its Unix
socket to map container IPs to container names/IDs, with a configurable
TTL cache.
- Integrates Docker-based identity resolution into the `Bypass` plugin
so ACL rules can match full Docker container names (e.g.
`docker-myapp-1`) instead of raw IPs.
- Derives the log method field (`HTTP/SOCKS5`) from the gost service
name instead of hardcoding `SOCKS5`.

## Test plan
   
- `DockerResolver` unit tests cover IP => name resolution and cache TTL
expiry
- `Bypass` plugin tests cover Docker identity resolution taking priority
over username fallback
- Manual test: start a Docker container, confirm its name appears in
proxy logs and ACL evaluation

```shell
# Build and restart 
go build ./cmd/greyproxy
pkill -f "greyproxy serve"

# Start with Docker resolver enabled
GREYPROXY_DOCKER_ENABLED=true \
GREYPROXY_DOCKER_SOCKET=/var/run/docker.sock \
./greyproxy serve -C greyproxy.yml

# One time setup
docker network create proxy-test

# Test Docker naming resolution
docker run --rm --name my-test-app \
  --network proxy-test \
  --add-host=host.docker.internal:host-gateway \
  curlimages/curl \
  curl -x http://host.docker.internal:43051 https://example.com
```

<img width="1254" height="1146" alt="image"
src="https://github.com/user-attachments/assets/ee4a7c12-412f-4e16-8412-6832f0cd6a1e"
/>

Author: juanArias8

.gitignore

@@ -10,6 +10,7 @@ release
 debian
 bin
 .vscode
+.idea
 
 # Architecture specific extensions/prefixes
 *.[568vq]

cmd/greyproxy/docker_env_test.go

@@ -0,0 +1,96 @@
+package main
+
+import (
+	"testing"
+
+	greyproxy "github.com/greyhavenhq/greyproxy/internal/greyproxy"
+)
+
+func TestApplyDockerEnvOverrides(t *testing.T) {
+	tests := []struct {
+		name        string
+		env         map[string]string
+		initial     greyproxy.DockerConfig
+		wantEnabled bool
+		wantSocket  string
+	}{
+		{
+			name:        "no env vars: config unchanged",
+			env:         map[string]string{},
+			initial:     greyproxy.DockerConfig{Enabled: false, Socket: "/var/run/docker.sock"},
+			wantEnabled: false,
+			wantSocket:  "/var/run/docker.sock",
+		},
+		{
+			name:        "ENABLED=true overrides disabled config",
+			env:         map[string]string{"GREYPROXY_DOCKER_ENABLED": "true"},
+			initial:     greyproxy.DockerConfig{Enabled: false, Socket: ""},
+			wantEnabled: true,
+			wantSocket:  "",
+		},
+		{
+			name:        "ENABLED=false overrides enabled config",
+			env:         map[string]string{"GREYPROXY_DOCKER_ENABLED": "false"},
+			initial:     greyproxy.DockerConfig{Enabled: true, Socket: "/var/run/docker.sock"},
+			wantEnabled: false,
+			wantSocket:  "/var/run/docker.sock",
+		},
+		{
+			name:        "ENABLED unset leaves config value intact",
+			env:         map[string]string{},
+			initial:     greyproxy.DockerConfig{Enabled: true, Socket: ""},
+			wantEnabled: true,
+			wantSocket:  "",
+		},
+		{
+			name:        "SOCKET overrides config socket path",
+			env:         map[string]string{"GREYPROXY_DOCKER_SOCKET": "/run/podman/podman.sock"},
+			initial:     greyproxy.DockerConfig{Enabled: false, Socket: "/var/run/docker.sock"},
+			wantEnabled: false,
+			wantSocket:  "/run/podman/podman.sock",
+		},
+		{
+			name:        "SOCKET empty string does not override config",
+			env:         map[string]string{"GREYPROXY_DOCKER_SOCKET": ""},
+			initial:     greyproxy.DockerConfig{Enabled: false, Socket: "/var/run/docker.sock"},
+			wantEnabled: false,
+			wantSocket:  "/var/run/docker.sock",
+		},
+		{
+			name: "both ENABLED and SOCKET override config",
+			env: map[string]string{
+				"GREYPROXY_DOCKER_ENABLED": "true",
+				"GREYPROXY_DOCKER_SOCKET":  "/run/podman/podman.sock",
+			},
+			initial:     greyproxy.DockerConfig{Enabled: false, Socket: "/var/run/docker.sock"},
+			wantEnabled: true,
+			wantSocket:  "/run/podman/podman.sock",
+		},
+		{
+			name:        "ENABLED with unrecognized value leaves config unchanged",
+			env:         map[string]string{"GREYPROXY_DOCKER_ENABLED": "yes"},
+			initial:     greyproxy.DockerConfig{Enabled: true, Socket: ""},
+			wantEnabled: true,
+			wantSocket:  "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Isolate env changes to this subtest.
+			for k, v := range tt.env {
+				t.Setenv(k, v)
+			}
+
+			cfg := greyproxy.Config{Docker: tt.initial}
+			applyDockerEnvOverrides(&cfg)
+
+			if cfg.Docker.Enabled != tt.wantEnabled {
+				t.Errorf("Enabled: got %v, want %v", cfg.Docker.Enabled, tt.wantEnabled)
+			}
+			if cfg.Docker.Socket != tt.wantSocket {
+				t.Errorf("Socket: got %q, want %q", cfg.Docker.Socket, tt.wantSocket)
+			}
+		})
+	}
+}

cmd/greyproxy/program.go

@@ -374,6 +374,9 @@ func (p *program) buildGreyproxyService() error {
 		gaCfg.Resolver = "resolver-0"
 	}
 
+
+	applyDockerEnvOverrides(&gaCfg)
+
 	log := logger.Default().WithFields(map[string]any{"kind": "service", "service": "@greyproxy"})
 
 	// Create shared state (this also opens the DB)
@@ -492,7 +495,7 @@ func (p *program) buildGreyproxyService() error {
 		if port == 0 {
 			port = 443
 		}
-		containerName, _ := greyproxy_plugins.ResolveIdentity(info.ContainerName)
+		containerName, _ := greyproxy_plugins.ResolveIdentity(info.ContainerName, "")
 		go func() {
 			reqCT := info.RequestHeaders.Get("Content-Type")
 			respCT := info.ResponseHeaders.Get("Content-Type")
@@ -553,7 +556,7 @@ func (p *program) buildGreyproxyService() error {
 		if port == 0 {
 			port = 443
 		}
-		containerName, _ := greyproxy_plugins.ResolveIdentity(info.ContainerName)
+		containerName, _ := greyproxy_plugins.ResolveIdentity(info.ContainerName, "")
 		go func() {
 			if err := greyproxy.UpdateLatestLogMitmSkipReason(shared.DB, containerName, host, port, info.MitmSkipReason); err != nil {
 				log.Warnf("failed to update MITM skip reason: %v", err)
@@ -571,7 +574,7 @@ func (p *program) buildGreyproxyService() error {
 		if port == 0 {
 			port = 443
 		}
-		containerName, _ := greyproxy_plugins.ResolveIdentity(info.ContainerName)
+		containerName, _ := greyproxy_plugins.ResolveIdentity(info.ContainerName, "")
 
 		// Resolve hostname from cache
 		resolvedHostname := shared.Cache.ResolveIP(host)
@@ -586,10 +589,25 @@ func (p *program) buildGreyproxyService() error {
 		return nil
 	})
 
+	// Initialize Docker resolver if configured.
+	var dockerResolver greyproxy_plugins.ContainerResolver
+	if gaCfg.Docker.Enabled {
+		socketPath := gaCfg.Docker.Socket
+		if socketPath == "" {
+			socketPath = "/var/run/docker.sock"
+		}
+		cacheTTL := gaCfg.Docker.CacheTTL
+		if cacheTTL == 0 {
+			cacheTTL = 30 * time.Second
+		}
+		dockerResolver = greyproxy.NewDockerResolver(socketPath, cacheTTL)
+		log.Infof("docker resolver enabled (socket=%s, cacheTTL=%s)", socketPath, cacheTTL)
+	}
+
 	// Create and register gost plugins
 	autherPlugin := greyproxy_plugins.NewAuther()
 	admissionPlugin := greyproxy_plugins.NewAdmission()
-	bypassPlugin := greyproxy_plugins.NewBypass(shared.DB, shared.Cache, shared.Bus, shared.Waiters, shared.ConnTracker)
+	bypassPlugin := greyproxy_plugins.NewBypass(shared.DB, shared.Cache, shared.Bus, shared.Waiters, shared.ConnTracker, dockerResolver)
 	resolverPlugin := greyproxy_plugins.NewResolver(shared.Cache)
 
 	registry.AutherRegistry().Register(gaCfg.Auther, autherPlugin)
@@ -741,3 +759,21 @@ func decompressBody(body []byte, encoding string) []byte {
 	}
 	return decoded
 }
+
+// applyDockerEnvOverrides configures Docker resolution from environment variables.
+// Docker is disabled by default; use these env vars to opt in:
+//
+//   - GREYPROXY_DOCKER_ENABLED=true  → enable Docker resolution
+//   - GREYPROXY_DOCKER_ENABLED=false → explicitly disable (default)
+//   - GREYPROXY_DOCKER_SOCKET=<path> → socket path (default: /var/run/docker.sock)
+func applyDockerEnvOverrides(cfg *greyproxy.Config) {
+	switch os.Getenv("GREYPROXY_DOCKER_ENABLED") {
+	case "true":
+		cfg.Docker.Enabled = true
+	case "false":
+		cfg.Docker.Enabled = false
+	}
+	if v := os.Getenv("GREYPROXY_DOCKER_SOCKET"); v != "" {
+		cfg.Docker.Socket = v
+	}
+}

greyproxy.yml

@@ -24,6 +24,7 @@ greyproxy:
   notifications:
     enabled: true
 
+
 services:
   # HTTP/HTTPS proxy on port 3128 (backward compatible with Squid)
   - name: http-proxy

internal/greyproxy/config.go

@@ -1,5 +1,7 @@
 package greyproxy
 
+import "time"
+
 // Config holds configuration for the embedded proxy API service.
 type Config struct {
 	Addr          string              `yaml:"addr" json:"addr"`
@@ -10,9 +12,24 @@ type Config struct {
 	Bypass        string              `yaml:"bypass" json:"bypass"`
 	Resolver      string              `yaml:"resolver" json:"resolver"`
 	Notifications NotificationsConfig `yaml:"notifications" json:"notifications"`
+	Docker        DockerConfig        `yaml:"docker" json:"docker"`
 }
 
 // NotificationsConfig controls OS desktop notifications for pending requests.
 type NotificationsConfig struct {
 	Enabled bool `yaml:"enabled" json:"enabled"`
 }
+
+// DockerConfig enables optional Docker socket integration for resolving container
+// IP addresses to container names. When enabled, the bypass plugin uses the Docker
+// API to map source IPs to the actual container name, producing more meaningful
+// ACL rule matching (e.g. "docker-backend-1" instead of "unknown-172.17.0.2").
+type DockerConfig struct {
+	// Enabled controls whether Docker socket resolution is active.
+	Enabled bool `yaml:"enabled" json:"enabled"`
+	// Socket is the path to the Docker/Podman socket. Defaults to /var/run/docker.sock.
+	Socket string `yaml:"socket" json:"socket"`
+	// CacheTTL controls how long resolved container names are cached.
+	// Accepts Go duration strings (e.g. "30s", "1m"). Defaults to 30s.
+	CacheTTL time.Duration `yaml:"cacheTTL" json:"cacheTTL"`
+}