add the ability to connect to a TLS protected Docker engine (#230)

* add the ability to connect to a TLS protected Docker engine

* fix wrong image in README

* change UIFD flags to be compliant with Docker CLI

Author: deviantony

README.md

@@ -12,7 +12,7 @@ UI For Docker is a web interface for the Docker Remote API.  The goal is to prov
 * Minimal dependencies - I really want to keep this project a pure html/js app.
 * Consistency - The web UI should be consistent with the commands found on the docker CLI.
 
-### Quickstart 
+### Quickstart
 1. Run: `docker run -d -p 9000:9000 --privileged -v /var/run/docker.sock:/var/run/docker.sock uifd/ui-for-docker`
 
 2. Open your browser to `http://<dockerd host ip>:9000`
@@ -25,17 +25,35 @@ Bind mounting the Unix socket into the UI For Docker container is much more secu
 
 By default UI For Docker connects to the Docker daemon with`/var/run/docker.sock`. For this to work you need to bind mount the unix socket into the container with `-v /var/run/docker.sock:/var/run/docker.sock`.
 
-You can use the `-e` flag to change this socket:
+You can use the `-H` flag to change this socket:
 
     # Connect to a tcp socket:
-    $ docker run -d -p 9000:9000 --privileged uifd/ui-for-docker -e http://127.0.0.1:2375
+    $ docker run -d -p 9000:9000 --privileged uifd/ui-for-docker -H tcp://127.0.0.1:2375
 
 ### Change address/port UI For Docker is served on
 UI For Docker listens on port 9000 by default. If you run UI For Docker inside a container then you can bind the container's internal port to any external address and port:
 
     # Expose UI For Docker on 10.20.30.1:80
     $ docker run -d -p 10.20.30.1:80:9000 --privileged -v /var/run/docker.sock:/var/run/docker.sock uifd/ui-for-docker
 
+### Access a Docker engine protected via TLS
+
+Ensure that you have access to the CA, the TLS certificate and the TLS key used to access your Docker engine.  
+
+These files will need to be named `ca.pem`, `cert.pem` and `key.pem` respectively. Store them somewhere on your disk and mount a volume containing these files inside the UI container:
+
+```
+$ docker run -d -p 9000:9000 uifd/ui-for-docker -v /path/to/certs:/certs -H tcp://my-docker-host.domain:2376 -tlsverify
+```
+
+If you want to specify different names for the CA, certificate and public key respectively you can use the `-tlscacert`, `-tlscert` and `-tlskey`:
+
+```
+$ docker run -d -p 9000:9000 uifd/ui-for-docker -v /path/to/certs:/certs -H tcp://my-docker-host.domain:2376 -tlsverify -tlscacert /certs/myCA.pem -tlscert /certs/myCert.pem -tlskey /certs/myKey.pem
+```
+
+*Note*: Replace `/path/to/certs` to the path to the certificate files on your disk.
+
 ### Check the [wiki](https://github.com/kevana/ui-for-docker/wiki) for more info about using UI For Docker
 
 ### Stack
@@ -62,24 +80,24 @@ The UI For Docker code is licensed under the MIT license.
 Copyright (c) 2013-2016 Michael Crosby (crosbymichael.com), Kevan Ahlquist (kevanahlquist.com)
 
 Permission is hereby granted, free of charge, to any person
-obtaining a copy of this software and associated documentation 
-files (the "Software"), to deal in the Software without 
-restriction, including without limitation the rights to use, copy, 
-modify, merge, publish, distribute, sublicense, and/or sell copies 
-of the Software, and to permit persons to whom the Software is 
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be 
+The above copyright notice and this permission notice shall be
 included in all copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED,
-INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT 
-HOLDERS BE LIABLE FOR ANY CLAIM, 
-DAMAGES OR OTHER LIABILITY, 
-WHETHER IN AN ACTION OF CONTRACT, 
-TORT OR OTHERWISE, 
-ARISING FROM, OUT OF OR IN CONNECTION WITH 
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH
 THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

dockerui.go

@@ -9,18 +9,23 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"os"
-	"strings"
 	"github.com/gorilla/csrf"
 	"io/ioutil"
 	"fmt"
 	"github.com/gorilla/securecookie"
+	"crypto/tls"
+	"crypto/x509"
 )
 
 var (
-	endpoint = flag.String("e", "/var/run/docker.sock", "Dockerd endpoint")
-	addr     = flag.String("p", ":9000", "Address and port to serve UI For Docker")
-	assets   = flag.String("a", ".", "Path to the assets")
-	data     = flag.String("d", ".", "Path to the data")
+	endpoint 	= flag.String("H", "unix:///var/run/docker.sock", "Dockerd endpoint")
+	addr     	= flag.String("p", ":9000", "Address and port to serve UI For Docker")
+	assets   	= flag.String("a", ".", "Path to the assets")
+	data     	= flag.String("d", ".", "Path to the data")
+	tlsverify = flag.Bool("tlsverify", false, "TLS support")
+	tlscacert = flag.String("tlscacert", "/certs/ca.pem", "Path to the CA")
+	tlscert   = flag.String("tlscert", "/certs/cert.pem", "Path to the TLS certificate file")
+	tlskey    = flag.String("tlskey", "/certs/key.pem", "Path to the TLS key")
 	authKey  []byte
 	authKeyFile = "authKey.dat"
 )
@@ -29,6 +34,13 @@ type UnixHandler struct {
 	path string
 }
 
+type TLSFlags struct {
+	tls bool
+	caPath string
+	certPath string
+	keyPath string
+}
+
 func (h *UnixHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	conn, err := net.Dial("unix", h.path)
 	if err != nil {
@@ -61,35 +73,72 @@ func copyHeader(dst, src http.Header) {
 	}
 }
 
-func createTcpHandler(e string) http.Handler {
-	u, err := url.Parse(e)
+func createTLSConfig(flags TLSFlags) *tls.Config {
+	cert, err := tls.LoadX509KeyPair(flags.certPath, flags.keyPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+	caCert, err := ioutil.ReadFile(flags.caPath)
 	if err != nil {
 		log.Fatal(err)
 	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      caCertPool,
+	}
+	return tlsConfig;
+}
+
+func createTcpHandler(u *url.URL) http.Handler {
+	u.Scheme = "http";
 	return httputil.NewSingleHostReverseProxy(u)
 }
 
+func createTcpHandlerWithTLS(u *url.URL, flags TLSFlags) http.Handler {
+	u.Scheme = "https";
+	var tlsConfig = createTLSConfig(flags)
+	proxy := httputil.NewSingleHostReverseProxy(u)
+	proxy.Transport = &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}
+	return proxy;
+}
+
 func createUnixHandler(e string) http.Handler {
 	return &UnixHandler{e}
 }
 
-func createHandler(dir string, d string, e string) http.Handler {
+func createHandler(dir string, d string, e string, flags TLSFlags) http.Handler {
 	var (
 		mux         = http.NewServeMux()
 		fileHandler = http.FileServer(http.Dir(dir))
 		h           http.Handler
 	)
 
-	if strings.Contains(e, "http") {
-		h = createTcpHandler(e)
-	} else {
-		if _, err := os.Stat(e); err != nil {
+	u, perr := url.Parse(e)
+	if perr != nil {
+		log.Fatal(perr)
+	}
+
+	if u.Scheme == "tcp" {
+		if flags.tls {
+			h = createTcpHandlerWithTLS(u, flags)
+		} else {
+			h = createTcpHandler(u)
+		}
+	} else if u.Scheme == "unix" {
+		var socketPath = u.Path
+		if _, err := os.Stat(socketPath); err != nil {
 			if os.IsNotExist(err) {
-				log.Fatalf("unix socket %s does not exist", e)
+				log.Fatalf("unix socket %s does not exist", socketPath)
 			}
 			log.Fatal(err)
 		}
-		h = createUnixHandler(e)
+		h = createUnixHandler(socketPath)
+	} else {
+		log.Fatalf("Bad Docker enpoint: %s. Only unix:// and tcp:// are supported.", e)
 	}
 
 	// Use existing csrf authKey if present or generate a new one.
@@ -127,7 +176,14 @@ func csrfWrapper(h http.Handler) http.Handler {
 func main() {
 	flag.Parse()
 
-	handler := createHandler(*assets, *data, *endpoint)
+	tlsFlags := TLSFlags{
+		tls: *tlsverify,
+		caPath: *tlscacert,
+		certPath: *tlscert,
+		keyPath: *tlskey,
+	}
+
+	handler := createHandler(*assets, *data, *endpoint, tlsFlags)
 	if err := http.ListenAndServe(*addr, handler); err != nil {
 		log.Fatal(err)
 	}

gruntFile.js

@@ -265,7 +265,7 @@ module.exports = function (grunt) {
                 command: [
                     'docker stop ui-for-docker',
                     'docker rm ui-for-docker',
-                    'docker run --net=host -d -v /tmp/ui-for-docker:/data --name ui-for-docker ui-for-docker -d /data -e http://127.0.0.1:2374'
+                    'docker run --net=host -d -v /tmp/ui-for-docker:/data --name ui-for-docker ui-for-docker -d /data -H tcp://127.0.0.1:2374'
                 ].join(';')
             },
             cleanImages: {