Docker setup relies on host mapped ports and OpenSSH being available on the host

In our setup, a dedicated IP address for boringproxy is served from another network interface than the Docker host system’s.

This setup is now working for us:

diff --git a/Dockerfile b/Dockerfile
index 90afd94..8131cd9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,16 +17,20 @@ RUN if [[ "ORIGIN" == 'remote' ]] ; then git clone --depth 1 --branch "${BRANCH}
 COPY go.* ./
 RUN go mod download
 COPY . .
+COPY ./default_logo.png ./logo.png
 RUN cd cmd/boringproxy && CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} \
        go build -ldflags "-X main.Version=${VERSION}" \
        -o boringproxy
-FROM scratch
-EXPOSE 80 443
+FROM alpine:latest
+EXPOSE 22 80 443
 WORKDIR /storage
+RUN apk add --update --no-cache openssh shadow
+RUN usermod -p '*' root
 COPY --from=builder /build/cmd/boringproxy/boringproxy /
-ENTRYPOINT ["/boringproxy"]
-CMD ["version"]
\ No newline at end of file

With being chmod +x -v'ed and reading as:


ssh-keygen -A

exec /usr/sbin/sshd -D -e &
exec /boringproxy "$@"

wait -n
exit $?

And everything coming together through an environment


and a Compose:

version: '3.7'


      context: ./context/boringproxy
    image: boringproxy
    command: "server -admin-domain ${ADMIN_DOMAIN} -acme-email ${ACME_EMAIL} -accept-ca-terms -cert-dir /storage/certmagic -print-login -public-ip ${IPV4}"
    network_mode: bridge
      - "${IPV4}:22:22"
      - "${IPV4}:80:80"
      - "${IPV4}:443:443"
      - "${IPV6}:22:22"
      - "${IPV6}:80:80"
      - "${IPV6}:443:443"
      - /etc/ssl/certs/:/etc/ssl/certs/:ro
      - ./.state/ssh:/root/.ssh
      - ./.state/sshd:/etc/ssh
      - ./.state/storage:/storage
      USER: ${USER}

This is missing out, how sshd_config in the /etc/ssh mount came about: docker cp'ed from a container without that host-mapped volume, and then edited, and put back in place.

This is a more “container-native” BoringProxy setup, which does not make assumptions about its host, but to have a separate IP address available for itself. This must be present as a separate network interface on the host system to bind the ports to.

It is not a perfect container setup, as we wouldn’t want to run multiple processes in the same container. Yet the previous experiment with such

did not work out very well. The error when not having its local tunnels available through could probably be circumvented with a custom IP of the SSH server provided to the server command, or a so-called ambassador container (netcat), which could listen on all three desired ports, and forward them respectively to the others.