From f9f2d5355632c59cbfd44d3dde951f0d9008bfcf Mon Sep 17 00:00:00 2001
From: Christophe Mehay
Date: Wed, 15 Mar 2017 08:58:34 +0100
Subject: [PATCH] Add socket support

---
 README.md                      | 12 ++++++++++-
 assets/onions/onions/Onions.py | 16 ++++++++-------
 assets/torrc                   |  3 ++-
 docker-compose.v2.socket.yml   | 37 ++++++++++++++++++++++++++++++++++
 4 files changed, 59 insertions(+), 9 deletions(-)
 create mode 100644 docker-compose.v2.socket.yml

diff --git a/README.md b/README.md
index 940bd0a..664f58d 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,7 @@ Like docker, first port is exposed port and the second one is service internal p
     links:
         - hello
         - world
+        - hey
     environment:
         # Set mapping ports
         HELLO_PORTS: 80:80
@@ -75,11 +76,20 @@ environment:
         # Multiple ports can be coma separated
         WORLD_PORTS: 8000:80,8888:80,22:22
 
+        # Socket mapping is supported
+        HEY_PORTS: 80:unix:/var/run/socket.sock
+
 ```
 
-__DEPECATED:__
+__DEPRECATED:__
 By default, ports are the same as linked containers, but a default port can be mapped using `PORT_MAP` environment variable.
 
+#### Socket
+
+To increase security, it's possible to setup your service through socket between containers and turn off network in your app container. See `docker-compose.v2.sock.yml` for an example.
+
+__Warning__: Due to a bug in `tor` configuration parser, it's not possible to mix network link and socket link in the same `tor` configuration.
+
 ### Compose v2 support
 
 Links setting are required when using docker-compose v2. See `docker-compose.v2.yml` for example.
diff --git a/assets/onions/onions/Onions.py b/assets/onions/onions/Onions.py
index ff1dc7c..4954a57 100644
--- a/assets/onions/onions/Onions.py
+++ b/assets/onions/onions/Onions.py
@@ -45,16 +45,17 @@ class Setup(object):
         self._add_host(host)
         if 'ports' not in self.setup[host]:
             self.setup[host]['ports'] = []
-        ports_l = [[int(v) for v in sp.split(':')] for sp in ports.split(',')]
+        ports_l = [
+            [
+                int(v) if not v.startswith('unix:') else v
+                for v in sp.split(':', 1)
+            ] for sp in ports.split(',')
+        ]
         for port in ports_l:
             assert len(port) == 2
             if port not in self.setup[host]['ports']:
                 self.setup[host]['ports'].append(port)
 
-    def _get_ip(self):
-        for host in self.setup:
-            self.setup[host]['ip'] = str(socket.gethostbyname(host))
-
     def _get_key(self, host, key):
         self._add_host(host)
         assert len(key) > 800
@@ -104,14 +105,15 @@ class Setup(object):
         temp = env.get_template(self.torrc_template)
         with open(self.torrc, mode='w') as f:
             f.write(temp.render(setup=self.setup,
-                                env=os.environ))
+                                env=os.environ,
+                                type=type,
+                                int=int))
 
     def setup_hosts(self):
         self.setup = {}
         try:
             self._get_setup_from_env()
             self._get_setup_from_links()
-            self._get_ip()
             self._set_keys()
             self._set_conf()
         except:
diff --git a/assets/torrc b/assets/torrc
index 4f087a8..0f03255 100644
--- a/assets/torrc
+++ b/assets/torrc
@@ -1,8 +1,9 @@
 {% for service, conf in setup.items() %}
 HiddenServiceDir /var/lib/tor/hidden_service/{{service}}
 {% for ports in conf['ports'] %}
+{% set map = ports[1] if type(ports[1]) != int else '{service}:{port}'.format(service=service, port=ports[1]) %}
 # PORT {{service}} {{ports[0]}}
-HiddenServicePort {{ports[0]}} {{service}}:{{ports[1]}}
+HiddenServicePort {{ports[0]}} {{map}}
 {% endfor %}
 {% endfor %}
 
diff --git a/docker-compose.v2.socket.yml b/docker-compose.v2.socket.yml
new file mode 100644
index 0000000..8f27bca
--- /dev/null
+++ b/docker-compose.v2.socket.yml
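Review bot: The `unix:` branch of the new comprehension passes the socket path through unvalidated, and the torrc hunk of this same patch prints it verbatim into a `HiddenServicePort` line, so a value containing whitespace or a newline would cut the directive short or append one of its own. The `*_PORTS` strings are operator-set environment variables, so this is hardening rather than a remote issue, but a cheap guard before the comprehension makes the contract explicit: `for sp in ports.split(','):` / `    if 'unix:' in sp and any(c.isspace() for c in sp):` / `        raise ValueError('socket path must not contain whitespace: %r' % sp)` — a real exception rather than another `assert`, which disappears under `-O`. The list now mixes types (an `int` for a TCP target, a `str` for a socket), which is what forces the template-side type check; a comment such as `# each entry is [virtual_port, target] where target is an int (TCP) or a 'unix:/path' string` would document that for whoever reads the consumer. With `_get_ip` deleted, `socket` may no longer be referenced in this module; the import block is outside the hunk, so check and drop it. The enclosing method begins above the hunk.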
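Review bot: Injecting the builtins `type` and `int` into the template context (the two kwargs added to `temp.render`) exists only so the torrc template can tell a socket target from a TCP port; that decision is cheaper and clearer on the Python side, where the ports list is built, so the template would receive a finished target string and the two kwargs could go. If they stay, a comment on the call such as `# type/int let assets/torrc distinguish 'unix:' socket targets from TCP ports` saves the next reader a trip to the template. Dropping `self._get_ip()` also means `self.setup[host]['ip']` is no longer populated; nothing in view reads it, but confirm no other template or caller does before this ships. `_set_conf` starts above the hunk and `setup_hosts` continues below it, including the bare `except:` that still swallows every error from this sequence.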
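Review bot: The new `{% set map = ... %}` line decides socket-versus-TCP with `type(ports[1]) != int`, which is the only reason the renderer now has to pass `type` and `int` into the context; Jinja's built-in tests do the same with nothing injected, `{% set map = ports[1] if ports[1] is string else service ~ ':' ~ ports[1] %}`, and read as intent ("a string target is a socket") rather than a type comparison. Because the socket target is emitted into the `HiddenServicePort` directive unescaped, the template silently relies on the parser having rejected paths with whitespace or newlines; a template comment above the `set`, `{# a str target is a unix: socket path and is printed verbatim — the parser must reject whitespace in it #}`, records that dependency where it is consumed.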
@@ -0,0 +1,37 @@
+# docker version 2 example
+
+version: "2"
+
+services:
+  tor:
+    image: goldy/tor-hidden-service
+    build: .
+    links:
+      - world
+    environment:
+      # Set mapping port to unix socket
+      WORLD_PORTS: 80:unix:/var/run/nginx.sock
+
+      # Mount socket directory from world container
+    volumes_from:
+      - world
+
+    # Keep keys in volumes
+    volumes:
+      - tor-keys:/var/lib/tor/hidden_service/
+
+  world:
+    image: tutum/hello-world
+    hostname: world
+    # You can disable network to increase security
+    network_mode: none
+    command: |
+      sh -c 'php-fpm -d variables_order="EGPCS" &&
+      sed -i "s|80|unix:/var/run/nginx.sock|" /etc/nginx/nginx.conf &&
+      exec nginx -g "daemon off;"'
+    volumes:
+      - /var/run
+
+volumes:
+  tor-keys:
+    driver: local
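Review bot: `volumes_from: world` hands the tor container the app container's entire `/var/run` volume, not just `nginx.sock`, and the socket's owner and mode are whatever nginx creates inside `world` — if the tor process runs as a different uid the connect fails, and if the socket is created world-writable anything else with that mount can reach the app. A dedicated named volume mounted at one directory in both services (e.g. `- app-sock:/var/run/app` with `WORLD_PORTS: 80:unix:/var/run/app/nginx.sock`) narrows what is shared, and the comment above `volumes_from` should state the ownership expectation the example relies on. The `sed -i "s|80|unix:/var/run/nginx.sock|"` in `command` rewrites the first `80` on every line of nginx.conf, so unless the bundled config has been checked it should be anchored to the directive, e.g. `sed -i "s|listen 80|listen unix:/var/run/nginx.sock|"`. The README text in this patch sends readers to `docker-compose.v2.sock.yml` while the file added here is `docker-compose.v2.socket.yml`; one of the two names needs to change.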