add recommended regex

Signed-off-by: Simon L <szaimen@e.mail.de>

Containers/docker-socket-proxy/haproxy.cfg

@@ -8,15 +8,30 @@ defaults
 frontend http
     mode http
     bind :2375
-    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((start)|(stop)|(restart)|(kill)) }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes }
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json)|(start)|(stop)) } METH_GET
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
+
+    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
+    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
+
+    # ACL to restrict the number of Mounts to 1
+    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
+    # ACL to deny if there are any binds
+    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
+    # ACL to restrict the type of Mounts to volume
+    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
+
+    # ACL to restrict container creation, that it has HostConfig.Privileged only set to false
+    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\":\s?false"
+    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
+    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name no_privileged_flag nc_app_volume_data_only METH_POST
+
+    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data METH_POST
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
     http-request deny
     default_backend dockerbackend