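# middleman

Securely mount the Docker socket: apply fine-grained access control to Docker socket HTTP requests.

```shell
$ openssl ecparam -check -name prime256v1 -genkey -noout -out key.pem -rand /dev/urandom
$ vim traefik.cfg
```

```
[req]
distinguished_name = req_distinguished_name
prompt = no
default_md = sha256

[req_distinguished_name]
CN = infra.local

[database]
basicConstraints = CA:false
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = infra.local
DNS.2 = *.infra.local
DNS.3 = localhost
IP.1 = 127.0.0.1
```

Note: the name passed to `-extensions` in the signing command below must match the extension section in `traefik.cfg`. The config above names that section `[database]`, while the command passes `properties`; make the two agree, otherwise the signing step fails or the certificate is issued without the `subjectAltName` and key-usage extensions. After signing, `openssl x509 -in cert.pem -noout -text` shows whether the extensions were applied.

```shell
$ openssl req -new -key key.pem -out csr.pem -rand /dev/urandom -config traefik.cfg
$ openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out cert.pem -extensions properties -extfile traefik.cfg
```

The certificate is self-signed (`-signkey key.pem`), so clients have to trust `cert.pem` explicitly. `key.pem` is the private key and should be readable only by the account that runs the proxy.

```shell
$ docker compose --project-name infra up --detach
$ docker compose --project-name infra down --remove-orphans --volumes
```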