- Configure the daemon with systemd
- Custom Docker daemon options
- Manually create the systemd unit files
- Configure the Docker daemon to use a proxy server
- Configure Docker to use a proxy server
- Configure the Docker client
- Run containers with a proxy configuration
- Build with a proxy configuration
- Configure proxy settings per daemon
- Set proxy using the CLI
- Proxy as environment variable for builds
- How to set the Proxy for Docker on Ubuntu
- Systemd Docker Service
- Creating Proxy Configuration
Configure the daemon with systemd
This page describes how to customize daemon settings when using systemd.
Custom Docker daemon options
Most configuration options for the Docker daemon are set using the daemon.json configuration file. See Docker daemon configuration overview for more information.
Manually create the systemd unit files
When installing the binary without a package manager, you may want to integrate Docker with systemd. For this, install the two unit files ( service and socket ) from the github repository to /etc/systemd/system .
Configure the Docker daemon to use a proxy server
The Docker daemon uses the following environment variables in its start-up environment to configure HTTP or HTTPS proxy behavior:
- HTTP_PROXY
- http_proxy
- HTTPS_PROXY
- https_proxy
- NO_PROXY
- no_proxy
In Docker Engine version 23.0 and later versions, you may also configure proxy behavior for the daemon in the daemon.json file:
"proxies": "http-proxy": "http://proxy.example.com:3128", "https-proxy": "https://proxy.example.com:3129", "no-proxy": "*.test.example.com,.example.org,127.0.0.0/8" > > These configurations override the default docker.service systemd file.
If you are behind an HTTP or HTTPS proxy server, for example in corporate settings, the daemon proxy configurations must be specified in the systemd service file, not in the daemon.json file or using environment variables.
Note for rootless mode
The location of systemd configuration files are different when running Docker in rootless mode. When running in rootless mode, Docker is started as a user-mode systemd service, and uses files stored in each users’ home directory in ~/.config/systemd/user/docker.service.d/ . In addition, systemctl must be executed without sudo and with the —user flag. Select the “rootless mode” tab below if you are running Docker in rootless mode.
$ sudo mkdir -p /etc/systemd/system/docker.service.d [Service] Environment="HTTP_PROXY=http://proxy.example.com:3128" [Service] Environment="HTTPS_PROXY=https://proxy.example.com:3129" [Service] Environment="HTTP_PROXY=http://proxy.example.com:3128" Environment="HTTPS_PROXY=https://proxy.example.com:3129" Note Special characters in the proxy value, such as #?!()[]<> , must be double escaped using %% . For example:
[Service] Environment="HTTP_PROXY=http://domain%%5Cuser:complex%%23pass@proxy.example.com:3128/" - IP address prefix ( 1.2.3.4 )
- Domain name, or a special DNS label ( * )
- A domain name matches that name and all subdomains. A domain name with a leading “.” matches subdomains only. For example, given the domains foo.example.com and example.com :
- example.com matches example.com and foo.example.com , and
- .example.com matches only foo.example.com
[Service] Environment="HTTP_PROXY=http://proxy.example.com:3128" Environment="HTTPS_PROXY=https://proxy.example.com:3129" Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp"$ sudo systemctl daemon-reload $ sudo systemctl restart docker$ sudo systemctl show --property=Environment docker Environment=HTTP_PROXY=http://proxy.example.com:3128 HTTPS_PROXY=https://proxy.example.com:3129 NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp$ mkdir -p ~/.config/systemd/user/docker.service.d[Service] Environment="HTTP_PROXY=http://proxy.example.com:3128"[Service] Environment="HTTPS_PROXY=https://proxy.example.com:3129"[Service] Environment="HTTP_PROXY=http://proxy.example.com:3128" Environment="HTTPS_PROXY=https://proxy.example.com:3129"Note Special characters in the proxy value, such as #?!()[]<> , must be double escaped using %% . For example:
[Service] Environment="HTTP_PROXY=http://domain%%5Cuser:complex%%23pass@proxy.example.com:3128/"- IP address prefix ( 1.2.3.4 )
- Domain name, or a special DNS label ( * )
- A domain name matches that name and all subdomains. A domain name with a leading “.” matches subdomains only. For example, given the domains foo.example.com and example.com :
- example.com matches example.com and foo.example.com , and
- .example.com matches only foo.example.com
[Service] Environment="HTTP_PROXY=http://proxy.example.com:3128" Environment="HTTPS_PROXY=https://proxy.example.com:3129" Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp"$ systemctl --user daemon-reload $ systemctl --user restart docker$ systemctl --user show --property=Environment docker Environment=HTTP_PROXY=http://proxy.example.com:3128 HTTPS_PROXY=https://proxy.example.com:3129 NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corpConfigure Docker to use a proxy server
This page describes how to configure the Docker CLI to use proxies via environment variables in containers.
This page doesn’t describe how to configure proxies for the Docker daemon. For instructions on configuring Docker Desktop to use HTTP/HTTPS proxies, see proxies on Mac, proxies on Windows, and proxies on Linux.
If you’re running Docker Engine without Docker Desktop, refer to Configure the Docker daemon to use a proxy server to learn how to configure a proxy server for the Docker daemon ( dockerd ) itself.
If your container needs to use an HTTP, HTTPS, or FTP proxy server, you can configure it in different ways:
Note
Unfortunately, there’s no standard that defines how web clients should handle proxy environment variables, or the format for defining them.
If you’re interested in the history of these variables, check out this blog post on the subject, by the GitLab team: We need to talk: Can we standardize NO_PROXY?.
Configure the Docker client
You can add proxy configurations for the Docker client using a JSON configuration file, located in ~/.docker/config.json . Builds and containers use the configuration specified in this file.
"proxies": "default": "httpProxy": "http://proxy.example.com:3128", "httpsProxy": "https://proxy.example.com:3129", "noProxy": "*.test.example.com,.example.org,127.0.0.0/8" > > >Warning
Proxy settings may contain sensitive information. For example, some proxy servers require authentication information to be included in their URL, or their address may expose IP-addresses or hostnames of your company’s environment.
Environment variables are stored as plain text in the container’s configuration, and as such can be inspected through the remote API or committed to an image when using docker commit .
The configuration becomes active after saving the file, you don’t need to restart Docker. However, the configuration only applies to new containers and builds, and doesn’t affect existing containers.
The following table describes the available configuration parameters.
Property Description httpProxy Sets the HTTP_PROXY and http_proxy environment variables and build arguments. httpsProxy Sets the HTTPS_PROXY and https_proxy environment variables and build arguments. ftpProxy Sets the FTP_PROXY and ftp_proxy environment variables and build arguments. noProxy Sets the NO_PROXY and no_proxy environment variables and build arguments. allProxy Sets the ALL_PROXY and all_proxy environment variables and build arguments. These settings are used to configure proxy environment variables for containers only, and not used as proxy settings for the Docker CLI or the Docker Engine itself. Refer to the environment variables and configure the Docker daemon to use a proxy server sections for configuring proxy settings for the CLI and daemon.
Run containers with a proxy configuration
When you start a container, its proxy-related environment variable are set to reflect your proxy configuration in ~/.docker/config.json .
For example, assuming a proxy configuration like the example shown in the earlier section, environment variables for containers that you run are set as follows:
$ docker run --rm alpine sh -c 'env | grep -i _PROXY' https_proxy=http://proxy.example.com:3129 HTTPS_PROXY=http://proxy.example.com:3129 http_proxy=http://proxy.example.com:3128 HTTP_PROXY=http://proxy.example.com:3128 no_proxy=*.test.example.com,.example.org,127.0.0.0/8 NO_PROXY=*.test.example.com,.example.org,127.0.0.0/8Build with a proxy configuration
When you invoke a build, proxy-related build arguments are pre-populated automatically, based on the proxy settings in your Docker client configuration file.
Assuming a proxy configuration like the example shown in the earlier section, environment are set as follows during builds:
$ docker build \ --no-cache \ --progress=plain \ - EOF FROM alpine RUN env | grep -i _PROXY EOF#5 [2/2] RUN env | grep -i _PROXY #5 0.100 HTTPS_PROXY=https://proxy.example.com:3129 #5 0.100 no_proxy=*.test.example.com,.example.org,127.0.0.0/8 #5 0.100 NO_PROXY=*.test.example.com,.example.org,127.0.0.0/8 #5 0.100 https_proxy=https://proxy.example.com:3129 #5 0.100 http_proxy=http://proxy.example.com:3128 #5 0.100 HTTP_PROXY=http://proxy.example.com:3128 #5 DONE 0.1sConfigure proxy settings per daemon
The default key under proxies in daemon.json configures the proxy settings for all daemons that the client connects to. To configure the proxies for individual daemons, use the address of the daemon instead of the default key.
The following example configures both a default proxy config, and a no-proxy override for the Docker daemon on address tcp://docker-daemon1.example.com :
"proxies": "default": "httpProxy": "http://proxy.example.com:3128", "httpsProxy": "https://proxy.example.com:3129", "noProxy": "*.test.example.com,.example.org,127.0.0.0/8" > "tcp://docker-daemon1.example.com": "noProxy": "*.internal.example.net" > > >Set proxy using the CLI
Instead of configuring the Docker client, you can specify proxy configurations on the command-line when you invoke the docker build and docker run commands.
Proxy configuration on the command-line uses the —build-arg flag for builds, and the —env flag for when you want to run containers with a proxy.
$ docker build --build-arg HTTP_PROXY="http://proxy.example.com:3128" . $ docker run --env HTTP_PROXY="http://proxy.example.com:3128" redisFor a list of all the proxy-related build arguments that you can use with the docker build command, see Predefined ARGs. These proxy values are only available in the build container. They’re not included in the build output.
Proxy as environment variable for builds
Don’t use the ENV Dockerfile instruction to specify proxy settings for builds. Use build arguments instead.
Using environment variables for proxies embeds the configuration into the image. If the proxy is an internal proxy, it might not be accessible for containers created from that image.
Embedding proxy settings in images also poses a security risk, as the values may include sensitive information.
How to set the Proxy for Docker on Ubuntu
The Docker services will not use environment variables to get proxy information. Instead, you will have to configure the service to use a proxy. This tutorial will show you how to set the proxy for Docker on Ubuntu servers.
Services in Ubuntu 16.04 and above are registered with SystemD. Docker is one of the few packages that determine proxy information from a service configuration in SystemD, rather than from an environment variable.
Systemd Docker Service
In order to the set the proxy for Docker, you will need to create a configuration file for the Docker service. No configuration files exist by default, so one will have to be created.
All Systemd service configuration are stored under /etc/systemd/system. In order to keep things organized, we can create a child directory docker.service.d, rather than creating a file called /etc/systemd/system/docker.service.
Within this configuration file, we can set our HTTP and HTTPS proxy. We can also set our NO_PROXY value, too.
Creating Proxy Configuration
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo vi /etc/systemd/system/docker.service.d/proxy.conf
[Service] Environment="HTTP_PROXY=http://myproxy.hostname:8080" Environment="HTTPS_PROXY=https://myproxy.hostname:8080/" Environment="NO_PROXY="localhost,127.0.0.1. 1"
sudo systemctl daemon-reload
sudo systemctl restart docker.service
After the service is restarted Docker should be able to pull images from external repositories. You can test this by attempting to pull down an image. If the download completes and does not timeout, your proxy settings have been applied.
