How to Configure Docker Compose to Pull Images Through SOCKS5 Proxy on Linux/MacOS



When working behind restrictive networks, pulling Docker images often requires routing traffic through SOCKS proxies. The standard ALL_PROXY environment variable approach fails because:

  • Docker daemon runs as a system service, not inheriting user shell environments
  • Docker Compose makes direct HTTP requests outside the proxy context

Here are three working methods to force Docker traffic through SOCKS5:

Method 1: Docker Daemon Proxy Configuration

# Create or modify the Docker systemd configuration
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/http-proxy.conf << EOF
[Service]
Environment="HTTP_PROXY=socks5://127.0.0.1:8888"
Environment="HTTPS_PROXY=socks5://127.0.0.1:8888"
EOF

# Reload and restart Docker
sudo systemctl daemon-reload
sudo systemctl restart docker

Method 2: SSH Tunnel Wrapper

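#!/bin/bash
# docker-compose-proxy.sh
set -euo pipefail

# Control socket, so cleanup stops exactly this tunnel and no other ssh session
CTL="${HOME}/.ssh/docker-socks-tunnel.ctl"

# First establish SOCKS tunnel in background (bound to loopback only;
# abort if port 8888 cannot be opened)
ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes -D 127.0.0.1:8888 parham@remote-server

# Cleanup tunnel when done, even if compose fails or is interrupted
trap 'ssh -S "$CTL" -O exit parham@remote-server' EXIT

# Execute compose with proxied environment
ALL_PROXY=socks5://127.0.0.1:8888 HTTPS_PROXY=socks5://127.0.0.1:8888 \
  docker-compose up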

Method 3: Docker Client Proxy via CNTLM

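# Install CNTLM and configure for SOCKS5
# (per cntlm(1), Proxy names a parent HTTP proxy and SOCKS5Proxy takes a local
# [addr:]port to listen on, so validate this config against your CNTLM version)
sudo apt install cntlm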
sudo tee /etc/cntlm.conf << EOF
Username    your_username
Domain      your_domain
Proxy       127.0.0.1:8888
Listen      3128
SOCKS5Proxy yes
EOF

# Start CNTLM and configure Docker client
sudo systemctl restart cntlm
export HTTP_PROXY=http://127.0.0.1:3128
export HTTPS_PROXY=http://127.0.0.1:3128
docker-compose pull

  • For Method 1, registry-specific proxies may require additional NO_PROXY settings
  • Method 2 works well for temporary sessions but requires SSH key setup
  • Corporate environments often block direct Docker Hub access - combine Methods 1+3

When proxy configurations fail, check these diagnostic commands:

# Verify Docker daemon environment
sudo systemctl show docker --property Environment

# Test proxy connectivity
curl --socks5 127.0.0.1:8888 https://registry-1.docker.io/v2/

# Show the proxy settings reported by docker info
docker info | grep -i proxy
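
As an added example (not part of the original page), the script below audits the line printed by the systemctl show command above: it flags proxy URLs that embed credentials, use an unexpected scheme, or point somewhere other than the loopback listeners this page sets up. The function names and both sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the output of "systemctl show docker --property Environment".
# It only parses the text passed in; it does not talk to Docker or the network.

# Print the value of variable $2 from an "Environment=A=1 B=2" line ($1).
env_value() {
    val= found=1
    set -f                                  # no globbing on values like *.corp
    for pair in ${1#Environment=}; do
        case $pair in "$2="*) val=${pair#*=} found=0 ;; esac   # last one wins
    done
    set +f
    [ "$found" -eq 0 ] && printf '%s\n' "$val"
    return "$found"
}

# Print space-separated findings for one proxy URL, or "ok".
audit_proxy_url() {
    findings=
    scheme=${1%%://*}
    authority=${1#*://}; authority=${authority%%/*}
    case $scheme in
        socks5|socks5h|http|https) ;;
        *) findings="$findings unknown-scheme" ;;
    esac
    # user:pass@ lands in the unit environment, which unprivileged users can read
    case $authority in
        *@*) findings="$findings embedded-credentials"; authority=${authority##*@} ;;
    esac
    case ${authority%:*} in                 # host part, port stripped
        127.0.0.1|localhost|"[::1]") ;;
        *) findings="$findings non-loopback-proxy" ;;
    esac
    f=${findings# }; printf '%s\n' "${f:-ok}"
}

# One "NAME: findings" line per proxy variable set for the daemon.
audit_docker_env() {
    for name in HTTP_PROXY HTTPS_PROXY; do
        if value=$(env_value "$1" "$name"); then
            printf '%s: %s\n' "$name" "$(audit_proxy_url "$value")"
        else
            printf '%s: unset\n' "$name"
        fi
    done
}

# Constructed sample lines (not captured from a real host)
SAMPLE_OK='Environment=HTTP_PROXY=socks5://127.0.0.1:8888 HTTPS_PROXY=socks5://127.0.0.1:8888'
SAMPLE_BAD='Environment=HTTP_PROXY=http://svc:EXAMPLE-PASSWORD@proxy.corp.example:3128 NO_PROXY=*.corp.example'
audit_docker_env "$SAMPLE_BAD"
```

On a host with Docker installed, pass the real line instead of a sample: audit_docker_env "$(systemctl show docker --property Environment)".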

When working behind restrictive networks or in development environments requiring secure connections, pulling Docker images through a SOCKS5 proxy becomes essential. Docker supports HTTP proxies out of the box, but it has no native support for SOCKS proxies.

The standard ALL_PROXY or HTTP_PROXY environment variables won't work because:

  • Docker daemon runs as a system service, not inheriting user session variables
  • The Docker client and daemon communicate through Unix sockets
  • Docker's internal networking stack doesn't recognize SOCKS proxies directly

Method 1: Using tsocks as Wrapper

Install tsocks and configure it to use your SOCKS5 proxy:

sudo apt-get install tsocks
echo "server = 127.0.0.1" | sudo tee -a /etc/tsocks.conf
echo "server_type = 5" | sudo tee -a /etc/tsocks.conf
echo "server_port = 8888" | sudo tee -a /etc/tsocks.conf

Then run Docker Compose through tsocks:

tsocks docker-compose up

Method 2: Creating HTTP Proxy Bridge with Privoxy

Convert SOCKS5 to HTTP proxy:

sudo apt-get install privoxy
echo "forward-socks5 / 127.0.0.1:8888 ." | sudo tee -a /etc/privoxy/config
sudo systemctl restart privoxy

Configure Docker to use the HTTP proxy:

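mkdir -p ~/.docker
# This replaces ~/.docker/config.json, which may also hold registry logins
# or a credsStore setting, so keep a copy of any existing file first
[ -f ~/.docker/config.json ] && cp -p ~/.docker/config.json ~/.docker/config.json.bak
cat > ~/.docker/config.json << 'EOF'
{
  "proxies": {
    "default": {
      "httpProxy": "http://127.0.0.1:8118",
      "httpsProxy": "http://127.0.0.1:8118"
    }
  }
}
EOF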

For system-wide Docker proxy settings:

sudo mkdir -p /etc/systemd/system/docker.service.d
echo '[Service]
Environment="HTTP_PROXY=http://127.0.0.1:8118"
Environment="HTTPS_PROXY=http://127.0.0.1:8118"' | sudo tee /etc/systemd/system/docker.service.d/http-proxy.conf

sudo systemctl daemon-reload
sudo systemctl restart docker

  • Verify proxy connectivity with curl --socks5 127.0.0.1:8888 http://checkip.amazonaws.com
  • Check Docker logs with journalctl -u docker.service
  • For corporate environments, you might need additional CA certificates