Port 2376 carries the Docker REST API over TLS. When you deploy containers to a remote server, when CI/CD pipelines spin up test environments, when orchestration platforms manage fleets of services across data centers, this is often the port that makes it possible.
But port 2376 only exists because its sibling, port 2375, was too dangerous to expose to the network.
The Port That Guards Root
Docker gives you the power to create isolated environments, package applications, and deploy them anywhere. But that power comes at a cost: the Docker daemon runs with root privileges on the host system.[1] Whoever controls the Docker API controls the machine.
Port 2375 serves that same API with no TLS at all. Exposing it to the network is, in the words of security researchers, "equivalent to giving the world root access to the host."[2] No authentication. No encryption. Just a TCP socket waiting for commands.
Port 2376 exists to solve this. It wraps the same API in TLS encryption and, critically, mutual authentication. The daemon only accepts connections from clients that present a certificate signed by a trusted authority. The client verifies the daemon's certificate before sending commands. Both sides must prove their identity before any container can be created, started, or destroyed.[3]
How It Works
The mechanism is mutual TLS, also called mTLS. When a client connects to port 2376:
- The TLS handshake begins. The daemon presents its certificate, proving it is who it claims to be.
- The client verifies the daemon's certificate against a trusted Certificate Authority (CA).
- The daemon requests the client's certificate.
- The client presents its certificate, proving it has authorization to issue commands.
- The daemon verifies the client's certificate against the same CA.
- Only then does the encrypted channel open for Docker API calls.
This two-way verification means that even someone who can intercept or inject traffic cannot issue commands without holding a valid client certificate and its private key. Anyone who does hold them effectively holds root access to the host, so Docker's documentation warns: "Guard these keys as you would a root password."[4]
The Origin Story
Docker emerged from dotCloud, a platform-as-a-service company founded in 2010 by Solomon Hykes, Kamel Founadi, and Sebastien Pahl.[5] The company had built internal tooling for deploying applications in containers, but struggled to differentiate itself in a crowded PaaS market.
In March 2013, Hykes demonstrated Docker at PyCon in Santa Clara. The tool was open-sourced and popularity exploded. By mid-2015, Docker had been downloaded over 300 million times.[6]
The Docker Remote API initially ran over Unix sockets for local access. But as Docker adoption spread, administrators needed to manage containers on remote servers. The API was exposed over TCP, and ports 2375 and 2376 were registered with IANA on April 17, 2014, by Christopher Liljenstolpe on behalf of Docker.[7]
Port 2375 was designated for unencrypted communication. Port 2376 was designated for TLS. The names in the IANA registry tell the story: "docker" and "docker-s" (the 's' for secure, echoing the HTTP/HTTPS convention).
The Security Nightmare of Port 2375
The distinction between these two ports is not academic. Attackers actively scan the Internet for exposed Docker daemons on port 2375.
The Cetus worm, documented by Palo Alto Networks' Unit 42, uses Masscan to sweep random subnets looking for Docker daemons on port 2375. When it finds one, it deploys an XMRig cryptominer disguised as a legitimate binary called "docker-cache."[8]
The Kinsing malware campaign hijacks misconfigured Docker APIs to install cryptominers, with Aqua Security reporting thousands of attack attempts daily.[9]
The attack vector is straightforward: an exposed Docker daemon allows attackers to create containers with the host's root filesystem mounted. They can then write SSH keys to the host, install cron jobs, or simply run cryptomining software indefinitely.
A 2025 variant documented by Akamai takes this further: after compromising a Docker host, it uses the host's firewall tools to block port 2375, preventing other attackers from exploiting the same vulnerability. The attackers lock the door behind them.[10]
This is why Docker's documentation now states: "Remote access without TLS is not recommended, and will require explicit opt-in in a future release."[11]
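A defender-side check for the configuration mistakes this section describes, added here as an example that is not part of the original article and not Docker's own code: a small Go program that reads a /etc/docker/daemon.json and flags any TCP listener that is not protected by tlsverify (plain TCP, or tls alone, which in Docker's option scheme encrypts the channel without demanding a client certificate), as well as a tlsverify that is missing one of its three certificate files. The three sample configurations are constructed for the example; the JSON keys are Docker's documented daemon options.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// daemonConfig is the subset of /etc/docker/daemon.json that decides how the API is exposed.
type daemonConfig struct {
	Hosts     []string `json:"hosts"`
	TLS       bool     `json:"tls"`
	TLSVerify bool     `json:"tlsverify"`
	TLSCACert string   `json:"tlscacert"`
	TLSCert   string   `json:"tlscert"`
	TLSKey    string   `json:"tlskey"`
}

// AuditDaemonJSON returns one finding per way the configuration leaves the API reachable over the
// network without mutual TLS. No findings means every TCP listener demands a CA-signed client cert.
func AuditDaemonJSON(raw string) ([]string, error) {
	var cfg daemonConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	findings := []string{}
	for _, h := range cfg.Hosts {
		u, err := url.Parse(h)
		if err != nil || u.Scheme != "tcp" {
			continue // unix:// and fd:// listeners are local and governed by socket permissions
		}
		switch {
		case cfg.TLSVerify:
			// mutual TLS is on for this listener; the file check below covers the rest
		case cfg.TLS:
			findings = append(findings, fmt.Sprintf("%s: tls without tlsverify encrypts the channel but lets any client issue commands", h))
		default:
			findings = append(findings, fmt.Sprintf("%s: plaintext TCP listener, an unauthenticated root-equivalent API", h))
		}
	}
	if cfg.TLSVerify && (cfg.TLSCACert == "" || cfg.TLSCert == "" || cfg.TLSKey == "") {
		findings = append(findings, "tlsverify is set but tlscacert, tlscert and tlskey are not all given")
	}
	return findings, nil
}

// Constructed sample configurations for the example (not taken from any real host).
const (
	exposedConfig  = `{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}`
	halfwayConfig  = `{"hosts": ["tcp://0.0.0.0:2376"], "tls": true, "tlscert": "/etc/docker/certs/server-cert.pem", "tlskey": "/etc/docker/certs/server-key.pem"}`
	hardenedConfig = `{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": true,
	  "tlscacert": "/etc/docker/certs/ca.pem", "tlscert": "/etc/docker/certs/server-cert.pem", "tlskey": "/etc/docker/certs/server-key.pem"}`
)

func main() {
	for name, raw := range map[string]string{"exposed": exposedConfig, "halfway": halfwayConfig, "hardened": hardenedConfig} {
		findings, err := AuditDaemonJSON(raw)
		fmt.Printf("%-9s %d finding(s) %v err=%v\n", name, len(findings), findings, err)
	}
}
```

The check is meant to run over daemon.json files collected by configuration management rather than on each host by hand. One caveat when applying the hardened shape: on systemd-managed installs, a hosts entry in daemon.json conflicts with the -H flag in the stock unit file, and Docker's documentation resolves this with a systemd drop-in that clears the flag.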
The Certificate Dance
Configuring TLS for Docker requires generating three sets of certificates:
- The Certificate Authority (CA): A self-signed certificate that will sign both server and client certificates. This establishes the trust anchor.
- The server certificate: Identifies the Docker daemon. Must include Subject Alternative Names (SANs) for every hostname and IP address clients might use to connect.
- Client certificates: One for each machine or developer authorized to connect. The extended key usage must be set to "clientAuth."
The daemon configuration in /etc/docker/daemon.json then specifies:
Clients connect by providing their credentials:
If certificates are stored in ~/.docker/, the client finds them automatically.[12]
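The six-step handshake and the three certificates described above, as an added worked example that is not part of the original article and not Docker's own code: a self-contained Go program (Go being the language dockerd itself is written in) that issues a demo CA, a server certificate with DNS and IP SANs, and a client certificate with the clientAuth extended key usage, then runs real TLS handshakes over a loopback socket with the daemon side configured the way tlsverify configures dockerd (RequireAndVerifyClientCert). The hostname docker-host.example, the subject names and the ephemeral loopback port are assumptions. The two refusal cases show what the daemon does with a client that has no certificate at all and with a certificate that lacks clientAuth (a server certificate reused as a client certificate).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs a certificate for cn with issuer (nil issuer: self-signed, i.e. the CA); keys stay in memory.
func issue(cn string, serial int64, issuer *tls.Certificate, customize func(*x509.Certificate)) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the CSPRNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	customize(tmpl)
	parent, signer := tmpl, crypto.Signer(key)
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey.(crypto.Signer)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

type PKI struct{ CA, Server, Client tls.Certificate } // the trio the text lists

// NewPKI issues all three for a daemon that clients reach as host (DNS SAN) or 127.0.0.1 (IP SAN).
func NewPKI(host string) *PKI {
	ca := issue("docker-demo-ca", 1, nil, func(c *x509.Certificate) {
		c.IsCA, c.BasicConstraintsValid = true, true
		c.KeyUsage |= x509.KeyUsageCertSign
	})
	server := issue(host, 2, &ca, func(c *x509.Certificate) {
		c.DNSNames, c.IPAddresses = []string{host}, []net.IP{net.ParseIP("127.0.0.1")} // every name a client may dial
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	})
	client := issue("developer-laptop", 3, &ca, func(c *x509.Certificate) {
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // the EKU the daemon checks for
	})
	return &PKI{ca, server, client}
}
// Handshake runs the six-step exchange over a loopback TCP socket (an ephemeral port standing in for
// 2376) and reports whether the daemon side admitted the client; clientCert may be nil (no key pair).
func Handshake(p *PKI, host string, clientCert *tls.Certificate) (bool, error) {
	pool := x509.NewCertPool()
	pool.AddCert(p.CA.Leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientCAs:    pool,                           // step 5: clients are checked against the same CA
		ClientAuth:   tls.RequireAndVerifyClientCert, // the posture tlsverify gives dockerd
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: host} // step 2: the daemon is checked against the CA
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert} // step 4: the client's proof of authorization
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = tls.Server(conn, srvCfg).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg) // steps 1 to 4 and 6, client side
	if cli != nil {
		defer cli.Close()
	}
	if err := <-srvErr; err != nil {
		return false, fmt.Errorf("daemon refused client: %w", err)
	}
	return cliErr == nil, cliErr
}
func main() {
	p := NewPKI("docker-host.example")
	for _, c := range []*tls.Certificate{&p.Client, nil, &p.Server} { // authorized, no cert, wrong EKU
		fmt.Println(Handshake(p, "docker-host.example", c))
	}
}
```

With real files, the daemon side of this is /etc/docker/daemon.json carrying tlsverify, tlscacert, tlscert and tlskey plus a hosts entry for tcp://0.0.0.0:2376, and the client side is docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=docker-host.example:2376 version, or the equivalent DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH environment variables. Those key, flag and variable names are Docker's documented ones; the paths are placeholders.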
Port 2376 in the Ecosystem
Docker's port family serves distinct purposes:
| Port | Protocol | Purpose |
|---|---|---|
| 2375 | TCP | Docker REST API (unencrypted, dangerous) |
| 2376 | TCP | Docker REST API (TLS encrypted) |
| 2377 | TCP | Docker Swarm cluster management |
| 7946 | TCP/UDP | Swarm overlay network discovery |
| 4789 | UDP | Swarm overlay network traffic |
Port 2377 deserves special mention. When Docker introduced Swarm mode for container orchestration in 2016, it needed a port for cluster management separate from the container API. Port 2377 handles the Raft consensus protocol that keeps manager nodes synchronized, while 2376 remains the API endpoint for issuing commands to individual nodes.[13]
The Container Revolution
Docker's impact on software infrastructure is difficult to overstate. A 2024 Forrester study found enterprises adopting Docker reduced infrastructure costs by an average of 66% while increasing developer productivity by 43%.[14]
The container model, packaging applications with their dependencies into portable units, became the foundation of modern cloud-native architecture. Kubernetes rose as the orchestration layer, but Docker established the container format and tooling that made it all possible.
Port 2376 sits at the control plane of this infrastructure. Every remote docker run, every CI/CD pipeline that deploys to a Docker host, every monitoring tool that queries container status flows through this port when TLS is properly configured.