Socket exposure can be avoided by running jwilder's nginx and docker-gen containers separately as explained in his repo (you still bind to the docker socket but on a separate unexposed local container): https://github.com/jwilder/nginx-proxy/blob/master/README.md...
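One way to check a host for the condition described above, as an added example that is not part of the original comment or the nginx-proxy project: it reads `docker inspect`-style JSON and flags any container that both mounts the Docker socket and publishes ports. The container names and sample data are constructed for illustration.

```python
import json

# /var/run is commonly a symlink to /run, so accept both spellings.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample shaped like `docker inspect` output (names are made up).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/proxy-combined",
  "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/tmp/docker.sock", "RW": false}],
  "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
 {"Name": "/nginx",
  "Mounts": [{"Source": "/srv/nginx/conf.d", "Destination": "/etc/nginx/conf.d", "RW": true}],
  "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
 {"Name": "/docker-gen",
  "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/tmp/docker.sock", "RW": false}],
  "HostConfig": {"PortBindings": {}}}
]
""")

def mounts_socket(container):
    """True if any mount's host-side source is the Docker socket."""
    return any(m.get("Source") in SOCKET_PATHS for m in container.get("Mounts") or [])

def published_ports(container):
    """Container ports with at least one host binding (explicit -p only).
    Host networking and -P (publish-all) are not covered by this check."""
    bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
    return sorted(port for port, hosts in bindings.items() if hosts)

def audit(containers):
    """Return (name, status, ports) per container.
    EXPOSED     = socket mounted AND ports published (the combined setup)
    socket-only = socket mounted, nothing published (the split docker-gen)
    no-socket   = no socket mount (the split nginx)"""
    report = []
    for c in containers:
        name = c.get("Name", "").lstrip("/")
        sock, ports = mounts_socket(c), published_ports(c)
        status = "EXPOSED" if sock and ports else "socket-only" if sock else "no-socket"
        report.append((name, status, ports))
    return report

if __name__ == "__main__":
    for name, status, ports in audit(SAMPLE_INSPECT):
        print(f"{name:16} {status:12} {', '.join(ports) or '-'}")
```

On a real host, feed it the parsed output of `docker inspect $(docker ps -q)` instead of the sample.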