Port 2375 / 2376 — Docker Daemon

The Docker daemon (dockerd) listens for API requests that control containers — starting, stopping, building images, pulling from registries. By default, it only listens on a Unix socket (/var/run/docker.sock), meaning only local processes can talk to it. But if you expose the API over TCP, it uses port 2375 (unencrypted) or port 2376 (TLS encrypted).

Security Warning: Never expose port 2375 to the internet without TLS. The Docker API has full root access to the host machine — anyone who can reach port 2375 can run any container, mount any volume, and effectively own your server. Always use port 2376 with TLS client certificates for remote access.

The Two Docker Ports

Port   Protocol             Security                               Use Case
2375   HTTP (unencrypted)   None — full root access to anyone      Local development only (never production)
2376   HTTPS (TLS)          Client certificate authentication      Secure remote Docker management

Enable TCP Access (Development Only)

On Docker Desktop (Windows/Mac), go to Settings → General → check "Expose daemon on tcp://localhost:2375 without TLS." This binds only to localhost, so nothing off the machine can reach it; it is safe for local use in the sense that exposure is limited to processes already running on your workstation.

On Linux, edit the Docker systemd service:

# Create override file
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo nano /etc/systemd/system/docker.service.d/override.conf

# Add:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375

# Reload and restart
sudo systemctl daemon-reload
sudo systemctl restart docker

Note: 127.0.0.1:2375 binds only to localhost. Using 0.0.0.0:2375 would expose it to the network — don't do this without TLS.
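To check an existing host for exactly this mistake, the following is an added audit script (not part of the original page and not a Docker tool) that reads the -H listeners from either the systemd ExecStart= line or from /etc/docker/daemon.json and flags plaintext TCP listeners bound to anything other than loopback; the two sample inputs are constructed.

```python
"""Audit a dockerd listener configuration for unencrypted TCP exposure."""
import ipaddress
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples: the loopback override above, and a daemon.json that (wrongly) listens everywhere without TLS.
SAMPLE_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375"
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

def parse_execstart(line: str) -> tuple[list[str], bool]:
    """Return (listeners, tlsverify) from a systemd ExecStart= line."""
    argv = shlex.split(line.split("=", 1)[1])
    hosts = []
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
    return hosts, any(t in ("--tlsverify", "--tlsverify=true") for t in argv)

def parse_daemon_json(text: str) -> tuple[list[str], bool]:
    """Same result from /etc/docker/daemon.json ('hosts' and 'tlsverify' keys)."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))

def classify(host: str, tlsverify: bool) -> tuple[str, str]:
    """Rate one listener as ('ok' | 'warn' | 'critical', reason)."""
    if host.startswith(("unix://", "fd://")):
        return "ok", f"{host}: local socket, guarded by file permissions"
    if not host.startswith("tcp://"):
        return "warn", f"{host}: unrecognised listener, review manually"
    addr = urlsplit(host).hostname or ""  # '' and '0.0.0.0' mean every interface
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:  # not a literal address, e.g. 'localhost' or a DNS name
        loopback = addr == "localhost"
    if tlsverify:
        return "ok", f"{host}: TLS with client-certificate verification"
    if loopback:
        return "warn", f"{host}: plaintext but loopback-only; any local process gets root-equivalent control"
    return "critical", f"{host}: plaintext API reachable from the network; root-equivalent access to the host"

def audit(hosts: list[str], tlsverify: bool) -> tuple[str, list[tuple[str, str]]]:
    """Classify every listener and return (worst severity, findings)."""
    findings = [classify(h, tlsverify) for h in hosts]
    worst = max((sev for sev, _ in findings), key={"ok": 0, "warn": 1, "critical": 2}.get, default="ok")
    return worst, findings

if __name__ == "__main__":
    print(audit(*parse_execstart(SAMPLE_EXECSTART)), audit(*parse_daemon_json(SAMPLE_DAEMON_JSON)), sep="\n")
```

On a real host, feed it the ExecStart= line from your override.conf or the contents of daemon.json; anything rated critical is the 0.0.0.0-without-TLS case the note above warns about.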

Secure Remote Access with TLS (Port 2376)

For production remote Docker management, use TLS with client certificates:

# Generate CA, server, and client certificates
# (simplified — use Docker's official docs for production)

# On the Docker host, configure with TLS:
dockerd --tlsverify \
  --tlscacert=ca.pem \
  --tlscert=server-cert.pem \
  --tlskey=server-key.pem \
  -H=0.0.0.0:2376

# Connect from client:
docker --tlsverify \
  --tlscacert=ca.pem \
  --tlscert=cert.pem \
  --tlskey=key.pem \
  -H=tcp://remote-host:2376 ps

Or set environment variables so you don't need flags every time:

export DOCKER_HOST=tcp://remote-host:2376
export DOCKER_TLS_VERIFY=1
# Directory must contain ca.pem, cert.pem and key.pem (the names the docker client looks for)
export DOCKER_CERT_PATH=~/.docker/certs

# Now regular docker commands work remotely
docker ps
docker images

Docker Context (Modern Approach)

Docker contexts make managing multiple remote Docker hosts cleaner than environment variables:

# Create a context for a remote host
docker context create my-server \
  --docker "host=tcp://remote-host:2376,ca=ca.pem,cert=cert.pem,key=key.pem"

# Switch to it
docker context use my-server

# Now all docker commands target the remote host
docker ps

# Switch back to local
docker context use default

SSH Alternative (Easiest)

The simplest way to manage Docker remotely — no TLS certificates needed. Docker can tunnel through SSH directly:

# Connect via SSH (requires Docker on both machines)
docker -H ssh://user@remote-host ps

# Or create a context
docker context create my-server --docker "host=ssh://user@remote-host"
docker context use my-server

This uses your existing SSH keys for authentication and encrypts everything. No need to open ports 2375 or 2376 at all.

Troubleshooting

"Cannot connect to the Docker daemon": The daemon isn't listening on TCP. Check if Docker is running (systemctl status docker) and whether TCP is enabled in the configuration.

"TLS handshake error": Certificate mismatch. Verify the CA, client cert, and server cert are all from the same CA chain. Check that the server certificate's Common Name or SAN matches the hostname you're connecting to.