docker-registry-proxy/entrypoint.sh

#! /bin/bash

set -Eeuo pipefail
trap "echo TRAPed signal" HUP INT QUIT TERM

# The list of SAN (Subject Alternative Names) for which we will create a TLS certificate.
ALLDOMAINS=""

# Interceptions map, which are the hosts that will be handled by the caching part.
# It should list exactly the same hosts we have created certificates for -- if not, Docker will get TLS errors, of course.
echo -n "" > /etc/nginx/docker.intercept.map

# Some hosts/registries are always needed, but others can be configured in env var REGISTRIES
for ONEREGISTRYIN in docker.caching.proxy.internal registry-1.docker.io auth.docker.io ${REGISTRIES}; do
    ONEREGISTRY=$(echo ${ONEREGISTRYIN} | xargs) # Remove whitespace
    echo "Adding certificate for registry: $ONEREGISTRY"
    ALLDOMAINS="${ALLDOMAINS},DNS:${ONEREGISTRY}"
    echo "${ONEREGISTRY} 127.0.0.1:443;" >> /etc/nginx/docker.intercept.map
done

# Clean the list and generate certificates.
export ALLDOMAINS=${ALLDOMAINS:1} # remove the first comma and export
/create_ca_cert.sh # This uses ALLDOMAINS to generate the certificates.

# Now handle the auth part.
echo -n "" > /etc/nginx/docker.auth.map

for ONEREGISTRYIN in ${AUTH_REGISTRIES}; do
    ONEREGISTRY=$(echo -n ${ONEREGISTRYIN} | xargs) # Remove whitespace
    AUTH_HOST=$(echo -n ${ONEREGISTRY} | cut -d ":" -f 1 | xargs)
    AUTH_USER=$(echo -n ${ONEREGISTRY} | cut -d ":" -f 2 | xargs)
    AUTH_PASS=$(echo -n ${ONEREGISTRY} | cut -d ":" -f 3 | xargs)
    AUTH_BASE64=$(echo -n ${AUTH_USER}:${AUTH_PASS} | base64 | xargs)
    echo "Adding Auth for registry '${AUTH_HOST}' with user '${AUTH_USER}'."
    echo "\"${AUTH_HOST}\" \"${AUTH_BASE64}\";" >> /etc/nginx/docker.auth.map
done

echo "" > /etc/nginx/docker.verify.ssl.conf
if [ "a$VERIFY_SSL" == "atrue" ]; then
    cat << EOD > /etc/nginx/docker.verify.ssl.conf
    # We actually wanna be secure and avoid mitm attacks.
    # Fitting, since this whole thing is a mitm...
    # We'll accept any cert signed by a CA trusted by Mozilla (ca-certificates in alpine)
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_verify_depth 2;
EOD
    echo "Upstream SSL certificate verification enabled."
fi 


echo "Testing nginx config..."
nginx -t

echo "Starting nginx! Have a nice day."
nginx -g "daemon off;"
completely reworked into an HTTPS_PROXY-based solution - emit our own certificates - configurable via ENVs - generates config dinamically 2018-06-28 23:39:02 +00:00			`#! /bin/bash`

			`set -Eeuo pipefail`
			`trap "echo TRAPed signal" HUP INT QUIT TERM`

			`# The list of SAN (Subject Alternative Names) for which we will create a TLS certificate.`
			`ALLDOMAINS=""`

			`# Interceptions map, which are the hosts that will be handled by the caching part.`
			`# It should list exactly the same hosts we have created certificates for -- if not, Docker will get TLS errors, of course.`
			`echo -n "" > /etc/nginx/docker.intercept.map`

			`# Some hosts/registries are always needed, but others can be configured in env var REGISTRIES`
			`for ONEREGISTRYIN in docker.caching.proxy.internal registry-1.docker.io auth.docker.io ${REGISTRIES}; do`
			`ONEREGISTRY=$(echo ${ONEREGISTRYIN} \| xargs) # Remove whitespace`
			`echo "Adding certificate for registry: $ONEREGISTRY"`
			`ALLDOMAINS="${ALLDOMAINS},DNS:${ONEREGISTRY}"`
			`echo "${ONEREGISTRY} 127.0.0.1:443;" >> /etc/nginx/docker.intercept.map`
			`done`

			`# Clean the list and generate certificates.`
			`export ALLDOMAINS=${ALLDOMAINS:1} # remove the first comma and export`
			`/create_ca_cert.sh # This uses ALLDOMAINS to generate the certificates.`

			`# Now handle the auth part.`
			`echo -n "" > /etc/nginx/docker.auth.map`

			`for ONEREGISTRYIN in ${AUTH_REGISTRIES}; do`
			`ONEREGISTRY=$(echo -n ${ONEREGISTRYIN} \| xargs) # Remove whitespace`
			`AUTH_HOST=$(echo -n ${ONEREGISTRY} \| cut -d ":" -f 1 \| xargs)`
			`AUTH_USER=$(echo -n ${ONEREGISTRY} \| cut -d ":" -f 2 \| xargs)`
			`AUTH_PASS=$(echo -n ${ONEREGISTRY} \| cut -d ":" -f 3 \| xargs)`
			`AUTH_BASE64=$(echo -n ${AUTH_USER}:${AUTH_PASS} \| base64 \| xargs)`
			`echo "Adding Auth for registry '${AUTH_HOST}' with user '${AUTH_USER}'."`
			`echo "\"${AUTH_HOST}\" \"${AUTH_BASE64}\";" >> /etc/nginx/docker.auth.map`
			`done`

			`echo "" > /etc/nginx/docker.verify.ssl.conf`
			`if [ "a$VERIFY_SSL" == "atrue" ]; then`
			`cat << EOD > /etc/nginx/docker.verify.ssl.conf`
			`# We actually wanna be secure and avoid mitm attacks.`
			`# Fitting, since this whole thing is a mitm...`
			`# We'll accept any cert signed by a CA trusted by Mozilla (ca-certificates in alpine)`
			`proxy_ssl_verify on;`
			`proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;`
			`proxy_ssl_verify_depth 2;`
			`EOD`
			`echo "Upstream SSL certificate verification enabled."`
			`fi`


			`echo "Testing nginx config..."`
			`nginx -t`

			`echo "Starting nginx! Have a nice day."`
			`nginx -g "daemon off;"`