docker-registry-proxy/Dockerfile

# We start from my nginx fork which includes the proxy-connect module from tEngine
# Source is available at https://github.com/rpardini/nginx-proxy-connect-stable-alpine
# This is already multi-arch!
ARG BASE_IMAGE="rpardini/nginx-proxy-connect-stable-alpine:nginx-1.18.0-alpine-3.12.0"
# Could be "-debug"
ARG BASE_IMAGE_SUFFIX=""
FROM ${BASE_IMAGE}${BASE_IMAGE_SUFFIX}

# apk packages that will be present in the final image both debug and release
RUN apk add --no-cache --update bash ca-certificates-bundle coreutils openssl

# If set to 1, enables building mitmproxy, which helps a lot in debugging, but is super heavy to build.
ARG DEBUG_BUILD="1"
ENV DO_DEBUG_BUILD="$DEBUG_BUILD"

# Build mitmproxy via pip. This is heavy, takes minutes do build and creates a 90mb+ layer. Oh well.
RUN [[ "a$DO_DEBUG_BUILD" == "a1" ]] && { echo "Debug build ENABLED." \
 && apk add --no-cache --update su-exec git g++ libffi libffi-dev libstdc++ openssl-dev python3 python3-dev py3-pip py3-wheel \
 && LDFLAGS=-L/lib pip install mitmproxy==4.0.4 \
 && apk del --purge git g++ libffi-dev openssl-dev python3-dev py3-pip py3-wheel \
 && rm -rf ~/.cache/pip \
 ; } || { echo "Debug build disabled." ; }

# Required for mitmproxy
ENV LANG=en_US.UTF-8

# Check the installed mitmproxy version, if built.
RUN [[ "a$DO_DEBUG_BUILD" == "a1" ]] && { mitmproxy --version ; } || { echo "Debug build disabled."; }

# Create the cache directory and CA directory
RUN mkdir -p /docker_mirror_cache /ca

# Expose it as a volume, so cache can be kept external to the Docker image
VOLUME /docker_mirror_cache

# Expose /ca as a volume. Users are supposed to volume mount this, as to preserve it across restarts.
# Actually, its required; if not, then docker clients will reject the CA certificate when the proxy is run the second time
VOLUME /ca

# Add our configuration
ADD nginx.conf /etc/nginx/nginx.conf

# Add our very hackish entrypoint and ca-building scripts, make them executable
ADD entrypoint.sh /entrypoint.sh
ADD create_ca_cert.sh /create_ca_cert.sh
RUN chmod +x /create_ca_cert.sh /entrypoint.sh

# Clients should only use 3128, not anything else.
EXPOSE 3128

# In debug mode, 8081 exposes the mitmweb interface.
EXPOSE 8081

## Default envs.
# A space delimited list of registries we should proxy and cache; this is in addition to the central DockerHub.
ENV REGISTRIES="k8s.gcr.io gcr.io quay.io"
# A space delimited list of registry:user:password to inject authentication for
ENV AUTH_REGISTRIES="some.authenticated.registry:oneuser:onepassword another.registry:user:password"
# Should we verify upstream's certificates? Default to true.
ENV VERIFY_SSL="true"
# Enable debugging mode; this inserts mitmproxy/mitmweb between the CONNECT proxy and the caching layer
ENV DEBUG="false"
# Enable nginx debugging mode; this uses nginx-debug binary and enabled debug logging, which is VERY verbose so separate setting
ENV DEBUG_NGINX="false"

# Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.
ENTRYPOINT ["/entrypoint.sh"]
completely reworked into an HTTPS_PROXY-based solution - emit our own certificates - configurable via ENVs - generates config dinamically 2018-06-28 23:39:02 +00:00			`# We start from my nginx fork which includes the proxy-connect module from tEngine`
			`# Source is available at https://github.com/rpardini/nginx-proxy-connect-stable-alpine`
GitHub Actions: multiarch build, new -debug version, much lighter layers 2020-10-07 23:57:49 +00:00			`# This is already multi-arch!`
			`ARG BASE_IMAGE="rpardini/nginx-proxy-connect-stable-alpine:nginx-1.18.0-alpine-3.12.0"`
			`# Could be "-debug"`
			`ARG BASE_IMAGE_SUFFIX=""`
			`FROM ${BASE_IMAGE}${BASE_IMAGE_SUFFIX}`

			`# apk packages that will be present in the final image both debug and release`
			`RUN apk add --no-cache --update bash ca-certificates-bundle coreutils openssl`
introduce Docker build-args: - BASE_IMAGE, used in FROM line - DEBUG_BUILD, build mitmproxy or not 2020-06-08 12:49:21 +00:00
			`# If set to 1, enables building mitmproxy, which helps a lot in debugging, but is super heavy to build.`
			`ARG DEBUG_BUILD="1"`
			`ENV DO_DEBUG_BUILD="$DEBUG_BUILD"`
initial commit 2018-06-27 11:08:09 +00:00
GitHub Actions: multiarch build, new -debug version, much lighter layers 2020-10-07 23:57:49 +00:00			`# Build mitmproxy via pip. This is heavy, takes minutes do build and creates a 90mb+ layer. Oh well.`
upgrade to nginx-1.18.0-alpine-3.12; alpine 3.12 changed a lot of python/pip/wheel stuff 2020-09-22 08:15:15 +00:00			`RUN [[ "a$DO_DEBUG_BUILD" == "a1" ]] && { echo "Debug build ENABLED." \`
GitHub Actions: multiarch build, new -debug version, much lighter layers 2020-10-07 23:57:49 +00:00			`&& apk add --no-cache --update su-exec git g++ libffi libffi-dev libstdc++ openssl-dev python3 python3-dev py3-pip py3-wheel \`
upgrade to nginx-1.18.0-alpine-3.12; alpine 3.12 changed a lot of python/pip/wheel stuff 2020-09-22 08:15:15 +00:00			`&& LDFLAGS=-L/lib pip install mitmproxy==4.0.4 \`
GitHub Actions: multiarch build, new -debug version, much lighter layers 2020-10-07 23:57:49 +00:00			`&& apk del --purge git g++ libffi-dev openssl-dev python3-dev py3-pip py3-wheel \`
introduce Docker build-args: - BASE_IMAGE, used in FROM line - DEBUG_BUILD, build mitmproxy or not 2020-06-08 12:49:21 +00:00			`&& rm -rf ~/.cache/pip \`
GitHub Actions: multiarch build, new -debug version, much lighter layers 2020-10-07 23:57:49 +00:00			`; } \|\| { echo "Debug build disabled." ; }`
add mitmproxy/nginx-debug inspection capabilities - avoid some caching for non-blob urls 2018-11-04 10:23:52 +00:00
			`# Required for mitmproxy`
			`ENV LANG=en_US.UTF-8`

introduce Docker build-args: - BASE_IMAGE, used in FROM line - DEBUG_BUILD, build mitmproxy or not 2020-06-08 12:49:21 +00:00			`# Check the installed mitmproxy version, if built.`
upgrade to nginx-1.18.0-alpine-3.12; alpine 3.12 changed a lot of python/pip/wheel stuff 2020-09-22 08:15:15 +00:00			`RUN [[ "a$DO_DEBUG_BUILD" == "a1" ]] && { mitmproxy --version ; } \|\| { echo "Debug build disabled."; }`
initial commit 2018-06-27 11:08:09 +00:00
completely reworked into an HTTPS_PROXY-based solution - emit our own certificates - configurable via ENVs - generates config dinamically 2018-06-28 23:39:02 +00:00			`# Create the cache directory and CA directory`
			`RUN mkdir -p /docker_mirror_cache /ca`
initial commit 2018-06-27 11:08:09 +00:00
			`# Expose it as a volume, so cache can be kept external to the Docker image`
			`VOLUME /docker_mirror_cache`

completely reworked into an HTTPS_PROXY-based solution - emit our own certificates - configurable via ENVs - generates config dinamically 2018-06-28 23:39:02 +00:00			`# Expose /ca as a volume. Users are supposed to volume mount this, as to preserve it across restarts.`
			`# Actually, its required; if not, then docker clients will reject the CA certificate when the proxy is run the second time`
			`VOLUME /ca`

initial commit 2018-06-27 11:08:09 +00:00			`# Add our configuration`
			`ADD nginx.conf /etc/nginx/nginx.conf`

completely reworked into an HTTPS_PROXY-based solution - emit our own certificates - configurable via ENVs - generates config dinamically 2018-06-28 23:39:02 +00:00			`# Add our very hackish entrypoint and ca-building scripts, make them executable`
			`ADD entrypoint.sh /entrypoint.sh`
			`ADD create_ca_cert.sh /create_ca_cert.sh`
			`RUN chmod +x /create_ca_cert.sh /entrypoint.sh`

			`# Clients should only use 3128, not anything else.`
			`EXPOSE 3128`

add mitmproxy/nginx-debug inspection capabilities - avoid some caching for non-blob urls 2018-11-04 10:23:52 +00:00			`# In debug mode, 8081 exposes the mitmweb interface.`
			`EXPOSE 8081`

completely reworked into an HTTPS_PROXY-based solution - emit our own certificates - configurable via ENVs - generates config dinamically 2018-06-28 23:39:02 +00:00			`## Default envs.`
			`# A space delimited list of registries we should proxy and cache; this is in addition to the central DockerHub.`
			`ENV REGISTRIES="k8s.gcr.io gcr.io quay.io"`
			`# A space delimited list of registry:user:password to inject authentication for`
			`ENV AUTH_REGISTRIES="some.authenticated.registry:oneuser:onepassword another.registry:user:password"`
			`# Should we verify upstream's certificates? Default to true.`
			`ENV VERIFY_SSL="true"`
add mitmproxy/nginx-debug inspection capabilities - avoid some caching for non-blob urls 2018-11-04 10:23:52 +00:00			`# Enable debugging mode; this inserts mitmproxy/mitmweb between the CONNECT proxy and the caching layer`
disable debug by default; fixes #9 2019-01-16 19:53:45 +00:00			`ENV DEBUG="false"`
completely reworked caching, now cache by exception (/blobs/ only essentially) - now only /v2/.../blobs/... URIs are actually cached (together with their redirect catchers) - /manifests/, /token, and /v2/ are not cached anymore, which should solve a lot of problems - better messages for /v1 attempts - fix usage of $connect_host:443 (which is hostname:port and causes errors to be logged) to $connect_addr (which returns an IP:port) in the proxy layer 2018-11-04 15:43:53 +00:00			`# Enable nginx debugging mode; this uses nginx-debug binary and enabled debug logging, which is VERY verbose so separate setting`
			`ENV DEBUG_NGINX="false"`
completely reworked into an HTTPS_PROXY-based solution - emit our own certificates - configurable via ENVs - generates config dinamically 2018-06-28 23:39:02 +00:00
completely reworked caching, now cache by exception (/blobs/ only essentially) - now only /v2/.../blobs/... URIs are actually cached (together with their redirect catchers) - /manifests/, /token, and /v2/ are not cached anymore, which should solve a lot of problems - better messages for /v1 attempts - fix usage of $connect_host:443 (which is hostname:port and causes errors to be logged) to $connect_addr (which returns an IP:port) in the proxy layer 2018-11-04 15:43:53 +00:00			`# Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.`
introduce Docker build-args: - BASE_IMAGE, used in FROM line - DEBUG_BUILD, build mitmproxy or not 2020-06-08 12:49:21 +00:00			`ENTRYPOINT ["/entrypoint.sh"]`