diff --git a/Dockerfile b/Dockerfile index 48d0662..a5238ec 100644 --- a/Dockerfile +++ b/Dockerfile @@ -94,5 +94,8 @@ ENV MANIFEST_CACHE_SECONDARY_TIME="60d" # In the default config, :latest and other frequently-used tags will get this value. ENV MANIFEST_CACHE_DEFAULT_TIME="1h" +# Should we allow actions different than pull, default to false. +ENV ALLOW_PUSH="false" + # Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally. ENTRYPOINT ["/entrypoint.sh"] diff --git a/entrypoint.sh b/entrypoint.sh index 5ff820a..039c87e 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -121,6 +121,29 @@ echo "Manifest caching config: ---" cat /etc/nginx/nginx.manifest.caching.config.conf echo "---" +if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then + cat < /etc/nginx/conf.d/allowed.methods.conf + # allow to upload big layers + client_max_body_size 0; + + # only cache GET requests + proxy_cache_methods GET; +EOF +else + cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf + # Block POST/PUT/DELETE. Don't use this proxy for pushing. + if ($request_method = POST) { + return 405 "POST method is not allowed"; + } + if ($request_method = PUT) { + return 405 "PUT method is not allowed"; + } + if ($request_method = DELETE) { + return 405 "DELETE method is not allowed"; + } +EOF +fi + # normally use non-debug version of nginx NGINX_BIN="/usr/sbin/nginx" diff --git a/nginx.conf b/nginx.conf index d09c0b8..24bb5c9 100644 --- a/nginx.conf +++ b/nginx.conf 
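Review bot: The comment above `ENV ALLOW_PUSH="false"` does not say which value enables the feature or what enabling it exposes. The entrypoint.sh hunk in this commit compares against the exact string `true`, so `True`, `1` or `yes` leave the proxy pull-only; that fails closed, but it should be stated. Suggested wording: `# Set to "true" (exact, lowercase) to let POST/PUT/DELETE through the proxy and lift the request body size limit; any other value keeps the 405 blocks.`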
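Review bot: In the `ALLOW_PUSH=true` branch the generated file drops every method block and sets `client_max_body_size 0;`, so any client that can reach the proxy may send write requests with no size bound, and nothing in this hunk narrows who may do so. A bounded, overridable limit would be safer than unlimited. If the proxy attaches upstream credentials on behalf of clients (not visible in this diff), the documentation should say that enabling push extends those credentials to write operations. The pull-only branch still does not reject PATCH, which the registry API uses for chunked blob uploads; `if ($request_method = PATCH) { return 405 "PATCH method is not allowed"; }` would cover it. As shown, the first branch reads `cat < /etc/nginx/conf.d/allowed.methods.conf`, an input redirect rather than a heredoc; this was presumably `cat <<EOF > …` before the page was rendered and is worth confirming against the repository.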
@@ -219,16 +219,8 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/" # Docker needs this. Don't ask. chunked_transfer_encoding on; - # Block POST/PUT/DELETE. Don't use this proxy for pushing. - if ($request_method = POST) { - return 405 "POST method is not allowed"; - } - if ($request_method = PUT) { - return 405 "PUT method is not allowed"; - } - if ($request_method = DELETE) { - return 405 "DELETE method is not allowed"; - } + # configuration of the different allowed methods + include "/etc/nginx/conf.d/allowed.methods.conf"; proxy_read_timeout 900;
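Review bot: The new comment above the `include` does not say that the method policy is now written by entrypoint.sh at container start, so a reader of nginx.conf can no longer see that the default is deny. Suggested comment: `# Generated by entrypoint.sh from ALLOW_PUSH: 405 on POST/PUT/DELETE unless ALLOW_PUSH="true".` Also check that nginx.conf has no wildcard `include /etc/nginx/conf.d/*.conf;` at `http` level (not visible here), since the generated `if` blocks are not valid in that context and nginx would refuse to start. The enclosing block begins and ends outside the hunk.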