RPJosh
/
docker-registry-proxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow override with own authentication if provided (#61)

pull/78/head
gw0 2021-02-18 15:11:04 +01:00
parent ce3c77b62a
commit 9a3beba6ab
4 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Dockerfile
View File

@ -94,6 +94,9 @@ ENV MANIFEST_CACHE_SECONDARY_TIME="60d"
# In the default config, :latest and other frequently-used tags will get this value.
ENV MANIFEST_CACHE_DEFAULT_TIME="1h"
# Should we allow overridding with own authentication, default to false.
ENV ALLOW_OWN_AUTH="false"
# Should we allow actions different than pull, default to false.
ENV ALLOW_PUSH="false"

1
README.md
View File

@ -79,6 +79,7 @@ for this to work it requires inserting a root CA certificate into system trusted
- Expose port 3128 to the network
- Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
- Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
- Env `ALLOW_OWN_AUTH` (default `false`): Allow overridding the `AUTH_REGISTRIES` authentication with own Docker credentials if provided (to support `docker login` as another user).
- Env `ALLOW_PUSH` : This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
- Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
- Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.

11
entrypoint.sh
View File

@ -137,6 +137,17 @@ echo -e "\nManifest caching config: ---\n"
cat /etc/nginx/nginx.manifest.caching.config.conf
echo "---"
if [[ "a${ALLOW_OWN_AUTH}" == "atrue" ]]; then
cat << 'EOF' > /etc/nginx/conf.d/allowed_override_auth.conf
if ($http_authorization != "") {
# override with own authentication if provided
set $finalAuth $http_authorization;
}
EOF
else
echo '' > /etc/nginx/conf.d/allowed_override_auth.conf
fi
if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
cat <<EOF > /etc/nginx/conf.d/allowed.methods.conf
# allow to upload big layers

1
nginx.conf
View File

@ -245,6 +245,7 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
# Add the authentication info, if the map matched the target domain.
include "/etc/nginx/conf.d/allowed_override_auth.conf";
proxy_set_header Authorization $finalAuth;
# Use SNI during the TLS handshake with the upstream.