diff --git a/Dockerfile b/Dockerfile
index 47d9b63..85b6b5c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,7 @@ ARG DEBUG_BUILD="0"
 ENV DO_DEBUG_BUILD="$DEBUG_BUILD"
 # Build mitmproxy via pip. This is heavy, takes minutes do build and creates a 90mb+ layer. Oh well.
-RUN [[ "a$DO_DEBUG_BUILD" == "a1" ]] && { echo "Debug build ENABLED." \
+RUN [ "$DO_DEBUG_BUILD" = "1" ] && { echo "Debug build ENABLED." \
 && apk add --no-cache --update su-exec git g++ libffi libffi-dev libstdc++ openssl-dev python3 python3-dev py3-pip py3-wheel py3-six py3-idna py3-certifi py3-setuptools \
 && LDFLAGS=-L/lib pip install mitmproxy==5.2 \
 && apk del --purge git g++ libffi-dev openssl-dev python3-dev py3-pip py3-wheel \
@@ -28,7 +28,7 @@ RUN [[ "a$DO_DEBUG_BUILD" == "a1" ]] && { echo "Debug build ENABLED." \
 ENV LANG=en_US.UTF-8
 # Check the installed mitmproxy version, if built.
-RUN [[ "a$DO_DEBUG_BUILD" == "a1" ]] && { mitmproxy --version && mitmweb --version ; } || { echo "Debug build disabled."; }
+RUN [ "$DO_DEBUG_BUILD" = "1" ] && { mitmproxy --version && mitmweb --version ; } || { echo "Debug build disabled."; }
 # Create the cache directory and CA directory
 RUN mkdir -p /docker_mirror_cache /ca
diff --git a/entrypoint.sh b/entrypoint.sh
index 37acf0c..2c3e596 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -5,7 +5,7 @@ trap "echo TRAPed signal" HUP INT QUIT TERM
 #configure nginx DNS settings to match host, why must we do that nginx?
 export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
-if [ "x$RESOLVERS" = "x" ]; then
+if [ -z "$RESOLVERS" ]; then
 echo "Warning: unable to determine DNS resolvers for nginx" >&2
 exit 66
 fi
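Review bot: The new `RUN [ "$DO_DEBUG_BUILD" = "1" ] && { mitmproxy --version && mitmweb --version ; } || { echo "Debug build disabled."; }` in the @@ -28 hunk keeps the `a && b || c` shape, so when the flag is set and either version check fails, the `||` branch runs, prints "Debug build disabled." and the step exits 0, which hides a broken mitmproxy install in the debug image. An `if` keeps the two outcomes distinct: `RUN if [ "$DO_DEBUG_BUILD" = "1" ]; then mitmproxy --version && mitmweb --version; else echo "Debug build disabled."; fi`. The first RUN at @@ -17 ends in a continuation line, so its tail is outside the hunk; if it closes with the same `|| { ... }` fallback, the apk and pip steps there are masked in the same way.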
@@ -20,7 +20,7 @@ done
 echo "Final chosen resolver: $conf"
 confpath=/etc/nginx/resolvers.conf
-if [ ! -e $confpath ] || [ "$conf" != "$(cat $confpath)" ]
+if [ ! -e "$confpath" ] || [ "$conf" != "$(cat "$confpath")" ]
 then
 echo "Using auto-determined resolver '$conf' via '$confpath'"
 echo "$conf" > $confpath
@@ -55,7 +55,7 @@ echo -n "" > /etc/nginx/docker.targetHost.map
 echo -n "" > /etc/nginx/docker.auth.map
 # Only configure auth registries if the env var contains values
-if [ "$AUTH_REGISTRIES" ]; then
+if [ -n "$AUTH_REGISTRIES" ]; then
 # Ref: https://stackoverflow.com/a/47633817/219530
 AUTH_REGISTRIES_DELIMITER=${AUTH_REGISTRIES_DELIMITER:-" "}
 s=$AUTH_REGISTRIES$AUTH_REGISTRIES_DELIMITER
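Review bot: In the @@ -20 hunk, `$confpath` is now quoted in both tests on the changed line, but the write three lines down, `echo "$conf" > $confpath`, is left bare; for consistency with the new line it should read `echo "$conf" > "$confpath"`. The variable is assigned a fixed literal path just above, so this is a style point rather than a defect, but mixing quoted and unquoted uses of the same variable in one block is what later edits trip over.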
@@ -94,58 +94,57 @@ echo "proxy_cache_path /docker_mirror_cache levels=1:2 max_size=$CACHE_MAX_SIZE
 # Manifest caching configuration. We generate config based on the environment vars.
 echo -n "" >/etc/nginx/nginx.manifest.caching.config.conf
-[[ "a${ENABLE_MANIFEST_CACHE}" == "atrue" ]] && [[ "a${MANIFEST_CACHE_PRIMARY_REGEX}" != "a" ]] && cat <>/etc/nginx/nginx.manifest.caching.config.conf
+if [ "${ENABLE_MANIFEST_CACHE}" = "true" ]; then
+ [ -n "${MANIFEST_CACHE_PRIMARY_REGEX}" ] && cat <>/etc/nginx/nginx.manifest.caching.config.conf
 # First tier caching of manifests; configure via MANIFEST_CACHE_PRIMARY_REGEX and MANIFEST_CACHE_PRIMARY_TIME
 location ~ ^/v2/(.*)/manifests/${MANIFEST_CACHE_PRIMARY_REGEX} {
 set \$docker_proxy_request_type "manifest-primary";
 proxy_cache_valid ${MANIFEST_CACHE_PRIMARY_TIME};
 include "/etc/nginx/nginx.manifest.stale.conf";
 }
-EOD
-
-[[ "a${ENABLE_MANIFEST_CACHE}" == "atrue" ]] && [[ "a${MANIFEST_CACHE_SECONDARY_REGEX}" != "a" ]] && cat <>/etc/nginx/nginx.manifest.caching.config.conf
+EOF
+ [ -n "${MANIFEST_CACHE_SECONDARY_REGEX}" ] && cat <>/etc/nginx/nginx.manifest.caching.config.conf
 # Secondary tier caching of manifests; configure via MANIFEST_CACHE_SECONDARY_REGEX and MANIFEST_CACHE_SECONDARY_TIME
 location ~ ^/v2/(.*)/manifests/${MANIFEST_CACHE_SECONDARY_REGEX} {
 set \$docker_proxy_request_type "manifest-secondary";
 proxy_cache_valid ${MANIFEST_CACHE_SECONDARY_TIME};
 include "/etc/nginx/nginx.manifest.stale.conf";
 }
-EOD
-
-[[ "a${ENABLE_MANIFEST_CACHE}" == "atrue" ]] && cat <>/etc/nginx/nginx.manifest.caching.config.conf
+EOF
+ cat <>/etc/nginx/nginx.manifest.caching.config.conf
 # Default tier caching for manifests.
Caches for ${MANIFEST_CACHE_DEFAULT_TIME} (from MANIFEST_CACHE_DEFAULT_TIME)
 location ~ ^/v2/(.*)/manifests/ {
 set \$docker_proxy_request_type "manifest-default";
 proxy_cache_valid ${MANIFEST_CACHE_DEFAULT_TIME};
 include "/etc/nginx/nginx.manifest.stale.conf";
 }
-EOD
-
-[[ "a${ENABLE_MANIFEST_CACHE}" != "atrue" ]] && cat <>/etc/nginx/nginx.manifest.caching.config.conf
+EOF
+else
+ cat <>/etc/nginx/nginx.manifest.caching.config.conf
 # Manifest caching is disabled. Enable it with ENABLE_MANIFEST_CACHE=true
 location ~ ^/v2/(.*)/manifests/ {
 set \$docker_proxy_request_type "manifest-default-disabled";
 proxy_cache_valid 0s;
 include "/etc/nginx/nginx.manifest.stale.conf";
 }
-EOD
+EOF
+fi
 echo -e "\nManifest caching config: ---\n"
 cat /etc/nginx/nginx.manifest.caching.config.conf
 echo "---"
-if [[ "a${ALLOW_OWN_AUTH}" == "atrue" ]]; then
- cat << 'EOF' > /etc/nginx/conf.d/allowed_override_auth.conf
+echo -n "" > /etc/nginx/conf.d/allowed_override_auth.conf
+if [ "${ALLOW_OWN_AUTH}" = "true" ]; then
+ cat <<'EOF' > /etc/nginx/conf.d/allowed_override_auth.conf
 if ($http_authorization != "") {
 # override with own authentication if provided
 set $finalAuth $http_authorization;
 }
 EOF
-else
- echo '' > /etc/nginx/conf.d/allowed_override_auth.conf
 fi
-if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
+if [ "${ALLOW_PUSH}" = "true" ]; then
 cat < /etc/nginx/conf.d/allowed.methods.conf
 # allow to upload big layers
 client_max_body_size 0;
@@ -153,8 +152,8 @@ if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
 # only cache GET requests
 proxy_cache_methods GET;
 EOF
-elif [[ "a${ALLOW_PUSH_WITH_OWN_AUTH}" == "atrue" ]]; then
- cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
+elif [ "${ALLOW_PUSH_WITH_OWN_AUTH}" = "true" ]; then
+ cat <<'EOF' > /etc/nginx/conf.d/allowed.methods.conf
 # Block POST/PUT/DELETE if own authentication is not provided.
 set $combined_ha_rm "$http_authorization$request_method";
 if ($combined_ha_rm = POST) {
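Review bot: The added `echo -n "" > /etc/nginx/conf.d/allowed_override_auth.conf` in the @@ -94 hunk, and the same pattern added at @@ -252 and @@ -271, depends on `echo -n`, which POSIX does not specify; since the rest of the commit swaps `[[ ... ]]` for `[ ... ]`, presumably to run under a plain `sh`, an `echo` without `-n` support could leave the literal text `-n ` in the file instead of truncating it. A portable truncation that needs no flags is `: > /etc/nginx/conf.d/allowed_override_auth.conf`. The pre-existing `echo -e` lines left as context in this hunk have the same portability caveat, though the commit does not touch them.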
@@ -196,8 +195,8 @@ fi
 # normally use non-debug version of nginx
 NGINX_BIN="/usr/sbin/nginx"
-if [[ "a${DEBUG}" == "atrue" ]]; then
- if [[ ! -f /usr/bin/mitmweb ]]; then
+if [ "${DEBUG}" = "true" ]; then
+ if [ ! -f /usr/bin/mitmweb ]; then
 echo "To debug, you need the -debug version of this image, eg: :latest-debug"
 exit 3
 fi
@@ -215,8 +214,8 @@ if [[ "a${DEBUG}" == "atrue" ]]; then
 echo "Access mitmweb via http://127.0.0.1:8081/ "
 fi
-if [[ "a${DEBUG_HUB}" == "atrue" ]]; then
- if [[ ! -f /usr/bin/mitmweb ]]; then
+if [ "${DEBUG_HUB}" = "true" ]; then
+ if [ ! -f /usr/bin/mitmweb ]; then
 echo "To debug, you need the -debug version of this image, eg: :latest-debug"
 exit 3
 fi
@@ -238,8 +237,8 @@ if [[ "a${DEBUG_HUB}" == "atrue" ]]; then
 echo "Access mitmweb for outgoing DockerHub requests via http://127.0.0.1:8082/ "
 fi
-if [[ "a${DEBUG_NGINX}" == "atrue" ]]; then
- if [[ ! -f /usr/sbin/nginx-debug ]]; then
+if [ "${DEBUG_NGINX}" = "true" ]; then
+ if [ ! -f /usr/sbin/nginx-debug ]; then
 echo "To debug, you need the -debug version of this image, eg: :latest-debug"
 exit 4
 fi
@@ -252,8 +251,8 @@ fi
 # Timeout configurations
-echo "" > /etc/nginx/nginx.timeouts.config.conf
-cat <>/etc/nginx/nginx.timeouts.config.conf
+echo -n "" > /etc/nginx/nginx.timeouts.config.conf
+cat <>/etc/nginx/nginx.timeouts.config.conf
 # Timeouts
 # ngx_http_core_module
@@ -271,23 +270,23 @@ cat <>/etc/nginx/nginx.timeouts.config.conf
 proxy_connect_read_timeout ${PROXY_CONNECT_READ_TIMEOUT};
 proxy_connect_connect_timeout ${PROXY_CONNECT_CONNECT_TIMEOUT};
 proxy_connect_send_timeout ${PROXY_CONNECT_SEND_TIMEOUT};
-EOD
+EOF
 echo -e "\nTimeout configs: ---"
 cat /etc/nginx/nginx.timeouts.config.conf
 echo -e "---\n"
 # Upstream SSL verification.
-echo "" > /etc/nginx/docker.verify.ssl.conf
-if [[ "a${VERIFY_SSL}" == "atrue" ]]; then
- cat << EOD > /etc/nginx/docker.verify.ssl.conf
+echo -n "" > /etc/nginx/docker.verify.ssl.conf
+if [ "${VERIFY_SSL}" = "true" ]; then
+ cat < /etc/nginx/docker.verify.ssl.conf
 # We actually wanna be secure and avoid mitm attacks.
 # Fitting, since this whole thing is a mitm...
 # We'll accept any cert signed by a CA trusted by Mozilla (ca-certificates-bundle in alpine)
 proxy_ssl_verify on;
 proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 proxy_ssl_verify_depth 2;
-EOD
+EOF
 echo "Upstream SSL certificate verification enabled."
 else
 echo "Upstream SSL certificate verification is DISABLED."
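Review bot: The new `if [ "${VERIFY_SSL}" = "true" ]; then` fails open: any other spelling of the value (`True`, `1`, `yes`) or a typo falls through to the `else` branch and runs with upstream certificate verification switched off, which is the less safe of the two configurations and the opposite of what the operator asked for. Normalising the value once before the comparison, e.g. `VERIFY_SSL=$(printf '%s' "${VERIFY_SSL}" | tr '[:upper:]' '[:lower:]')`, narrows that gap, and the disabled-path message should name what was actually seen so a misconfiguration is visible in the container log: `echo "Upstream SSL certificate verification is DISABLED (VERIFY_SSL='${VERIFY_SSL}')."`. The same exact-match test is used for the other flags in this commit, but those toggle debugging and caching rather than TLS validation. The `if`/`else` block continues past the end of the hunk.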