RPJosh
/
docker-registry-proxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow push only if own authentication is provided

pull/78/head
gw0 2021-02-18 15:12:57 +01:00
parent 9a3beba6ab
commit c1a433dc9c
3 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -99,6 +99,8 @@ ENV ALLOW_OWN_AUTH="false"
# Should we allow actions different than pull, default to false.
ENV ALLOW_PUSH="false"
# Should we allow push only with own authentication, default to false.
ENV ALLOW_PUSH_WITH_OWN_AUTH="false"
# Timeouts
# ngx_http_core_module

3
README.md
View File

@ -80,7 +80,8 @@ for this to work it requires inserting a root CA certificate into system trusted
- Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
- Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
- Env `ALLOW_OWN_AUTH` (default `false`): Allow overridding the `AUTH_REGISTRIES` authentication with own Docker credentials if provided (to support `docker login` as another user).
- Env `ALLOW_PUSH` : This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
- Env `ALLOW_PUSH` (default `false`): This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
- Env `ALLOW_PUSH_WITH_OWN_AUTH` (default `false`): Allow bypassing the proxy when pushing only if own authentication is provided.
- Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
- Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.
- Env `REGISTRIES`: space separated list of registries to cache; no need to include DockerHub, its already done internally.

25
entrypoint.sh
View File

@ -156,6 +156,31 @@ if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
# only cache GET requests
proxy_cache_methods GET;
EOF
elif [[ "a${ALLOW_PUSH_WITH_OWN_AUTH}" == "atrue" ]]; then
cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
# Block POST/PUT/DELETE if own authentication is not provided.
set $combined_ha_rm "$http_authorization$request_method";
if ($combined_ha_rm = POST) {
return 405 "POST method is not allowed";
}
if ($combined_ha_rm = PUT) {
return 405 "PUT method is not allowed";
}
if ($combined_ha_rm = DELETE) {
return 405 "DELETE method is not allowed";
}
if ($http_authorization != "") {
# override with own authentication if provided
set $finalAuth $http_authorization;
}
# allow to upload big layers
client_max_body_size 0;
# only cache GET requests
proxy_cache_methods GET;
EOF
else
cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
# Block POST/PUT/DELETE. Don't use this proxy for pushing.