From c1a433dc9c702d15528a478cb6b1794cb45fb822 Mon Sep 17 00:00:00 2001
From: gw0
Date: Thu, 18 Feb 2021 15:12:57 +0100
Subject: [PATCH] Allow push only if own authentication is provided

---
 Dockerfile | 2 ++
 README.md | 3 ++-
 entrypoint.sh | 25 +++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1f7b720..e47d356 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -99,6 +99,8 @@ ENV ALLOW_OWN_AUTH="false"
 
 # Should we allow actions different than pull, default to false.
 ENV ALLOW_PUSH="false"
+# Should we allow push only with own authentication, default to false.
+ENV ALLOW_PUSH_WITH_OWN_AUTH="false"
 
 # Timeouts
 # ngx_http_core_module
diff --git a/README.md b/README.md
index d8ccc96..e92f911 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,8 @@ for this to work it requires inserting a root CA certificate into system trusted
 - Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
 - Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
 - Env `ALLOW_OWN_AUTH` (default `false`): Allow overridding the `AUTH_REGISTRIES` authentication with own Docker credentials if provided (to support `docker login` as another user).
-- Env `ALLOW_PUSH` : This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
+- Env `ALLOW_PUSH` (default `false`): This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
+- Env `ALLOW_PUSH_WITH_OWN_AUTH` (default `false`): Allow bypassing the proxy when pushing only if own authentication is provided.
 - Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
 - Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.
 - Env `REGISTRIES`: space separated list of registries to cache; no need to include DockerHub, its already done internally.
diff --git a/entrypoint.sh b/entrypoint.sh
index 7e20be8..26d7b89 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -156,6 +156,31 @@ if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
 # only cache GET requests
 proxy_cache_methods GET;
 EOF
+elif [[ "a${ALLOW_PUSH_WITH_OWN_AUTH}" == "atrue" ]]; then
+ cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
+ # Block POST/PUT/DELETE if own authentication is not provided.
+ set $combined_ha_rm "$http_authorization$request_method";
+ if ($combined_ha_rm = POST) {
+ return 405 "POST method is not allowed";
+ }
+ if ($combined_ha_rm = PUT) {
+ return 405 "PUT method is not allowed";
+ }
+ if ($combined_ha_rm = DELETE) {
+ return 405 "DELETE method is not allowed";
+ }
+
+ if ($http_authorization != "") {
+ # override with own authentication if provided
+ set $finalAuth $http_authorization;
+ }
+
+ # allow to upload big layers
+ client_max_body_size 0;
+
+ # only cache GET requests
+ proxy_cache_methods GET;
+EOF
 else
 cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
 # Block POST/PUT/DELETE. Don't use this proxy for pushing.
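Review bot: A PATCH request without an Authorization header is not rejected in the new `elif` branch, because the `$combined_ha_rm` checks cover only POST, PUT and DELETE, yet the registry blob-upload protocol sends layer chunks with PATCH; since `$finalAuth` is left untouched when the header is empty, such a request would presumably go upstream with the proxy's configured `AUTH_REGISTRIES` credentials, which is exactly what this branch is meant to prevent, so add `if ($combined_ha_rm = PATCH) { return 405 "PATCH method is not allowed"; }` beside the other three (the existing `else` branch shown in context has the same omission, but there pushes are blocked by design). The `if ($http_authorization != "")` override that follows is not limited to write methods, so enabling ALLOW_PUSH_WITH_OWN_AUTH also turns on ALLOW_OWN_AUTH behaviour for every request carrying an Authorization header; if that coupling is intended, state it in the heredoc with `# also overrides the configured auth on GET/HEAD when a client sends its own (implies ALLOW_OWN_AUTH)`, and if not, guard the override with the same method test. Note that the gate is only a presence check (any non-empty Authorization value passes it), so the upstream registry, not this proxy, is what actually authorises a push; a one-line comment saying so above the `set $combined_ha_rm` line would prevent readers from assuming the proxy validates credentials. The README line added in this commit calls the option "bypassing the proxy", but unlike ALLOW_PUSH this branch proxies the write through nginx, so that wording should be aligned with the code. The `if`/`elif`/`else` chain begins before this hunk.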