Allow push only if own authentication is provided
parent
9a3beba6ab
commit
c1a433dc9c
|
@ -99,6 +99,8 @@ ENV ALLOW_OWN_AUTH="false"
|
|
|
# Should we allow actions different than pull, default to false.
|
# Should we allow actions different than pull, default to false.
|
ENV ALLOW_PUSH="false"
|
ENV ALLOW_PUSH="false"
|
|
# Should we allow push only with own authentication, default to false.
|
|
ENV ALLOW_PUSH_WITH_OWN_AUTH="false"
|
|
|
# Timeouts
|
# Timeouts
|
# ngx_http_core_module
|
# ngx_http_core_module
|
|
|
|
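Review bot: The comment on the new `ENV ALLOW_PUSH_WITH_OWN_AUTH` line does not say how it interacts with `ALLOW_PUSH`, and the entrypoint change on this page tests `ALLOW_PUSH` first, so the new flag is silently ignored whenever `ALLOW_PUSH` is true. I would extend the comment to `# Should we allow push only with own authentication, default to false. Ignored when ALLOW_PUSH is true.` so the precedence is visible where the defaults are set.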
@ -80,7 +80,8 @@ for this to work it requires inserting a root CA certificate into system trusted
|
- Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
|
- Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
|
- Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
|
- Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
|
- Env `ALLOW_OWN_AUTH` (default `false`): Allow overridding the `AUTH_REGISTRIES` authentication with own Docker credentials if provided (to support `docker login` as another user).
|
- Env `ALLOW_OWN_AUTH` (default `false`): Allow overridding the `AUTH_REGISTRIES` authentication with own Docker credentials if provided (to support `docker login` as another user).
|
- Env `ALLOW_PUSH` : This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
|
- Env `ALLOW_PUSH` (default `false`): This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
|
|
- Env `ALLOW_PUSH_WITH_OWN_AUTH` (default `false`): Allow bypassing the proxy when pushing only if own authentication is provided.
|
- Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
|
- Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
|
- Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.
|
- Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.
|
- Env `REGISTRIES`: space separated list of registries to cache; no need to include DockerHub, its already done internally.
|
- Env `REGISTRIES`: space separated list of registries to cache; no need to include DockerHub, its already done internally.
|
|
|
|
@ -156,6 +156,31 @@ if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
|
# only cache GET requests
|
# only cache GET requests
|
proxy_cache_methods GET;
|
proxy_cache_methods GET;
|
EOF
|
EOF
|
|
elif [[ "a${ALLOW_PUSH_WITH_OWN_AUTH}" == "atrue" ]]; then
|
|
cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
|
|
# Block POST/PUT/DELETE if own authentication is not provided.
|
|
set $combined_ha_rm "$http_authorization$request_method";
|
|
if ($combined_ha_rm = POST) {
|
|
return 405 "POST method is not allowed";
|
|
}
|
|
if ($combined_ha_rm = PUT) {
|
|
return 405 "PUT method is not allowed";
|
|
}
|
|
if ($combined_ha_rm = DELETE) {
|
|
return 405 "DELETE method is not allowed";
|
|
}
|
|
|
|
if ($http_authorization != "") {
|
|
# override with own authentication if provided
|
|
set $finalAuth $http_authorization;
|
|
}
|
|
|
|
# allow to upload big layers
|
|
client_max_body_size 0;
|
|
|
|
# only cache GET requests
|
|
proxy_cache_methods GET;
|
|
EOF
|
else
|
else
|
cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
|
cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
|
# Block POST/PUT/DELETE. Don't use this proxy for pushing.
|
# Block POST/PUT/DELETE. Don't use this proxy for pushing.
|
|
|
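Review bot: The new `ALLOW_PUSH_WITH_OWN_AUTH` branch only rejects POST, PUT and DELETE when no Authorization header is present, so a request using any other write method — the registry v2 API uses PATCH for chunked blob uploads — still goes upstream carrying the proxy's own `$finalAuth` credentials, which is exactly what the gate is meant to prevent. Add `if ($combined_ha_rm = PATCH) { return 405 "PATCH method is not allowed"; }` beside the other three (the pre-existing `else` branch below looks to have the same gap, judging by its comment), or better, invert the check into an allowlist of GET/HEAD. Separately, the `if ($http_authorization != "") { set $finalAuth $http_authorization; }` override applies to every request, not only pushes, so enabling this flag quietly turns on the behaviour that `ALLOW_OWN_AUTH` documents as default-off; the README entry for the new flag should say so. Only the presence of a non-empty Authorization value is checked here, so the upstream registry remains the real authorization point, and I cannot see from this hunk whether the `proxy_cache` key includes that header — worth confirming that a layer fetched with one user's credentials is not served from cache to another. The enclosing `if`/`elif`/`else` begins before the hunk and its `else` branch runs past it.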