From 02fe04c5bd3f925a49a47007c9fce7d1d302fa50 Mon Sep 17 00:00:00 2001 From: Mostowiec Dominik Date: Thu, 16 Aug 2018 14:51:10 +0200 Subject: [PATCH 1/7] add a short-lived cache for all requests in case of network problems in connection to AWS --- files/nginx.conf | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/files/nginx.conf b/files/nginx.conf index bcbaa25..be7cdb7 100644 --- a/files/nginx.conf +++ b/files/nginx.conf @@ -36,13 +36,19 @@ http { chunked_transfer_encoding on; # increases timeouts to avoid HTTP 504 - proxy_connect_timeout 300s; + proxy_connect_timeout 3s; proxy_read_timeout 300s; proxy_send_timeout 300s; send_timeout 300s; # disable proxy request buffering proxy_request_buffering off; + proxy_cache cache; + proxy_cache_key $scheme$uri$args$request_method; + proxy_cache_valid 200 1s; + proxy_cache_use_stale error timeout invalid_header updating + http_500 http_502 http_503 http_504; + proxy_cache_lock on; add_header "Access-Control-Allow-Origin" "*"; @@ -88,7 +94,7 @@ http { set $saved_redirect_location '$upstream_http_location'; proxy_pass $saved_redirect_location; proxy_cache cache; - proxy_cache_key $scheme$proxy_host$uri$request_method; + proxy_cache_key $scheme$uri$args$request_method; proxy_cache_valid 200 1y; proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; From 1ceb594aa4227e24d30465a4d243616bd397d0c6 Mon Sep 17 00:00:00 2001 From: Mostowiec Dominik Date: Fri, 17 Aug 2018 11:02:15 +0200 Subject: [PATCH 2/7] add ssl configuration posibility --- Dockerfile | 1 + files/nginx.conf | 4 +++- files/ssl.conf | 9 +++++++++ files/startup.sh | 12 ++++++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 files/ssl.conf diff --git a/Dockerfile b/Dockerfile index 8796e88..789c211 100644 --- a/Dockerfile +++ b/Dockerfile 
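Review bot: The http-level `proxy_cache cache;` added in the first hunk keys entries on `$scheme$uri$args$request_method` only, so a 200 fetched for one client is served to any other client requesting the same URI for the 1s window and, through `proxy_cache_use_stale ... updating`, for as long as a refresh is in flight; because the server block forwards the client's credential upstream (the context lines of patch 4 in this series show `proxy_set_header Authorization "Basic $http_authorization";`), one user's authorized response can be handed to another. Either add the credential to the key or skip caching for credentialed requests, e.g. `proxy_no_cache $http_authorization;` and `proxy_cache_bypass $http_authorization;`, or scope the cache to the content-addressed blob locations instead of the whole http block. The comment `# increases timeouts to avoid HTTP 504` now sits above `proxy_connect_timeout 3s;` and no longer describes it; reword it, e.g. `# fail fast on connect; keep long read/send timeouts to avoid HTTP 504`. The http block these hunks edit starts and ends outside them.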
@@ -13,6 +13,7 @@ COPY files/ecr.ini /etc/supervisor.d/ecr.ini COPY files/root /etc/crontabs/root COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf +COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf ENV PORT 5000 diff --git a/files/nginx.conf b/files/nginx.conf index be7cdb7..3e43514 100644 --- a/files/nginx.conf +++ b/files/nginx.conf @@ -18,11 +18,13 @@ http { # this is necessary for us to be able to disable request buffering in all cases proxy_http_version 1.1; + #SSLCONFIG + # will run before forking out nginx worker processes init_by_lua_block { require "cjson" } server { - listen PORT default_server; + listen LISTEN default_server; # Cache add_header X-Cache-Status $upstream_cache_status; diff --git a/files/ssl.conf b/files/ssl.conf new file mode 100644 index 0000000..af36dfe --- /dev/null +++ b/files/ssl.conf @@ -0,0 +1,9 @@ +ssl_certificate_key REGISTRY_HTTP_TLS_KEY; +ssl_certificate REGISTRY_HTTP_TLS_CERTIFICATE; + +ssl_protocols TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +ssl_prefer_server_ciphers on; + +add_header Strict-Transport-Security max-age=31536000; + diff --git a/files/startup.sh b/files/startup.sh index 7c5dadc..9bf66a9 100755 --- a/files/startup.sh +++ b/files/startup.sh 
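Review bot: `add_header Strict-Transport-Security max-age=31536000;` in the new files/ssl.conf will be silently dropped: the `#SSLCONFIG` placeholder that will `include` it sits at the http level, and nginx inherits `add_header` into a server or location only when that level defines no `add_header` of its own, which this server block does (`add_header X-Cache-Status ...` and `add_header "Access-Control-Allow-Origin" "*"` are visible in the series). Either move the placeholder into the server block next to the other `add_header` lines or put the HSTS line there directly; the `ssl_*` directives can stay at http level. The `listen LISTEN default_server;` placeholder is expanded before `PORT` in startup.sh, which is the right order, but a comment such as `# LISTEN is expanded by startup.sh to "$PORT [ssl]"` would make the two-stage substitution clear to the next reader. The server and http blocks extend beyond these hunks.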
@@ -36,11 +36,23 @@ echo Using cache max size $CACHE_MAX_SIZE CONFIG=/usr/local/openresty/nginx/conf/nginx.conf +ENABLESSL='' +SSLINCLUDE='' +SSLCONFIG=/usr/local/openresty/nginx/conf/ssl.conf +if [ ! -z "$REGISTRY_HTTP_TLS_CERTIFICATE" ] && [ ! -z "$REGISTRY_HTTP_TLS_KEY" ]; then + sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSLCONFIG + sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSLCONFIG + ENABLESSL='ssl' + SSLINCLUDE="include $SSLCONFIG;" +fi + # Update nginx config sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG +sed -i -e s!LISTEN!"$PORT $ENABLESSL"!g $CONFIG sed -i -e s!PORT!"$PORT"!g $CONFIG sed -i -e s!RESOLVER!"$RESOLVER"!g $CONFIG sed -i -e s!CACHE_MAX_SIZE!"$CACHE_MAX_SIZE"!g $CONFIG +sed -i -e s!#SSLCONFIG!"$SSLINCLUDE"!g $CONFIG # setup ~/.aws directory AWS_FOLDER='/root/.aws' From 253db3b4ae3fa043aa80a3ebe186d73f3bfa55f2 Mon Sep 17 00:00:00 2001 From: Mostowiec Dominik Date: Fri, 17 Aug 2018 14:09:46 +0200 Subject: [PATCH 3/7] add basic auth configuration possibility --- files/nginx.conf | 8 ++++++++ files/startup.sh | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/files/nginx.conf b/files/nginx.conf index 3e43514..8f676cf 100644 --- a/files/nginx.conf +++ b/files/nginx.conf @@ -23,9 +23,16 @@ http { # will run before forking out nginx worker processes init_by_lua_block { require "cjson" } + #https://docs.docker.com/registry/recipes/nginx/#setting-things-up + map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { + '' 'registry/2.0'; + } + server { listen LISTEN default_server; + #AUTHCONFIG + # Cache add_header X-Cache-Status $upstream_cache_status; proxy_temp_path /cache/temp 1 2; @@ -52,6 +59,7 @@ http { http_500 http_502 http_503 http_504; proxy_cache_lock on; + add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; add_header "Access-Control-Allow-Origin" "*"; location / { 
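Review bot: The certificate and key paths are spliced into sed substitutions unescaped (`sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSLCONFIG` and the key line below it), so a value containing `!`, `&` or `\` either breaks the command or, for `&`, re-inserts the placeholder text into ssl.conf. Since these are expected to be plain file paths, reject anything else before substituting, e.g. `case "$REGISTRY_HTTP_TLS_KEY$REGISTRY_HTTP_TLS_CERTIFICATE" in *[!A-Za-z0-9/._-]*) echo "TLS paths may only contain [A-Za-z0-9/._-]" >&2; exit 1;; esac`, and check both files are readable (`[ -r "$REGISTRY_HTTP_TLS_KEY" ]`) so nginx does not fail later at load time. The same unescaped pattern is repeated for `AUTHCONFIG` in the next commit and for the `CACHE_KEY`/`SSL_*` lines in commit 5 of this series. `[ ! -z ... ]` is more idiomatically written `[ -n ... ]`.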
diff --git a/files/startup.sh b/files/startup.sh index 9bf66a9..7ec0e3c 100755 --- a/files/startup.sh +++ b/files/startup.sh @@ -46,6 +46,11 @@ if [ ! -z "$REGISTRY_HTTP_TLS_CERTIFICATE" ] && [ ! -z "$REGISTRY_HTTP_TLS_KEY" SSLINCLUDE="include $SSLCONFIG;" fi +AUTHCONFIG='' +if [ ! -z "$REGISTRY_AUTH_HTPASSWD_PATH" ] && [ ! -z "$REGISTRY_AUTH_HTPASSWD_REALM" ]; then + AUTHCONFIG="auth_basic ${REGISTRY_AUTH_HTPASSWD_REALM};\n auth_basic_user_file ${REGISTRY_AUTH_HTPASSWD_PATH};" +fi + # Update nginx config sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG sed -i -e s!LISTEN!"$PORT $ENABLESSL"!g $CONFIG @@ -53,6 +58,7 @@ sed -i -e s!PORT!"$PORT"!g $CONFIG sed -i -e s!RESOLVER!"$RESOLVER"!g $CONFIG sed -i -e s!CACHE_MAX_SIZE!"$CACHE_MAX_SIZE"!g $CONFIG sed -i -e s!#SSLCONFIG!"$SSLINCLUDE"!g $CONFIG +sed -i -e s!#AUTHCONFIG!"$AUTHCONFIG"!g $CONFIG # setup ~/.aws directory AWS_FOLDER='/root/.aws' From a0b09c76339472043b6bae1fdc81a7b4f262c702 Mon Sep 17 00:00:00 2001 From: Piotr Kruk Date: Thu, 6 Sep 2018 11:20:29 +0200 Subject: [PATCH 4/7] reset authorization after logging and +x permissions --- Dockerfile | 1 + files/nginx.conf | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index 789c211..c550471 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,7 @@ COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf ENV PORT 5000 +RUN chmod a+x /startup.sh /renew_token.sh ENTRYPOINT ["/startup.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/files/nginx.conf b/files/nginx.conf index 8f676cf..0f319c4 100644 --- a/files/nginx.conf +++ b/files/nginx.conf @@ -73,6 +73,7 @@ http { proxy_set_header X-Forwarded-User "Basic $http_authorization"; proxy_set_header Authorization "Basic $http_authorization"; proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Authorization ""; } 
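Review bot: `AUTHCONFIG="auth_basic ${REGISTRY_AUTH_HTPASSWD_REALM};\n ..."` emits the realm unquoted, so a realm containing whitespace (any two-word realm) produces an `auth_basic` directive with too many parameters and the generated config fails to load; quote it in the generated directive, `AUTHCONFIG="auth_basic \"${REGISTRY_AUTH_HTPASSWD_REALM}\";\n auth_basic_user_file ${REGISTRY_AUTH_HTPASSWD_PATH};"`. The htpasswd path is not checked for existence or readability, so a wrong `REGISTRY_AUTH_HTPASSWD_PATH` is only discovered when the first request is rejected; a startup check `[ -r "$REGISTRY_AUTH_HTPASSWD_PATH" ] || { echo "htpasswd file not readable: $REGISTRY_AUTH_HTPASSWD_PATH" >&2; exit 1; }` surfaces it immediately. The literal `\n` in the replacement relies on the image's sed turning it into a newline, which appears to hold for GNU and busybox sed but deserves a comment on the sed line, `# sed expands the \n in $AUTHCONFIG to a newline`.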
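Review bot: `proxy_set_header Authorization "";` is added two lines after `proxy_set_header Authorization "Basic $http_authorization";` in the same location, so the block now carries two `proxy_set_header` directives for the same header at the same level; which value nginx sends upstream is not evident from reading the config, and if the intent is to stop forwarding the client credential the earlier line should be removed rather than shadowed. The `proxy_set_header X-Forwarded-User "Basic $http_authorization";` line above it still sends the client's Basic credential upstream in a custom header, so the "reset authorization" in the commit title is only partial unless that line changes too. The same pattern appears in the three nginx.conf hunks that follow in this commit. The enclosing `location /` starts outside the hunk.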
@@ -89,6 +90,7 @@ http { proxy_set_header X-Forwarded-User "Basic $http_authorization"; proxy_set_header Authorization "Basic $http_authorization"; proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Authorization ""; # When accessing image blobs using HTTP GET AWS ECR redirects with # s3 buckets uri to download the image. This needs to handled by @@ -113,6 +115,7 @@ http { location ~ ^/v2/.*/.*/tags/list+$ { # get paginated list of tags + proxy_set_header Authorization ""; content_by_lua_block { local location, tags, cjson = ngx.var.uri, {}, require "cjson" while true do @@ -144,6 +147,7 @@ http { internal; set_unescape_uri $req_uri $arg_req_uri; proxy_pass UPSTREAM$req_uri; + proxy_set_header Authorization ""; # Add AWS ECR authentication headers proxy_set_header X-Real-IP $remote_addr; From 14a90de6adb5a84753be98f6d62eecee3add5819 Mon Sep 17 00:00:00 2001 From: MQasimSarfraz Date: Mon, 2 Sep 2019 11:20:02 +0000 Subject: [PATCH 5/7] add support for SSL --- .gitignore | 2 + files/nginx.conf | 22 ++------ files/ssl.conf | 1 - files/startup.sh | 31 ++++++----- hosts | 2 +- roles/docker-registry-proxy/defaults/main.yml | 4 ++ .../files/certificate.pem | 32 ++++++++++++ roles/docker-registry-proxy/files/key.pem | 52 +++++++++++++++++++ roles/docker-registry-proxy/tasks/main.yaml | 26 +++++++++- 9 files changed, 135 insertions(+), 37 deletions(-) create mode 100644 .gitignore create mode 100644 roles/docker-registry-proxy/files/certificate.pem create mode 100644 roles/docker-registry-proxy/files/key.pem diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bc40480 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +/dev +/*.retry diff --git a/files/nginx.conf b/files/nginx.conf index 0f319c4..85a6a2f 100644 --- a/files/nginx.conf +++ b/files/nginx.conf 
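Review bot: In the `location ~ ^/v2/.*/.*/tags/list+$` hunk the new `proxy_set_header Authorization "";` sits in a location served by `content_by_lua_block`, with no `proxy_pass` visible in it, so the directive appears to have no effect there; the subrequests are handled by the `internal` location in the last hunk, which receives the same line in this commit, making this copy redundant unless the location also proxies outside the visible lines. If it is meant to document intent, a comment such as `# upstream auth is set in the internal proxy location; the client Authorization header is not forwarded` reads better than an inert directive. Both locations continue outside their hunks.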
@@ -18,8 +18,6 @@ http { # this is necessary for us to be able to disable request buffering in all cases proxy_http_version 1.1; - #SSLCONFIG - # will run before forking out nginx worker processes init_by_lua_block { require "cjson" } @@ -29,9 +27,9 @@ http { } server { - listen LISTEN default_server; + listen PORT SSL_LISTEN default_server; - #AUTHCONFIG + SSL_INCLUDE # Cache add_header X-Cache-Status $upstream_cache_status; @@ -52,12 +50,6 @@ http { # disable proxy request buffering proxy_request_buffering off; - proxy_cache cache; - proxy_cache_key $scheme$uri$args$request_method; - proxy_cache_valid 200 1s; - proxy_cache_use_stale error timeout invalid_header updating - http_500 http_502 http_503 http_504; - proxy_cache_lock on; add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; add_header "Access-Control-Allow-Origin" "*"; @@ -65,7 +57,7 @@ http { location / { set $url UPSTREAM; proxy_pass $url; - proxy_redirect $url http://$host:PORT; + proxy_redirect $url SCHEME://$host:PORT; # Add AWS ECR authentication headers proxy_set_header X-Real-IP $remote_addr; @@ -73,7 +65,6 @@ http { proxy_set_header X-Forwarded-User "Basic $http_authorization"; proxy_set_header Authorization "Basic $http_authorization"; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Authorization ""; } @@ -82,7 +73,7 @@ http { location ~ ^/v2/.*/blobs/[a-z0-9]+:[a-f0-9]+$ { set $url UPSTREAM; proxy_pass $url; - proxy_redirect $url http://$host:PORT; + proxy_redirect $url SCHEME://$host:PORT; # Add AWS ECR authentication headers proxy_set_header X-Real-IP $remote_addr; @@ -90,7 +81,6 @@ http { proxy_set_header X-Forwarded-User "Basic $http_authorization"; proxy_set_header Authorization "Basic $http_authorization"; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Authorization ""; # When accessing image blobs using HTTP GET AWS ECR redirects with # s3 buckets uri to download the image. This needs to handled by 
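Review bot: The second hunk replaces the `#AUTHCONFIG` placeholder in the server block with `SSL_INCLUDE` and nothing re-adds it, so the `auth_basic` support introduced earlier in this series disappears from the generated config; the startup.sh hunk of the same commit drops the matching `AUTHCONFIG` substitution, so the two stay consistent, but `REGISTRY_AUTH_HTPASSWD_PATH`/`REGISTRY_AUTH_HTPASSWD_REALM` are now silently ignored and the commit message ("add support for SSL") does not mention the removal. Either keep the placeholder alongside `SSL_INCLUDE` or record the removal in the README table, so an operator does not believe the proxy is password-protected when it is not. Moving the `include` into the server block does have the side benefit that the `Strict-Transport-Security` header from ssl.conf is now at the same level as the other `add_header` directives and is therefore emitted. The server block starts and ends outside these hunks.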
@@ -106,7 +96,7 @@ http { set $saved_redirect_location '$upstream_http_location'; proxy_pass $saved_redirect_location; proxy_cache cache; - proxy_cache_key $scheme$uri$args$request_method; + proxy_cache_key CACHE_KEY; proxy_cache_valid 200 1y; proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; @@ -115,7 +105,6 @@ http { location ~ ^/v2/.*/.*/tags/list+$ { # get paginated list of tags - proxy_set_header Authorization ""; content_by_lua_block { local location, tags, cjson = ngx.var.uri, {}, require "cjson" while true do @@ -147,7 +136,6 @@ http { internal; set_unescape_uri $req_uri $arg_req_uri; proxy_pass UPSTREAM$req_uri; - proxy_set_header Authorization ""; # Add AWS ECR authentication headers proxy_set_header X-Real-IP $remote_addr; diff --git a/files/ssl.conf b/files/ssl.conf index af36dfe..5ef014f 100644 --- a/files/ssl.conf +++ b/files/ssl.conf @@ -6,4 +6,3 @@ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECD ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=31536000; - diff --git a/files/startup.sh b/files/startup.sh index 7ec0e3c..2b5f13c 100755 --- a/files/startup.sh +++ b/files/startup.sh 
@@ -34,31 +34,30 @@ echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short ${UPSTREAM_WITHOUT_PO CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g} echo Using cache max size $CACHE_MAX_SIZE -CONFIG=/usr/local/openresty/nginx/conf/nginx.conf +CACHE_KEY=${CACHE_KEY:='$scheme$uri$request_method'} +echo Using cache key $CACHE_KEY -ENABLESSL='' -SSLINCLUDE='' -SSLCONFIG=/usr/local/openresty/nginx/conf/ssl.conf -if [ ! -z "$REGISTRY_HTTP_TLS_CERTIFICATE" ] && [ ! -z "$REGISTRY_HTTP_TLS_KEY" ]; then - sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSLCONFIG - sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSLCONFIG - ENABLESSL='ssl' - SSLINCLUDE="include $SSLCONFIG;" -fi +SCHEME=http +CONFIG=/usr/local/openresty/nginx/conf/nginx.conf +SSL_CONFIG=/usr/local/openresty/nginx/conf/ssl.conf -AUTHCONFIG='' -if [ ! -z "$REGISTRY_AUTH_HTPASSWD_PATH" ] && [ ! -z "$REGISTRY_AUTH_HTPASSWD_REALM" ]; then - AUTHCONFIG="auth_basic ${REGISTRY_AUTH_HTPASSWD_REALM};\n auth_basic_user_file ${REGISTRY_AUTH_HTPASSWD_PATH};" +if [ "$ENABLE_SSL" ]; then + sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSL_CONFIG + sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSL_CONFIG + SSL_LISTEN="ssl" + SSL_INCLUDE="include $SSL_CONFIG;" + SCHEME="https" fi # Update nginx config sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG -sed -i -e s!LISTEN!"$PORT $ENABLESSL"!g $CONFIG sed -i -e s!PORT!"$PORT"!g $CONFIG sed -i -e s!RESOLVER!"$RESOLVER"!g $CONFIG sed -i -e s!CACHE_MAX_SIZE!"$CACHE_MAX_SIZE"!g $CONFIG -sed -i -e s!#SSLCONFIG!"$SSLINCLUDE"!g $CONFIG -sed -i -e s!#AUTHCONFIG!"$AUTHCONFIG"!g $CONFIG +sed -i -e s!CACHE_KEY!"$CACHE_KEY"!g $CONFIG +sed -i -e s!SCHEME!"$SCHEME"!g $CONFIG +sed -i -e s!SSL_INCLUDE!"$SSL_INCLUDE"!g $CONFIG +sed -i -e s!SSL_LISTEN!"$SSL_LISTEN"!g $CONFIG # setup ~/.aws directory AWS_FOLDER='/root/.aws' diff --git a/hosts b/hosts index 605bbc4..1509c55 100644 --- a/hosts +++ b/hosts 
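Review bot: `if [ "$ENABLE_SSL" ]; then` enables TLS for any non-empty value, including `ENABLE_SSL=false`, which the README in this series documents as the default; with no certificate paths set the generated ssl.conf points at empty `ssl_certificate`/`ssl_certificate_key` values and the container is likely to fail to start. Compare the string explicitly, `if [ "$ENABLE_SSL" = "true" ]; then`, and restore the presence check the previous version had, e.g. `[ -r "$REGISTRY_HTTP_TLS_KEY" ] && [ -r "$REGISTRY_HTTP_TLS_CERTIFICATE" ] || { echo "ENABLE_SSL set but TLS key/cert not readable" >&2; exit 1; }`. `SSL_LISTEN` and `SSL_INCLUDE` are also no longer initialised before the `if`, so same-named variables already present in the container environment would be substituted into nginx.conf; `SSL_LISTEN=''` and `SSL_INCLUDE=''` above the condition restore the earlier behaviour.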
@@ -1,2 +1,2 @@ [docker-registry-proxy] -registry-proxy.example.com +localhost ansible_connection=local diff --git a/roles/docker-registry-proxy/defaults/main.yml b/roles/docker-registry-proxy/defaults/main.yml index fcc7c81..be04130 100644 --- a/roles/docker-registry-proxy/defaults/main.yml +++ b/roles/docker-registry-proxy/defaults/main.yml @@ -8,3 +8,7 @@ docker_proxy_backend_resolver: "8.8.8.8" docker_proxy_ecr_access_id: docker_proxy_ecr_secret_key: docker_proxy_ecr_region: + +docker_proxy_ssl_enabled: +docker_proxy_ssl_host_path: /registry +docker_proxy_ssl_container_path: /opt/nginx diff --git a/roles/docker-registry-proxy/files/certificate.pem b/roles/docker-registry-proxy/files/certificate.pem new file mode 100644 index 0000000..fc3fc52 --- /dev/null +++ b/roles/docker-registry-proxy/files/certificate.pem 
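Review bot: `docker_proxy_ssl_enabled:` is declared with no value, so every `docker_proxy_ssl_enabled | bool` test in tasks/main.yaml is evaluated on a null; that behaves as false today but is implicit and may be rejected by stricter boolean coercion in newer Ansible releases. Give it an explicit default, `docker_proxy_ssl_enabled: false`, matching the `ENABLE_SSL` default documented in the README. The `hosts` change to `localhost ansible_connection=local` turns the example inventory into a local-run one; if that is the intended shipped default, a comment line in the file saying so would help.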
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFcTCCA1mgAwIBAgIJALWdZASytQRkMA0GCSqGSIb3DQEBCwUAME8xCzAJBgNV +BAYTAkRFMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxFTATBgNVBAoMDGVTYWlsb3Jz +IExURDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDkwMjA4NTYzNloXDTI5MDgz +MDA4NTYzNlowTzELMAkGA1UEBhMCREUxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEV +MBMGA1UECgwMZVNhaWxvcnMgTFREMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrznLzCWlKJO4fXD/E8hx4cXUqbd9U +VwpcAzWq3xGjC6gettYSp171elDXj23ddDJ1wwOl2U0bjN/DceRCl4Tnb3O86fzt +Bwj8xA/stYGvZQqOvEhSfFh85qvDf1niu2uW1Zx4kMemUvNdhpXsqa9RPSu0Mb0G +ZeHnCQkuz3KTjUMhQqwomg/6BY4G7tDmCZYsZezGSgAgoa+Q4vffW+H8S9nuKi8o +EXUf9NuJHUTjtdgcVcCihPj54jXAQsqS9JzWSWxDnKxTaOZuRWEkG+vqGoKEL5+q +PeH8x8aAM7wErsdxTqTV4XCJU0nS9om1Z6sz0Lrva/loyKciulTO8jYWqZIuBL8J +GVeizcoYl9KcW8I66XkeuYWlNWCsWhGii7zEWVcXDdSuLCv1wLagRE9MJHoT64nd +KAR2UQml/MSPlz8419K4r87hcVmNU6FFBP2RZO7UGW5eHbbKT+whhDdBTaig2NNL +Ml7pVFq6ciemNr6IVsTuzS0VPJpuOoZa86+6UPqgw49jg4cBlKxgJxanDy2a2Hbm +zx2dPAkbz3kMKDeBmgFzk3xt10czPXvIXUSnJdhi8NdQUCBHdu9yjT3s7Cc12NCQ +3H0NPWUklHlqJrPY9IbGnNrmJblwZ7hyrI3eISV9njQf3etL2QdDXksLJpgeQsv7 +vcXEBje+aluNqQIDAQABo1AwTjAdBgNVHQ4EFgQUyBLOw8nyo6W4BJWI9L24TTta +RbcwHwYDVR0jBBgwFoAUyBLOw8nyo6W4BJWI9L24TTtaRbcwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAgEAkYdRTaZuVAcxY1MI7V8PVnvTDxJ1izAWsr2W +aQMSX0UxAZ/Aed+Q056Ya50/x5ffSigHY5Dap4eP36i/4+dhIeoaMpRjlz/sWCb5 +fE6judBvrMlMwrnKpi/eN0QC1KiCptPbPVPyonRj1ydrvQTPPDxLSeqgzCn3q5kf +Gb6VlPDhj/CmIoVXkA9gYNlCwSpZ49DJJ2gTmI+MXolXnlZCvXuR+VsgTsjn96vH +j0AczAZ+g7gD8XTl/K9Z/gcs06DcmMonYrgOGuaFDDiEuBwgABo8gajCFg4xwxi2 +bw7B+opMrOXH9ZGhaoF2eySDGXXgw7TLRqkGXDghZNzWajnGuN7vSaiQfnr0EmW+ +020gJDDUZyc9Ky165SQe3Bfin1cLc2W6mZYmV9lDtUYw80Gth52L9uOiEBIbV6mI +ZBZFyslxQ7IYWOxseoU9xrxzscTtxa+MGs47w6Hzxh38zYPe/I0Yt62yMRtUmJJ7 +ebQZti7qLeW+QOZAruUzei7fpOZOrq8vy4GBUm0pkg8eOVdDaCAQAWMwaGaHH9/5 +q+AvDLjvR6zvJdV2dxA3XsVmcIA45zOA2mZkRrcTWyf5DZ7bDcQvSnd7R4anv3hG +YJXeKyzcI7SWfMxo0hU6p9fv66xYn6x9d5oA/ZU/5XRn1bFL7kuKj7BmB+LcS0BE +XipqaCA= +-----END CERTIFICATE----- 
diff --git a/roles/docker-registry-proxy/files/key.pem b/roles/docker-registry-proxy/files/key.pem new file mode 100644 index 0000000..5d88119 --- /dev/null +++ b/roles/docker-registry-proxy/files/key.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCrznLzCWlKJO4f +XD/E8hx4cXUqbd9UVwpcAzWq3xGjC6gettYSp171elDXj23ddDJ1wwOl2U0bjN/D +ceRCl4Tnb3O86fztBwj8xA/stYGvZQqOvEhSfFh85qvDf1niu2uW1Zx4kMemUvNd +hpXsqa9RPSu0Mb0GZeHnCQkuz3KTjUMhQqwomg/6BY4G7tDmCZYsZezGSgAgoa+Q +4vffW+H8S9nuKi8oEXUf9NuJHUTjtdgcVcCihPj54jXAQsqS9JzWSWxDnKxTaOZu +RWEkG+vqGoKEL5+qPeH8x8aAM7wErsdxTqTV4XCJU0nS9om1Z6sz0Lrva/loyKci +ulTO8jYWqZIuBL8JGVeizcoYl9KcW8I66XkeuYWlNWCsWhGii7zEWVcXDdSuLCv1 +wLagRE9MJHoT64ndKAR2UQml/MSPlz8419K4r87hcVmNU6FFBP2RZO7UGW5eHbbK +T+whhDdBTaig2NNLMl7pVFq6ciemNr6IVsTuzS0VPJpuOoZa86+6UPqgw49jg4cB +lKxgJxanDy2a2Hbmzx2dPAkbz3kMKDeBmgFzk3xt10czPXvIXUSnJdhi8NdQUCBH +du9yjT3s7Cc12NCQ3H0NPWUklHlqJrPY9IbGnNrmJblwZ7hyrI3eISV9njQf3etL +2QdDXksLJpgeQsv7vcXEBje+aluNqQIDAQABAoICAQCjIxe3expFUyfhE2FiC1vJ +akKNFWNY3IVztYCCTeqbXXg4IfjIIbFjes/Ev+bcv3cipxiRpPM4092t4jmSmfmT +IRtPKQgHsgRwr2NHq1oHR/RscJBj8rq7bvVuX0DksH6K7S70tNU/M8ju59r4rG9S +vrj/E7OfnaKSFNxpXIY5YYt6y6pZq2C8UgX4w1AM/tFgOzBHYQEZ+y2QcFRZ/Q9q +2EOJiPjaHSmQPJsxaV9+sa8RyMNwDr+z136en01nmWpLd9CbqutfEF6uGqcQ+Ipc +8us3xVjg+H3b3363QWipMaUkDD8s8DJB05pn/b3pSRUh0HOQ4IAlZVJ/AVuCXi/I +amEVq5hClLL16OhyM4u/50BxSn673jNCi3uRPxcJlnR0cFy8u6XEs8rbU1ezxlz3 +SJBpTfXyvvWhNdvEQzNy+AOf8XQLzKgcnoLYYx9nhFUBv3pSU+7hW11RKmjHSu9v +0NNcUGq+Ig3QTB/4CTM1YJ/usL9kVdJY+tK1wVKHiIm0O58fcyrfN05kUpqJ5NMg +4ByeXkm8JR8A9jiNmJy/bBuFEIXTsxalsQjonGw4WHcRZCke0eqMSOgzp50CNad2 +NIRqNWD0EInTatXtjTQ+zbCkDoUdgW4NhCnmf4OxVLEpKIYFw/y1271mVZp9zbYU +aAfaTXi/mZ+hAspQlTOPAQKCAQEA3BhyO90ACUtKbbBPwUVgEHxtsKZ1lyIgyGMQ +D8PDh+ixdvRYD4m4rewTzY346kaEPcWzjKUp2sU0G1/moBQWLBb9gKyBll8LKSNG +yA5MAMENyI9rIFpzOoJkkTrnu8iwIPXjVgAShrRqBa+eKAa5XEOR6x+L5UhIEZIQ +mfCqyPAKKieODiykqqmDURCadRC3LrIbjDSdnX6VEMS7Sun6pNRz7s1u5CYnLQGZ +QhZeRMkcdmYuAThfwWpX/GdtIxqM08jWX9RFKpMiSisKX8YsXv0W0IbesuDj/bkc +4BQou03sEUJxC6P8O+jiKtOkygwTdqmjIpDRf1EHiPGibv+f+QKCAQEAx9VfJ/5e +zmLWwEEqSxpwWpMQdB5ir68VjnnvFNDVms/XVHr/EV7TuI092cXJdntqqynCZGBA 
+IP1Wv2eSqGibIyOXdbTXv1qWmSxZdeECIj11vtRQ5etK977/F0llNYav6WAn3pDp +0IRzofaD6SEFhTJKoGiv86gFcqm2tO4lrTU1B30KnqKfYER6mUdBwto///Rwrpoy +B5+EWbrjJmKOqKuXP+M/YnlQXeBtyVHlQlaog2sea9OSCJEbTrmkZqJ1ZXmBH8T+ +D91QOF+5rxPVKLG5Ybnfen7Fu3dHAotD8WM77iQR+EDmffvrxS+ddZUXzINS9jml +kKkaG9zOvEcnMQKCAQEAyIo1u7nYSJ+jh2I4qT9PEnZtc6GYT0a3XB53CgYzaOhq +mpp0imPQNBiAyrBrdvsdjzNOL/5lroI0wiSVfJIQyceA3/dOc/bRsoAEBFCSi7Vb +m7yhvW7swwkAHRvw/bcUVFP2+etC9h345Ilpr8rApgKjN/sceqNrlybhnYId+sxM +VrCHzP58Y0vk7L4WHkhGwHNkilF+s3wc0pSOmumqiPlTUOk5+wOQen+UZxT+e+pK +1s6vaEk3ZoJA/Sg31t5gJrA+ND6zbuF1QuMIps9oqnwsh3/79jzXP92lI776hf+v +8uH5IsQeFXBScvc4lSh/q4VRsTMGz9zC4tJYUI718QKB/3qNYM4mMf5gn1NIo6dr +j3v8tRqBiAQ2XAIExZr+eAF5dZVZ2RPOFAoalNP5eJQxHDncYlssrCePNqQr4MVn +Yb0rFrgZMDcqVzGZAURJugVFq/BcRUC8DD3j5I1jda5d64Q0dD8KoFpA4KlzhXJz +ze7h6OJ3UXEcmjq32lUbt/+BogP1q42eLh/b31QhXzMgph9SychKyGPkcEaXVrcz +ukm28gs8UqMRwzfPa4ULtI36l14BU6bNGcInO5gMQcav209gNNBG/4i7MXdhPX8h +qphKZmaIl4WIObu+as4kmoZvVVG2zU5yfujEltNXYDm8Ndw2rapTsDYHfvuXbzII +cQKCAQBW3LAfFAkmu1+NJBXYt86rftOF+VSNWkN1/YkPwIMX1y647aVMGMegr7yF +xUh1DSQQAuD2ACzII1ufoUWRrhdCMsgr3o9b0ApCXQwTaaFsZjGIr33bsnqNHW3e +FJEfTrNW5PLTkkEjJQH0N/6W0TRowjpYSpgRz/fpJjdFLmQ1A+RLVoyHCVq/Qhzj +Ywk6hsYjI432aebdFH8pqWl8Hhcq6DW9jAyKkuVnX/p60OZ6tp6cZ75nIj7bdB7W +zcrUs4/igRY8HUwZlQJK5X2D+LWuN1Ag8DBbbjOmqziKDBikV/GmOcuCRgltckrT +UFg2hiaXvnBuMgGHodqIzeQarqKv +-----END PRIVATE KEY----- diff --git a/roles/docker-registry-proxy/tasks/main.yaml b/roles/docker-registry-proxy/tasks/main.yaml index 0f0f88a..4b84cf5 100644 --- a/roles/docker-registry-proxy/tasks/main.yaml +++ b/roles/docker-registry-proxy/tasks/main.yaml 
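Review bot: `roles/docker-registry-proxy/files/key.pem` places a TLS private key under version control, and the README in this series tells operators to overwrite these files with their valid certificate and key, so the production key would become a tracked file too. Even as a self-signed placeholder it should not live in git: add `*.pem` to the new .gitignore, supply the key through an ansible-vault variable or a host path outside the repository, and let the copy task fail clearly when the file is absent. If a development certificate is kept for local runs, name it so it cannot be mistaken for a real one, e.g. `dev-selfsigned.pem`, and state in the README that it is for local testing only.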
@@ -2,6 +2,16 @@ become: true file: path={{ docker_proxy_cache_path }} state=directory mode=0755 recurse=true +- name: Copy the ssl certificates + become: true + copy: + src: "{{ item }}" + dest: "{{ docker_proxy_ssl_host_path }}/{{ item }}" + with_items: + - certificate.pem + - key.pem + when: docker_proxy_ssl_enabled | bool + - name: Print current cache directory size information become: true command: du -hs {{ docker_proxy_cache_path }} @@ -10,6 +20,8 @@ become: true command: > docker pull esailors/aws-ecr-http-proxy:{{ docker_proxy_version }} + tags: + - pull-image - name: Remove previous proxy container become: true @@ -29,11 +41,21 @@ --net host --restart=unless-stopped - -v {{ docker_proxy_cache_path }}:/cache + -v {{ docker_proxy_cache_path }}:/cache + + {% if docker_proxy_ssl_enabled | bool %} + -v {{ docker_proxy_ssl_host_path }}/certificate.pem:{{ docker_proxy_ssl_container_path }}/certificate.pem + -v {{ docker_proxy_ssl_host_path }}/key.pem:{{ docker_proxy_ssl_container_path }}/key.pem + + -e ENABLE_SSL=true + -e REGISTRY_HTTP_TLS_KEY={{ docker_proxy_ssl_container_path }}/key.pem + -e REGISTRY_HTTP_TLS_CERTIFICATE={{ docker_proxy_ssl_container_path }}/certificate.pem + {% endif %} + -e RESOLVER={{ docker_proxy_backend_resolver }} -e PORT=5000 -e UPSTREAM={{ docker_proxy_backend_schema }}://{{ docker_proxy_backend }} - -e CACHE_MAX_SIZE={{ docker_proxy_cache_limit }} + -e CACHE_MAX_SIZE={{ docker_proxy_cache_limit }} -e AWS_ACCESS_KEY_ID={{ docker_proxy_ecr_access_id }} -e AWS_SECRET_ACCESS_KEY={{ docker_proxy_ecr_secret_key }} -e AWS_REGION={{ docker_proxy_ecr_region }} From 4e3b6b881bb10cb65e778913e7a06884618346d8 Mon Sep 17 00:00:00 2001 From: MQasimSarfraz Date: Mon, 2 Sep 2019 13:49:11 +0000 Subject: [PATCH 6/7] Update README.md --- README.md | 59 ++++++++++++++++++++++++++++++++++-------------- files/startup.sh | 2 +- 2 files changed, 43 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 4355480..7424e77 100644 --- a/README.md 
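Review bot: The new `Copy the ssl certificates` task copies `key.pem` with no `mode:` or `owner:`, so the private key lands in `{{ docker_proxy_ssl_host_path }}` with Ansible's default permissions, which are typically readable by every user on the host. Restrict the key and keep it out of logs: `mode: '0600'`, `owner: root`, `no_log: true` (the certificate can stay readable, so a separate task for it is reasonable). `docker_proxy_ssl_host_path` defaults to `/registry` while the README example mounts `/registry/local-storage/cache` from the same tree, so the key and the cache share a parent directory; a dedicated directory such as `{{ docker_proxy_ssl_host_path }}/tls` keeps them apart.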
+++ b/README.md @@ -1,20 +1,40 @@ -aws-ecr-http-proxy -=========== - -A very simple nginx proxy that forwards requests to AWS ECR and caches the responses locally. - -Run it like this, replace UPSTREAM with your target address with following required params: -- `AWS_REGION` -- `AWS_ACCESS_KEY_ID` -- `AWS_SECRET_ACCESS_KEY` - -It is also possible to define `CACHE_MAX_SIZE` env to limit maximum cache size on provided volume - -For example: +

+ + + + + + + +

+ +# aws-ecr-http-proxy + +A very simple nginx push/pull proxy that forwards requests to AWS ECR and caches the responses locally. + +### Configuration: +The proxy is packaged in a docker container and can be configured with following environment variables: + +| Environment Variable | Description | Status | Default | +| :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: | +| `AWS_REGION` | AWS Region for AWS ECR | Required | | +| `AWS_ACCESS_KEY_ID` | AWS Account Access ID | Required | | +| `AWS_SECRET_ACCESS_KEY` | AWS Account Secret Key | Required | | +| `RESOLVER` | DNS server to used by proxy | Required | | +| `PORT` | Port on which proxy listens | Required | | +| `CACHE_MAX_SIZE` | Maximum size for cache volume | Optional | `75g` | +| `CACHE_KEY` | Key to be used for images content/blobs | Optional | `$uri` | +| `ENABLE_SSL` | Used to enable SSL/TLS for proxy | Optional | `false` | +| `REGISTRY_HTTP_TLS_KEY` | Path to TLS key in the container | Required with TLS | | +| `REGISTRY_HTTP_TLS_CERTIFICATE` | Path to TLS cert in the container | Required with TLS | | + +### Example: ```sh docker run --rm --name docker-registry-proxy --net=host \ - -v /local-storage/cache:/cache \ + -v /registry/local-storage/cache:/cache \ + -v /registry/certificate.pem:/opt/ssl/certificate.pem + -v /registry/key.pem:/opt/ssl/key.pem -e PORT=5000 \ -e RESOLVER=8.8.8.8 \ -e UPSTREAM=https://XXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com \ @@ -22,6 +42,9 @@ docker run --rm --name docker-registry-proxy --net=host \ -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ -e AWS_REGION=${AWS_DEFAULT_REGION} \ -e CACHE_MAX_SIZE=100g \ + -e ENABLE_SSL=true \ + -e REGISTRY_HTTP_TLS_KEY=/opt/ssl/key.pem \ + -e REGISTRY_HTTP_TLS_CERTIFICATE=/opt/ssl/certificate.pem esailors/aws-ecr-http-proxy:latest ``` 
@@ -32,7 +55,9 @@ Modify the ansible role variables according to your need and run the playbook as ```sh ansible-playbook -i hosts playbook-docker-registry-proxy.yaml ``` -The docker registry for project is available [here](https://hub.docker.com/r/esailors/aws-ecr-http-proxy) +In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in `roles/docker-registry-proxy/files/*.pem` -### Note -The proxy has `HTTP` endpoint so in order to avoid docker client complaining about it either mark the registry host as insecure in your [deamon config](https://docs.docker.com/registry/insecure/) or add [SSL/TLS termination](https://docs.docker.com/registry/recipes/nginx) +### Note on SSL/TLS +The proxy is using `HTTP` (plain text) as default protocol for now. So in order to avoid docker client complaining either: + - (**Recommended**) Enable SSL/TLS using `ENABLE_SSL` configuration. For that you will have to mount your **valid** certificate/key in the container and pass the paths using `REGISTRY_HTTP_TLS_*` variables. + - Mark the registry host as insecure in your [deamon config](https://docs.docker.com/registry/insecure/). diff --git a/files/startup.sh b/files/startup.sh index 2b5f13c..9424cf7 100755 --- a/files/startup.sh +++ b/files/startup.sh @@ -34,7 +34,7 @@ echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short ${UPSTREAM_WITHOUT_PO CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g} echo Using cache max size $CACHE_MAX_SIZE -CACHE_KEY=${CACHE_KEY:='$scheme$uri$request_method'} +CACHE_KEY=${CACHE_KEY:='$uri'} echo Using cache key $CACHE_KEY SCHEME=http From c901e8cda674beb62cfde3550c9a8725594dec76 Mon Sep 17 00:00:00 2001 From: MQasimSarfraz Date: Tue, 3 Sep 2019 08:27:11 +0000 Subject: [PATCH 7/7] Fix README.md --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 7424e77..279a52e 100644 --- a/README.md +++ b/README.md 
@@ -18,12 +18,13 @@ The proxy is packaged in a docker container and can be configured with following | Environment Variable | Description | Status | Default | | :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: | | `AWS_REGION` | AWS Region for AWS ECR | Required | | -| `AWS_ACCESS_KEY_ID` | AWS Account Access ID | Required | | -| `AWS_SECRET_ACCESS_KEY` | AWS Account Secret Key | Required | | -| `RESOLVER` | DNS server to used by proxy | Required | | +| `AWS_ACCESS_KEY_ID` | AWS Account Access Key ID | Required | | +| `AWS_SECRET_ACCESS_KEY` | AWS Account Secret Access Key | Required | | +| `UPSTREAM` | URL for AWS ECR | Required | | +| `RESOLVER` | DNS server to be used by proxy | Required | | | `PORT` | Port on which proxy listens | Required | | | `CACHE_MAX_SIZE` | Maximum size for cache volume | Optional | `75g` | -| `CACHE_KEY` | Key to be used for images content/blobs | Optional | `$uri` | +| `CACHE_KEY` | Cache key used for the content by nginx | Optional | `$uri` | | `ENABLE_SSL` | Used to enable SSL/TLS for proxy | Optional | `false` | | `REGISTRY_HTTP_TLS_KEY` | Path to TLS key in the container | Required with TLS | | | `REGISTRY_HTTP_TLS_CERTIFICATE` | Path to TLS cert in the container | Required with TLS | | 
@@ -51,13 +52,13 @@ docker run --rm --name docker-registry-proxy --net=host \ If you ran this command on "registry-proxy.example.com" you can now get your images using `docker pull registry-proxy.example.com:5000/repo/image`. ### Deploying the proxy -Modify the ansible role variables according to your need and run the playbook as follow: +Modify the ansible role [variables](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/defaults) according to your need and run the playbook as follow: ```sh ansible-playbook -i hosts playbook-docker-registry-proxy.yaml ``` -In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in `roles/docker-registry-proxy/files/*.pem` +In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in [roles/docker-registry-proxy/files/*.pem](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/files) ### Note on SSL/TLS The proxy is using `HTTP` (plain text) as default protocol for now. So in order to avoid docker client complaining either: - (**Recommended**) Enable SSL/TLS using `ENABLE_SSL` configuration. For that you will have to mount your **valid** certificate/key in the container and pass the paths using `REGISTRY_HTTP_TLS_*` variables. - - Mark the registry host as insecure in your [deamon config](https://docs.docker.com/registry/insecure/). + - Mark the registry host as insecure in your client [deamon config](https://docs.docker.com/registry/insecure/).