Skip to content

Commit 72c33d8

Browse files
pkrukpkruk
authored
Merge pull request #3 from DreamLab/add_ssl_and_base_auth_conf
Add ssl and base auth conf
2 parents 6e4d401 + 253db3b commit 72c33d8

File tree

4 files changed

+39
-1
lines changed

4 files changed

+39
-1
lines changed

Dockerfile

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ COPY files/ecr.ini /etc/supervisor.d/ecr.ini
1313
COPY files/root /etc/crontabs/root
1414

1515
COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
16+
COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf
1617

1718
ENV PORT 5000
1819

files/nginx.conf

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,11 +18,20 @@ http {
1818
# this is necessary for us to be able to disable request buffering in all cases
1919
proxy_http_version 1.1;
2020

21+
#SSLCONFIG
22+
2123
# will run before forking out nginx worker processes
2224
init_by_lua_block { require "cjson" }
2325

26+
#https://docs.docker.com/registry/recipes/nginx/#setting-things-up
27+
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
28+
'' 'registry/2.0';
29+
}
30+
2431
server {
25-
listen PORT default_server;
32+
listen LISTEN default_server;
33+
34+
#AUTHCONFIG
2635

2736
# Cache
2837
add_header X-Cache-Status $upstream_cache_status;
@@ -50,6 +59,7 @@ http {
5059
http_500 http_502 http_503 http_504;
5160
proxy_cache_lock on;
5261

62+
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
5363
add_header "Access-Control-Allow-Origin" "*";
5464

5565
location / {

files/ssl.conf

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
ssl_certificate_key REGISTRY_HTTP_TLS_KEY;
2+
ssl_certificate REGISTRY_HTTP_TLS_CERTIFICATE;
3+
4+
ssl_protocols TLSv1.2;
5+
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
6+
ssl_prefer_server_ciphers on;
7+
8+
add_header Strict-Transport-Security max-age=31536000;
9+

files/startup.sh

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,11 +36,29 @@ echo Using cache max size $CACHE_MAX_SIZE
3636

3737
CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
3838

39+
ENABLESSL=''
40+
SSLINCLUDE=''
41+
SSLCONFIG=/usr/local/openresty/nginx/conf/ssl.conf
42+
if [ ! -z "$REGISTRY_HTTP_TLS_CERTIFICATE" ] && [ ! -z "$REGISTRY_HTTP_TLS_KEY" ]; then
43+
sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSLCONFIG
44+
sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSLCONFIG
45+
ENABLESSL='ssl'
46+
SSLINCLUDE="include $SSLCONFIG;"
47+
fi
48+
49+
AUTHCONFIG=''
50+
if [ ! -z "$REGISTRY_AUTH_HTPASSWD_PATH" ] && [ ! -z "$REGISTRY_AUTH_HTPASSWD_REALM" ]; then
51+
AUTHCONFIG="auth_basic ${REGISTRY_AUTH_HTPASSWD_REALM};\n auth_basic_user_file ${REGISTRY_AUTH_HTPASSWD_PATH};"
52+
fi
53+
3954
# Update nginx config
4055
sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG
56+
sed -i -e s!LISTEN!"$PORT $ENABLESSL"!g $CONFIG
4157
sed -i -e s!PORT!"$PORT"!g $CONFIG
4258
sed -i -e s!RESOLVER!"$RESOLVER"!g $CONFIG
4359
sed -i -e s!CACHE_MAX_SIZE!"$CACHE_MAX_SIZE"!g $CONFIG
60+
sed -i -e s!#SSLCONFIG!"$SSLINCLUDE"!g $CONFIG
61+
sed -i -e s!#AUTHCONFIG!"$AUTHCONFIG"!g $CONFIG
4462

4563
# setup ~/.aws directory
4664
AWS_FOLDER='/root/.aws'

0 commit comments

Comments
 (0)