From 9a3beba6abe9fef49dbb03d615779c4d738e37b7 Mon Sep 17 00:00:00 2001
From: gw0
Date: Thu, 18 Feb 2021 15:11:04 +0100
Subject: [PATCH] Allow override with own authentication if provided (#61)
---
 Dockerfile | 3 +++
 README.md | 1 +
 entrypoint.sh | 11 +++++++++++
 nginx.conf | 1 +
 4 files changed, 16 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 53065ff..1f7b720 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -94,6 +94,9 @@ ENV MANIFEST_CACHE_SECONDARY_TIME="60d"
 # In the default config, :latest and other frequently-used tags will get this value.
 ENV MANIFEST_CACHE_DEFAULT_TIME="1h"
 
+# Should we allow overridding with own authentication, default to false.
+ENV ALLOW_OWN_AUTH="false"
+
 # Should we allow actions different than pull, default to false.
 ENV ALLOW_PUSH="false"
 
diff --git a/README.md b/README.md
index a419e99..d8ccc96 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,7 @@ for this to work it requires inserting a root CA certificate into system trusted
 - Expose port 3128 to the network
 - Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
 - Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
+- Env `ALLOW_OWN_AUTH` (default `false`): Allow overridding the `AUTH_REGISTRIES` authentication with own Docker credentials if provided (to support `docker login` as another user).
 - Env `ALLOW_PUSH` : This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
 - Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
 - Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.
diff --git a/entrypoint.sh b/entrypoint.sh
index 7a7aa2c..7e20be8 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -137,6 +137,17 @@ echo -e "\nManifest caching config: ---\n"
 cat /etc/nginx/nginx.manifest.caching.config.conf
 echo "---"
 
+if [[ "a${ALLOW_OWN_AUTH}" == "atrue" ]]; then
+ cat << 'EOF' > /etc/nginx/conf.d/allowed_override_auth.conf
+ if ($http_authorization != "") {
+ # override with own authentication if provided
+ set $finalAuth $http_authorization;
+ }
+EOF
+else
+ echo '' > /etc/nginx/conf.d/allowed_override_auth.conf
+fi
+
 if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
 cat < /etc/nginx/conf.d/allowed.methods.conf
 # allow to upload big layers
diff --git a/nginx.conf b/nginx.conf
index 897628e..054b187 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -245,6 +245,7 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
 proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
 
 # Add the authentication info, if the map matched the target domain.
+ include "/etc/nginx/conf.d/allowed_override_auth.conf";
 proxy_set_header Authorization $finalAuth;
 
 # Use SNI during the TLS handshake with the upstream.
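Review bot: The generated `if ($http_authorization != "")` block replaces `$finalAuth` for every proxied request, not only for targets that matched the `AUTH_REGISTRIES` map, so with `ALLOW_OWN_AUTH=true` the proxy forwards whatever Authorization header any client sends to any upstream registry. Because the cache volume is shared across all clients of the proxy, a manifest or blob fetched with one user's credentials can presumably be served from cache to a client that never presented them, unless the cache key includes the Authorization header; that trade-off belongs in the README entry and in the heredoc comment, e.g. `# override with own authentication if provided (applies to every registry; cached content stays shared across users)`. The quoted `'EOF'` delimiter correctly prevents the shell from expanding `$http_authorization` and `$finalAuth`, consistent with the existing ALLOW_PUSH block below it. The comparison is case-sensitive, so `True` or `1` leaves the override silently disabled, matching the existing `ALLOW_PUSH` check.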
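Review bot: The new `include` is unconditional, so nginx will refuse to start if `/etc/nginx/conf.d/allowed_override_auth.conf` has not been written by entrypoint.sh; the `else` branch there guards this, but the dependency is invisible from this file. A comment above the include would make the coupling explicit, e.g. `# Generated by entrypoint.sh from ALLOW_OWN_AUTH: either an override of $finalAuth with the client's own Authorization header, or empty.` The enclosing location block starts and ends outside the hunk.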